Security-improving technologies which could be deployed now
Posted Oct 21, 2004 21:37 UTC (Thu) by bluefoxicy
In reply to: Security-improving technologies which could be deployed now
Parent article: Security-improving technologies which could be deployed now
Mudflap is an excellent technology. I would love to see it forced on developers via a Singapore prison guard holding a cane in one hand and a whip in the other. ;)
That being said, deployment of software built with Mudflap is a horribly bad idea. Mudflap is made to be a debugging tool, not a security tool, and has no place in use in production. It is there to help the programmer polish his program, not to play goalie on your web server.
The combination of the technologies is an excellent prospect. On the developer's end, things such as Mozilla are built with Mudflap. These binaries give a load of information about what is broken, which is used to fix that. The binaries shipped to regular users are instead compiled with SSP and without Mudflap. These binaries will run much more efficiently, and will dterminate if a buffer overflow bug still exists and is manifested, such as during an attack.
Let's also note that most software will run fine until attacked with SSP. This shows that the buffers aren't being overflowed in normal use. If they are not overflowed, Mudflap will probably not see anything wrong, and thus will be deployed a vulnerable program. Upon being exploited, SSP will terminate the program, and as a bonus feed back a little bit of data which can be used to track down where the bug occurred.
Both technologies have their uses, and both should be used gratuitously.
to post comments)