> I'm not sure exactly how ssp is implemented in a nuts and bolts sort of
> way. However, I would say lowering the quality of the random data used
> for the canary would be a bad idea. It could allow someone to more
> easily compromise a system protected by ssp.


There's no doubt that it lowers security, but I think even if you just
picked a fixed canary value per system (say 42) then it already means
that most buffer overflow attacks still fail.

Agreed that someone specifically targeting you will get in, but I'm far
more worried about the general class of attacks... SSP is just one more
layer of security, not the only layer.

Cheers

Ed W
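The trade-off discussed in this exchange (a fixed canary still catches the generic overflow, while a predictable one gives nothing against someone who knows its value) can be shown in a small simulation. The following is an added example, not code from the thread or from any SSP implementation: it models a stack frame as a plain byte array with constructed offsets (16-byte buffer, then the canary, then the saved return address), performs an unbounded copy into the buffer, and then runs the same comparison that an SSP function epilogue performs. The frame layout, the placeholder return address and the stand-in "random" canary value are all constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame layout (offsets constructed for this demo):
 *   [0, 16)   local char buffer that the vulnerable copy writes into
 *   [16, 24)  canary, placed between locals and saved state as SSP does
 *   [24, 32)  saved return address
 * Using a byte array instead of a real stack keeps the demo portable and
 * free of undefined behaviour. */
#define BUF_SIZE   16
#define CANARY_OFF 16
#define RET_OFF    24
#define FRAME_SIZE 32

/* Placeholder saved return address (constructed value). */
#define ORIG_RET 0x401000ULL

/* Outcome of one simulated run of a protected function. */
enum outcome { NO_OVERFLOW = 0, CAUGHT_BY_CANARY = 1, UNDETECTED = 2 };

static uint64_t read_u64(const unsigned char *p) { uint64_t v; memcpy(&v, p, sizeof v); return v; }
static void write_u64(unsigned char *p, uint64_t v) { memcpy(p, &v, sizeof v); }

/* The epilogue check SSP compiles into a protected function: the in-frame
 * canary must still equal the per-process reference value. */
int canary_intact(const unsigned char *frame, uint64_t canary)
{
    return read_u64(frame + CANARY_OFF) == canary;
}

/* Copy `len` input bytes into the 16-byte buffer with no bounds check, then
 * report what the SSP check would do. The copy is clamped to the frame so the
 * simulation itself stays within bounds. */
int run_vulnerable_copy(const unsigned char *input, size_t len, uint64_t canary)
{
    unsigned char frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    write_u64(frame + CANARY_OFF, canary);
    write_u64(frame + RET_OFF, ORIG_RET);

    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(frame, input, len);              /* the unsafe, unbounded copy */

    if (len <= BUF_SIZE) return NO_OVERFLOW;             /* nothing past the buffer */
    if (!canary_intact(frame, canary)) return CAUGHT_BY_CANARY; /* __stack_chk_fail would abort */
    return UNDETECTED;                                   /* frame smashed, check passed */
}

/* Constructed input 1: well-formed, fits in the buffer. */
int demo_benign(uint64_t canary)
{
    const unsigned char input[] = "hello";
    return run_vulnerable_copy(input, sizeof input, canary);
}

/* Constructed input 2: the generic long run of 'A's that a non-targeted
 * overflow produces. It overwrites the canary along with the return address,
 * so even a fixed canary such as 42 catches it. */
int demo_blind_overflow(uint64_t canary)
{
    unsigned char input[FRAME_SIZE];
    memset(input, 'A', sizeof input);
    return run_vulnerable_copy(input, sizeof input, canary);
}

/* Constructed input 3: an overflow that keeps the value 42 in the canary slot,
 * i.e. written by someone who knows the system uses that fixed canary. Against
 * any canary other than 42 the same input is caught. */
int demo_known_canary(uint64_t canary)
{
    unsigned char input[FRAME_SIZE];
    memset(input, 'A', sizeof input);
    write_u64(input + CANARY_OFF, 42);
    write_u64(input + RET_OFF, 0x4141414141414141ULL);
    return run_vulnerable_copy(input, sizeof input, canary);
}

int main(void)
{
    const uint64_t fixed = 42;                       /* fixed canary per system */
    const uint64_t rnd = 0x9c5e2b7d1a4f6083ULL;      /* constructed stand-in for a random canary */
    printf("benign copy, fixed canary:         %d\n", demo_benign(fixed));
    printf("blind overflow, fixed canary:      %d\n", demo_blind_overflow(fixed));
    printf("overflow assuming 42, canary 42:   %d\n", demo_known_canary(fixed));
    printf("overflow assuming 42, random:      %d\n", demo_known_canary(rnd));
    return 0;
}
```

The first two cases are the point made in the reply: a fixed canary still turns the untargeted overflow into an abort. The last two are the point made in the quoted message: once the value is predictable, the check adds nothing against someone who accounts for it, and a per-process random value is what restores it. Real SSP additionally keeps a zero byte in the canary so that string copies cannot reproduce it; this demo omits that detail.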