
From: Crispin Cowan <crispin@cse.ogi.edu>
Subject: StackGuarded Red Hat 5.2 Released
To: lwn@lwn.net
Date: Fri, 8 Oct 1999 14:01:28 -0700 (PDT)

We have just released the (long-awaited :-) StackGuarded Red Hat 5.2 Linux
distribution.  We have also moved.  The new home page for StackGuard in
particular, and Immunix in general, is now:

    http://immunix.org/

About WireX StackGuard:
    StackGuard is a compiler for producing programs that are resistant to
    the "stack smashing" variety of buffer overflow attacks.  StackGuard
    does this by emitting code to do integrity checks on the stack for
    every function call.  If the activation record has been corrupted
    when a function tries to return, instead of handing control to the
    attacker by jumping to the attacker's code, StackGuard syslog's the
    intrusion attempt and halts the program.

    StackGuard is implemented as a small patch to gcc.  Programs should
    transparently recompile with StackGuard protection without difficulty.

    This new release includes an improved StackGuard compiler with the
    following enhancements:
	Faster:  the integrity checking procedure has been improved to
	    use fewer instructions.
	General Random Canary Support:	StackGuard now provides for both
	    the "Terminator" and "Random" styles of integrity checking
	    in both normal code and in shared libraries.

About the StackGuarded Red Hat 5.2 Linux Distribution:
    We have re-compiled all of the C programs that come with a Red Hat
    5.2 Linux distribution with StackGuard.  The result is a system
    that is generally impervious to stack smashing.  We have had this
    system running in production on our workstations for over two months,
    with no difficulties encountered.

    Previously, we built Red Hat 5.1 with an older StackGuard.
    That version has been running in production for over a year without
    difficulties.  We have had hundreds of downloads, with no bugs found.

    We have benchmarked StackGuard protection overhead using the WebStone
    benchmark against a StackGuarded Apache server, and an SSH throughput
    experiment through the loopback interface.  In both cases, StackGuard
    protection for these security-critical network services imposed no
    noticeable overhead.

About Immunix.org:
    Immunix.org is the freeware security portal of WireX Communications,
    Inc.  Immunix.org will provide a variety of security enhancing
    tools, and secured Linux systems.  This distribution will be known as
    "WireX Immunix".  Presently the Immunix Linux distribution is Red
    Hat 5.2 protected with StackGuard, but it will grow to include a
    variety of security enhancing tools.  Details are available on line
    at http://immunix.org/

<warning:  marketing blurb :->

About WireX Communications, Inc.:		http://wirex.com/
    WireX Communications, Inc. has taken on both freeware and commercial
    development of Immunix technologies, including StackGuard.  WireX
    develops and markets a broad range of network appliance server
    software for OEMs and network solution providers.  WireX products
    are based on the WireX Immunix operating system.  Coupled with
    the WireX JDM (Java Deployment Manager), the WireX network server
    appliances can support users ranging from small-businesses to
    enterprise level operations with much lower administration costs
    and lower total-cost-of-ownership.

(sorry about this; the legal people made me do it :-)
WireX is a registered trademark of WireX Communications, Inc.
Immunix and StackGuard are trademarks of WireX Communications, Inc.
All other marks are the property of their respective owners.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.  	http://wirex.com
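
The integrity check described in the announcement above, as an added example (not part of the original message and not WireX's code): a C simulation of an activation record with a canary placed between the local buffer and the return address, checked when the function returns. The canary values, the saved return address and all function names are constructed for illustration; the run shows a random canary being overwritten and detected, and a terminator canary stopping a string copy before it reaches the return address.

```c
#include <stdio.h>
#include <string.h>

enum { BUF = 16, CAN = 4, RET = 4, FRAME = BUF + CAN + RET };
/* Simulated activation record, low to high: [ buffer | canary | return address ] */
typedef struct { unsigned char mem[FRAME]; unsigned char expect[CAN]; } frame_t;

static const unsigned char SAVED_RET[RET]   = { 0x10, 0x20, 0x30, 0x40 }; /* constructed */
static const unsigned char TERMINATOR[CAN]  = { 0x00, 0x0d, 0x0a, 0xff }; /* NUL, CR, LF, 0xFF */
static const unsigned char RANDOM_DEMO[CAN] = { 0x5a, 0xc3, 0x91, 0x7e }; /* stands in for a per-run random word */

/* Prologue: lay the canary between the local buffer and the return address. */
void frame_enter(frame_t *f, const unsigned char canary[CAN]) {
    memset(f->mem, 0, FRAME);
    memcpy(f->mem + BUF, canary, CAN);
    memcpy(f->mem + BUF + CAN, SAVED_RET, RET);
    memcpy(f->expect, canary, CAN);
}

/* Models an unchecked strcpy() into the buffer: copies through the first NUL.
   Clamped to the simulated frame so the demo itself stays memory-safe. */
void sim_strcpy(frame_t *f, const unsigned char *src) {
    for (size_t i = 0; i < FRAME; i++) {
        f->mem[i] = src[i];
        if (src[i] == 0) break;
    }
}

/* Epilogue check: 1 = canary intact (return), 0 = corrupted (log and halt). */
int frame_leave(const frame_t *f) { return memcmp(f->mem + BUF, f->expect, CAN) == 0; }
int ret_intact(const frame_t *f) { return memcmp(f->mem + BUF + CAN, SAVED_RET, RET) == 0; }

/* Run one simulated call; returns 2*canary_ok + return_address_ok. */
int run(const unsigned char canary[CAN], const unsigned char *input) {
    frame_t f;
    frame_enter(&f, canary);
    sim_strcpy(&f, input);
    return 2 * frame_leave(&f) + ret_intact(&f);
}

int main(void) {
    unsigned char over[FRAME + 1];                    /* constructed overlong input */
    memset(over, 'A', FRAME); over[FRAME] = 0;
    printf("short input, random canary:  %d\n", run(RANDOM_DEMO, (const unsigned char *)"hello"));
    printf("overflow, random canary:     %d\n", run(RANDOM_DEMO, over));
    memcpy(over + BUF, TERMINATOR, CAN);              /* input embedding the terminator bytes */
    printf("replay, terminator canary:   %d\n", run(TERMINATOR, over));
    return 0;
}
```

A result of 3 means the canary and return address are both intact; 0 means the overflow reached the return address but the epilogue check caught the damaged canary first.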