On Wed, Feb 04, 2004 at 01:26:29PM +0800, Leon Harris wrote: > Certain apps (notably java virtual machines) manipulate stack return > addresses. I understood that one of the advantages of Immunix's product > StackGuard was that you could still run these types of apps by > statically linking them against a normal libc (and chrooting them or > otherwise confining them). If the protection is mandatory, and in > hardware, then surely these types of app wont work. Leon, the limitations with StackGuard and Java Just in Time compilers and virtual machines have been removed with newer versions of StackGuard. StackGuard 2, based on egcs (gcc 2.91.66), had an unfortunate location in the stack layout for the canary which caused problems for applications that 'knew' the stack layout well enough to introspect the stack. Newer versions of StackGuard have since remedied the location of the canary (to be more secure, while we're at it) such that applications that are stack-introspective no longer need to be patched to know a 'new' stack layout. StackGuard 3 uses a better location that is transparent to gdb, mozilla, JITs, etc. Of course, I don't want to say what forms of applications may or may not run on a SmashGuard system; however, the JVMs and JITs may or may not function on SmashGuard on their own merits -- it was a limitation of earlier StackGuard releases that caused problems for JVMs, JITs, gdb, mozilla, etc. Further information on StackGuard 3 may be found at: http://immunix.org/stackguard.html More information will be posted to this page as StackGuard continues development, and we will periodically announce new developments to the low traffic immunix-announce mail list: http://mail.immunix.com/mailman/listinfo/immunix-announce Thanks Leon -- Immunix Secured Linux Distribution: http://immunix.org/
Attachment:
pgpLG4T2nHe1E.pgp
Description: PGP signature