On 01/27/2012 02:39 PM, "Paweł Hajdan, Jr." wrote:
> On 1/27/12 8:02 PM, Jason A. Donenfeld wrote:
>> I've just been informed that RHEL does not allow non-PIE executables. We
>> really should follow suit here.
> I'm generally in favor of enabling more hardening features by default
> (i.e. reversing the default, so that people who want to disable PIE can
> still do it). Note that the hardened profile uses PIE by default iirc.

Exactly. Jason, if you want PIE across the board (with a few
exceptions), switch to hardened.

>
> The most common argument against it is performance loss I think, and
> there are probably fewer than 10 packages that have some compilation
> issues with PIE. In my opinion we can deal with that, and security
> benefits are much more important.
>
> If the discussion on this doesn't get conclusive, how about adding the
> question to the Council's agenda?
>

I'm trying to measure the perf difference on amd64 even as I type this.
With nbench I'm only seeing about a 4% hit with PIE. I'm going to try
to narrow it down to some POC code that you can play with. Mostly the
hit comes on setting up call stacks because of the extra machinery in
PIE. When I've investigated further I'll let the list know.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
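One way to audit the policy being discussed (which installed executables were actually built as PIE), as an added example that is not code from this thread or from Gentoo: it classifies an ELF64 image from its header, since a non-PIE executable is ET_EXEC while a PIE is ET_DYN with a PT_INTERP entry (plain shared libraries are ET_DYN without one). The enum, both functions and the constructed header bytes are assumptions of this example.

```c
#include <elf.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Classification of an ELF64 image with respect to PIE (example names). */
enum elf_kind { ELF_INVALID, ELF_EXEC_NOPIE, ELF_PIE, ELF_SHARED_OBJECT };

/* Inspect an in-memory little-endian ELF64 image: ET_EXEC is a fixed-address
 * (non-PIE) executable; ET_DYN with a PT_INTERP program header is a PIE
 * executable; ET_DYN without one is a plain shared library. */
enum elf_kind classify_elf64(const unsigned char *buf, size_t len)
{
    if (len < sizeof(Elf64_Ehdr) || memcmp(buf, ELFMAG, SELFMAG) != 0 ||
        buf[EI_CLASS] != ELFCLASS64 || buf[EI_DATA] != ELFDATA2LSB)
        return ELF_INVALID;
    Elf64_Ehdr eh;
    memcpy(&eh, buf, sizeof eh);
    if (eh.e_type == ET_EXEC) return ELF_EXEC_NOPIE;
    if (eh.e_type != ET_DYN || eh.e_phentsize != sizeof(Elf64_Phdr))
        return ELF_INVALID;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        uint64_t off = eh.e_phoff + (uint64_t)i * sizeof(Elf64_Phdr);
        if (off + sizeof(Elf64_Phdr) > len) return ELF_INVALID; /* truncated */
        Elf64_Phdr ph;
        memcpy(&ph, buf + off, sizeof ph);
        if (ph.p_type == PT_INTERP) return ELF_PIE;
    }
    return ELF_SHARED_OBJECT;
}

/* Build a constructed, minimal ELF64 header (plus one PT_INTERP program
 * header when with_interp is set) for exercising the classifier. It is not
 * a loadable binary; returns the number of bytes written to out (>= 120). */
size_t build_sample(unsigned char *out, uint16_t e_type, int with_interp)
{
    Elf64_Ehdr eh = {0};
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = e_type;
    eh.e_machine = EM_X86_64;
    eh.e_ehsize = sizeof eh;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = with_interp ? 1 : 0;
    memcpy(out, &eh, sizeof eh);
    size_t n = sizeof eh;
    if (with_interp) {
        Elf64_Phdr ph = {0};
        ph.p_type = PT_INTERP;
        memcpy(out + n, &ph, sizeof ph);
        n += sizeof ph;
    }
    return n;
}
```

To run it over a real file, read the first few kilobytes of the binary into a buffer and pass that to classify_elf64; the same answer is what `readelf -h` shows as Type EXEC versus DYN.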