| 1 |
On 01/27/2012 02:39 PM, "Paweł Hajdan, Jr." wrote: |
| 2 |
> On 1/27/12 8:02 PM, Jason A. Donenfeld wrote: |
| 3 |
>> I've just been informed that RHEL does not allow non-PIE executables. We |
| 4 |
>> really should follow suit here. |
| 5 |
> I'm generally in favor of enabling more hardening features by default |
| 6 |
> (i.e. reversing the default, so that people who want to disable PIE can |
| 7 |
> still do it). Note that the hardened profile uses PIE by default iirc. |
| 8 |
|
| 9 |
Exactly. Jason, if you want PIE across the board (with a few |
| 10 |
exceptions), switch to hardened. |
| 11 |
|
| 12 |
> |
| 13 |
> The most common argument against it is performance loss I think, and |
| 14 |
> there are probably less than 10 packages that have some compilation |
| 15 |
> issues with PIE. In my opinion we can deal with that, and security |
| 16 |
> benefits are much more important. |
| 17 |
> |
| 18 |
> If the discussion on this doesn't get conclusive, how about adding the |
| 19 |
> question to the Council's agenda? |
| 20 |
> |
| 21 |
|
| 22 |
I'm trying to measure the perf difference on amd64 even as I type this. |
| 23 |
With nbench I'm only seeing about a 4% hit with PIE. I'm going to try |
| 24 |
to narrow it down to some POC code that you can play with. Mostly the |
| 25 |
hit comes on setting up call stacks because of the extra machinery in |
| 26 |
PIE. When I've investigated further I'll let the list know. |
| 27 |
|
| 28 |
-- |
| 29 |
Anthony G. Basile, Ph.D. |
| 30 |
Gentoo Linux Developer [Hardened] |
| 31 |
E-Mail : blueness@g.o |
| 32 |
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 |
| 33 |
GnuPG ID : D0455535 |
Archives