ProPolice/SSP (Fantastic Japanese Stuff)


gcc modifications that catch some very common stack-smashing problems
http://www.trl.ibm.com/projects/security/ssp/

Since integration into OpenBSD more than a year ago, 26+ ProPolice
bugs have been found and fixed:

gcc with ProPolice equal quality as gcc without ProPolice (hah)

Much better than StackGuard
http://www1.corest.com/files/files/11/StackguardPaper.pdf
And does more than just i386 ...

Places the canary in the right place
Re-orders objects on the stack for safety
Weakness:  Poor algorithm for skipping protection on functions (work in progress)

(A kernel compiled with -fstack-protector-all is 1.3% slower at make build)


BENEFITS SECURITY:	Finds bugs and makes them unexploitable
VERY LOW COST:	Everyone should use it