From: Crispin Cowan <crispin@cse.ogi.edu>
Subject: StackGuarded Red Hat 5.2 Released
To: lwn@lwn.net
Date: Fri, 8 Oct 1999 14:01:28 -0700 (PDT)

We have just released the (long-awaited :-) StackGuarded Red Hat 5.2 Linux distribution. We have also moved. The new home page for StackGuard in particular, and Immunix in general, is now: http://immunix.org/

About WireX StackGuard:

StackGuard is a compiler for producing programs that are resistant to the "stack smashing" variety of buffer overflow attacks. StackGuard does this by emitting code to do integrity checks on the stack for every function call. If the activation record has been corrupted when a function tries to return, instead of handing control to the attacker by jumping to the attacker's code, StackGuard syslog's the intrusion attempt and halts the program.

StackGuard is implemented as a small patch to gcc. Programs should transparently recompile with StackGuard protection without difficulty.

This new release includes an improved StackGuard compiler with the following enhancements:

Faster: the integrity checking procedure has been improved to use fewer instructions.

General Random Canary Support: StackGuard now provides for both the "Terminator" and "Random" styles of integrity checking in both normal code and in shared libraries.

About the StackGuarded Red Hat 5.2 Linux Distribution:

We have re-compiled all of the C programs that come with a Red Hat 5.2 Linux distribution with StackGuard. The result is a system that is generally impervious to stack smashing. We have had this system running in production on our workstations for over two months, with no difficulties encountered.

Previously, we built Red Hat 5.1 with an older StackGuard. That version has been running in production for over a year without difficulties. We have had hundreds of downloads, with no bugs found.

We have benchmarked StackGuard protection overhead using the WebStone benchmark against a StackGuarded Apache server, and a SSH throughput experiment through the loopback interface. In both cases, StackGuard protection for these security-critical network services imposed no noticeable overhead.

About Immunix.org:

Immunix.org is the freeware security portal of WireX Communications, Inc. Immunix.org will provide a variety of security enhancing tools, and secured Linux systems. This distribution will be known as "WireX Immunix". Presently the Immunix Linux distribution is Red Hat 5.2 protected with StackGuard, but it will grow to include a variety of security enhancing tools. Details are available on line at http://immunix.org/

<warning: marketing blurb :->

About WireX Communications, Inc.: http://wirex.com/

WireX Communications, Inc. has taken on both freeware and commercial development of Immunix technologies, including StackGuard. WireX develops and markets a broad range of network appliance server software for OEMs and network solution providers. WireX products are based on the WireX Immunix operating system. Coupled with the WireX JDM (Java Deployment Manager), the WireX network server appliances can support users ranging from small-businesses to enterprise level operations with much lower administration costs and lower total-cost-of-ownership.

(sorry about this; the legal people made me do it :-)

WireX is a registered trademark of WireX Communications, Inc. Immunix and StackGuard are trademarks of WireX Communications, Inc. All other marks are the property of their respective owners.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.
http://wirex.com
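The integrity check the announcement describes, modelled in portable C as an added example; it is not StackGuard's code or compiler output. The frame layout, the canary byte order, `guarded_call` and every sample value are assumptions of this example, and the check returns a flag where StackGuard would log to syslog and halt.

```c
#include <stdio.h>
#include <string.h>

enum { BUF = 16, WORD = 4 };
/* Model of one activation record (layout assumed for this example):
   local buffer, then the canary word, then the saved return address. */
struct frame {
    char          buf[BUF];
    unsigned char canary[WORD];
    unsigned char ret[WORD];
};

/* "Terminator" style: bytes that end common C string copies (NUL, CR, LF, 0xFF). */
static const unsigned char TERMINATOR[WORD] = { 0x00, 0x0d, 0x0a, 0xff };
/* "Random" style: stands in for a value picked at program start (constructed). */
static const unsigned char RANDOM_SAMPLE[WORD] = { 0x5c, 0x91, 0x3e, 0xa7 };
static const unsigned char SAVED_RET[WORD] = { 0x10, 0x20, 0x30, 0x40 }; /* constructed */

/* Returns 1 if the epilogue check finds the canary changed (where StackGuard
   would log and halt), 0 for a clean return. *ret_changed reports whether
   the saved return address was overwritten. */
int guarded_call(const unsigned char *canary, const char *input, int *ret_changed)
{
    struct frame f;
    unsigned char *dst = (unsigned char *)&f;
    size_t i = 0;
    memset(&f, 0, sizeof f);
    memcpy(f.canary, canary, WORD);               /* prologue: place the canary */
    memcpy(f.ret, SAVED_RET, WORD);
    /* Body: strcpy-like copy that ignores BUF and stops only at NUL.
       Clamped to the frame model so the demo itself stays well-defined. */
    for (; input[i] != '\0' && i < sizeof f - 1; i++)
        dst[i] = (unsigned char)input[i];
    dst[i] = '\0';
    *ret_changed = memcmp(f.ret, SAVED_RET, WORD) != 0;
    return memcmp(f.canary, canary, WORD) != 0;   /* epilogue: integrity check */
}

int main(void)
{   /* Constructed inputs: in bounds, a linear overrun, and a copy of the
       terminator canary bytes followed by a new return address. */
    const char *in[] = { "hello", "AAAAAAAAAAAAAAAA" "AAAAAAA",
                         "AAAAAAAAAAAAAAAA" "\x00\x0d\x0a\xff" "BBBB" };
    for (int k = 0; k < 3; k++) {
        int ct, cr;
        int t = guarded_call(TERMINATOR, in[k], &ct);
        int r = guarded_call(RANDOM_SAMPLE, in[k], &cr);
        printf("input %d: terminator tripped=%d ret_changed=%d; random tripped=%d ret_changed=%d\n", k, t, ct, r, cr);
    }
}
```

In the third input the copy stops at the canary's NUL byte, so the terminator canary stays intact and the saved return address is never reached; the linear overrun changes the canary under both styles and is caught before the return.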