Brian A. Seklecki | 13 Oct 2009 21:24

Re: Dell PowerEdge r710 dmesg

On Tue, 2009-09-01 at 19:58 -0400, Jared D. McNeill wrote:
> You said "ACPI fails to enumerate the serial devices"; this is 
> because you are running the i386

All:

Obviously I was half asleep when I posted originally to
freeBSD-hardware <at> .  Here is the same machine's DMESG from NetBSD/amd64
10/01/2009 / NetBSD 5.99.18.

http://www.nycbug.org/?NAV=dmesgd;f_dmesg=;f_bsd=;f_nick=;f_descr=;dmesgid=2016#2016

~BAS

Matthias Scheler | 18 Oct 2009 13:59

Turning on stack protection by default


	Hello,

I'm using NetBSD/amd64 and NetBSD/i386 with stack smash protection enabled
ever since the feature was introduced into NetBSD. I've just fixed a bug
in "mdnsd" which was caught by SSP.(*)

Considering that this feature helps finding bugs and increases system
security I would like to suggest to turn it on by default on these
two NetBSD ports.

What do other people think about this?

	Kind regards

(*) http://mail-index.netbsd.org/source-changes/2009/10/18/msg002034.html

-- 
Matthias Scheler                                  http://zhadum.org.uk/

Daniel Carosone | 23 Oct 2009 01:50

Re: Turning on stack protection by default

On Sun, Oct 18, 2009 at 12:59:29PM +0100, Matthias Scheler wrote:
> Considering that this feature helps finding bugs and increases system
> security I would like to suggest to turn it on by default on these
> two NetBSD ports.
> 
> What do other people think about this?

+1

--
Dan.

Matthias Scheler | 23 Oct 2009 10:20

Re: Turning on stack protection by default

On Fri, Oct 23, 2009 at 01:47:54AM +0100, Mindaugas Rasiukevicius wrote:
> > Considering that this feature helps finding bugs and increases system
> > security I would like to suggest to turn it on by default on these
> > two NetBSD ports.
> 
> Can you provide some numbers how it affects performance?

I've attached a little test program which is very recursive.(*)
Here are the results on my NetBSD/amd64 5.0_STABLE system
which is driven by a Xeon 3040 CPU running at 1.83GHz:

tron <at> colwyn:~>gcc fib.c -Wall -O2 -o fib  
tron <at> colwyn:~>time ./fib 42
42 -> 267914296
./fib 42  14.07s user 0.00s system 99% cpu 14.119 total
tron <at> colwyn:~>gcc fib.c -fstack-protector-all -Wstack-protector -Wall -O2 -o fib 
tron <at> colwyn:~>time ./fib 42
42 -> 267914296
./fib 42  15.07s user 0.00s system 98% cpu 15.261 total

That is 8% overhead in a program which I believe gets affected particularly
badly by enabling stack protection.

	Kind regards

(*) Yes, this can be done much more efficiently. The program is written
    to defeat some of GCC's optimisations and to enforce stack protection.

-- 
Matthias Scheler                                  http://zhadum.org.uk/
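
A test program of the kind the message above describes, given here as an added example: it is not the fib.c attached to that message, which this archive page does not reproduce. The names `fib`, `NOINLINE` and `pad` and the default argument of 30 are assumptions made for illustration.

```c
/*
 * Added example: deliberately naive recursive Fibonacci for measuring
 * stack-protector overhead. Build both ways and compare `time ./fib 42`:
 *   gcc fib.c -Wall -O2 -o fib
 *   gcc fib.c -fstack-protector-all -Wstack-protector -Wall -O2 -o fib
 */
#include <stdio.h>
#include <stdlib.h>

/* Keep GCC from inlining the recursion away at -O2. */
#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))
#else
#define NOINLINE
#endif

NOINLINE unsigned long fib(unsigned int n)
{
    /*
     * A 16-byte char array puts the frame over GCC's default
     * ssp-buffer-size of 8, so it also gets a canary under plain
     * -fstack-protector; volatile stops the array being optimised out.
     */
    volatile char pad[16];
    unsigned long a, b;

    pad[0] = (char)n;
    if (n < 2)
        return n;
    a = fib(n - 1);
    b = fib(n - 2);
    /* The pad term is always zero; it only keeps the buffer live. */
    return a + b + (unsigned long)(pad[0] - (char)n);
}

int main(int argc, char **argv)
{
    /* Assumed default of 30 when no argument is given. */
    unsigned int n = (argc > 1) ? (unsigned int)strtoul(argv[1], NULL, 10) : 30;

    printf("%u -> %lu\n", n, fib(n));
    return 0;
}
```

Every call pays the canary store in the prologue and the compare in the epilogue, and the function body does almost nothing else, which is why a program like this sits near the worst case for SSP overhead.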

Antti Kantee | 24 Oct 2009 16:44

Re: Turning on stack protection by default

On Fri Oct 23 2009 at 09:20:42 +0100, Matthias Scheler wrote:
> On Fri, Oct 23, 2009 at 01:47:54AM +0100, Mindaugas Rasiukevicius wrote:
> > > Considering that this feature helps finding bugs and increases system
> > > security I would like to suggest to turn it on by default on these
> > > two NetBSD ports.
> > 
> > Can you provide some numbers how it affects performance?
> 
> I've attached a little test program which is very recursive.(*)
> Here are the results on my NetBSD/amd64 5.0_STABLE system
> which is driven by a Xeon 3040 CPU running at 1.83GHz:
> 
> tron <at> colwyn:~>gcc fib.c -Wall -O2 -o fib  
> tron <at> colwyn:~>time ./fib 42
> 42 -> 267914296
> ./fib 42  14.07s user 0.00s system 99% cpu 14.119 total
> tron <at> colwyn:~>gcc fib.c -fstack-protector-all -Wstack-protector -Wall -O2 -o fib 
> tron <at> colwyn:~>time ./fib 42
> 42 -> 267914296
> ./fib 42  15.07s user 0.00s system 98% cpu 15.261 total
> 
> That is 8% overhead in a program which I believe gets affected particularly
> badly by enabling stack protection.
> 
> 	Kind regards
> 
> (*) Yes, this can be done much more efficiently. The program is written
>     to defeat some of GCC's optimisations and to enforce stack protection.

Hi,

Antti Kantee | 25 Oct 2009 00:46

Re: Turning on stack protection by default

On Sat Oct 24 2009 at 22:55:14 +0100, Matthias Scheler wrote:
> > What's the effect on something that people might actually care about,
> > say build.sh ...
> 
> I could do that. But it would require downgrading all my systems
> to binaries with SSP. Why don't you test it? You have a NetBSD system
> without SSP. You can benchmark "build.sh" for producing safer
> binaries and then repeat the build once you have updated. ;-)

Yes, I could benchmark it.  However, it's easier for me to not do that
and say "I object".  It seems like there's a lot of "I'll propose this,
but someone else should do the work in showing that I'm right" going on
in NetBSD this weekend ... ;)

> > ... or apachebench?
> 
> What would that demonstrate except that the network is the bottleneck?

It would demonstrate how much SSP might (not) be a problem for a given
real application (apache and/or www client in this case).

Mindaugas Rasiukevicius | 25 Oct 2009 18:25

Re: Turning on stack protection by default

Matthias Scheler <tron <at> zhadum.org.uk> wrote:
> On Sun, Oct 25, 2009 at 01:08:14AM +0200, Joerg Sonnenberger wrote:
> > Please do. I would actually suggest to make it the default on all ports
> > that are not heavily space constrained. Benchmarks in the past suggest
> > that the overhead for typical applications is between 1% and 5%.
> 
> And the worst case seems to be 8%. Such numbers are however not good
> enough for "certain people".

Perhaps enabling it on services/daemons (e.g. postfix, bind) would make
you feel better?

-- 
Mindaugas

Matthias Scheler | 25 Oct 2009 22:01

Re: Turning on stack protection by default

On Sun, Oct 25, 2009 at 05:25:16PM +0000, Mindaugas Rasiukevicius wrote:
> > And the worst case seems to be 8%. Such numbers are however not good
> > enough for "certain people".
> 
> Perhaps enabling it on services/daemons (e.g. postfix, bind) ...

You don't get the full protection unless the kernel and the libraries
use SSP as well.

> ... would make you feel better?

I don't mind 8% *worst case* performance degradation for a more secure
and stable system.

	Kind regards

-- 
Matthias Scheler                                  http://zhadum.org.uk/

Matthias Scheler | 25 Oct 2009 22:05

Re: Turning on stack protection by default

On Sun, Oct 25, 2009 at 06:33:53PM +0100, Tobias Nygren wrote:
> Below are two runs of SunSpider on firefox-3.5.3, NetBSD-5.99.21-amd64
> before and after installation of a USE_SSP=yes userland.

I've run "build.sh -j 8 -x release" on a four core virtual machine twice.
The build always produced binaries without SSP. But the build system
itself was switched from SSP (kernel and userland) to no SSP (again
kernel and userland):

With SSP:	4155.43s user 10035.32s system 358% cpu 1:06:00.27 total
Without SSP:	4442.54s user 9290.31s system 362% cpu 1:03:06.49 total

The build got slower by 4.8% in my test case.

	Kind regards

-- 
Matthias Scheler                                  http://zhadum.org.uk/

