Gentoo Archives: gentoo-dev

From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Can we get PIE on all SUID binaries by default, por favor?
Date: Sat, 28 Jan 2012 12:28:19
Message-Id: 4F23E993.5050701@gentoo.org
In Reply to: Re: [gentoo-dev] Can we get PIE on all SUID binaries by default, por favor? by Mike Frysinger
On 01/27/2012 07:12 PM, Mike Frysinger wrote:
> On Friday 27 January 2012 16:05:13 Jason A. Donenfeld wrote:
>> On Fri, Jan 27, 2012 at 21:13, "Paweł Hajdan, Jr." wrote:
>>> Again - only if we don't get a consensus here.
>> Wait... Is anybody here *actually opposed* to not enabling PIE on *SUID
>> binaries*?
> he was talking system wide
>
> considering the number of set*id binaries in the tree, and their requirements
> (they tend to not be performance sensitive in the slightest), i don't have a
> problem with steering them in the PIE direction.
>
> ignoring /usr/bin/Xorg here of course, but that has a lot more problems that i
> doubt PIE will make much of a difference.
> -mike

I've run nbench on two amd64 systems both running the same kernel
vanilla-3.2.2. They only differed in that one uses the hardened
toolchain and the other a vanilla toolchain. nbench itself was
compiled pie on the former and no-pie on the latter. I found negligible
difference in performance.

So at least on amd64, I don't think that performance is ever an issue.
I have yet to look at x86.

Below I give more info.

Here's the result for the hardened system.

# time -p /usr/bin/nbench

BYTEmark* Native Mode Benchmark ver. 2 (10/95)
Index-split by Andrew D. Balsa (11/97)
Linux/Unix* port by Uwe F. Mayer (12/96,11/97)

TEST                : Iterations/sec.  : Old Index   : New Index
                    :                  : Pentium 90* : AMD K6/233*
--------------------:------------------:-------------:------------
NUMERIC SORT        :          1172.2  :      30.06  :       9.87
STRING SORT         :          533.16  :     238.23  :      36.87
BITFIELD            :      5.0544e+08  :      86.70  :      18.11
FP EMULATION        :          150.32  :      72.13  :      16.64
FOURIER             :           30498  :      34.69  :      19.48
ASSIGNMENT          :          35.543  :     135.25  :      35.08
IDEA                :            8060  :     123.28  :      36.60
HUFFMAN             :          2549.8  :      70.71  :      22.58
NEURAL NET          :          58.377  :      93.78  :      39.45
LU DECOMPOSITION    :          1909.8  :      98.94  :      71.44
==========================ORIGINAL BYTEMARK RESULTS==========================
INTEGER INDEX       : 91.279
FLOATING-POINT INDEX: 68.525
Baseline (MSDOS*)   : Pentium* 90, 256 KB L2-cache, Watcom* compiler 10.0
==============================LINUX DATA BELOW===============================
CPU                 : 8 CPU GenuineIntel Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz 2673MHz
L2 Cache            : 8192 KB
OS                  : Linux 3.2.2
C compiler          : x86_64-pc-linux-gnu-gcc
libc                :
MEMORY INDEX        : 28.613
INTEGER INDEX       : 19.197
FLOATING-POINT INDEX: 38.007
Baseline (LINUX)    : AMD K6/233*, 512 KB L2-cache, gcc 2.7.2.3, libc-5.4.38
* Trademarks are property of their respective holder.
real 252.44
user 252.26
sys 0.01

Here's the result for the vanilla system

# time -p /usr/bin/nbench

BYTEmark* Native Mode Benchmark ver. 2 (10/95)
Index-split by Andrew D. Balsa (11/97)
Linux/Unix* port by Uwe F. Mayer (12/96,11/97)

TEST                : Iterations/sec.  : Old Index   : New Index
                    :                  : Pentium 90* : AMD K6/233*
--------------------:------------------:-------------:------------
NUMERIC SORT        :          1179.4  :      30.25  :       9.93
STRING SORT         :          540.12  :     241.34  :      37.36
BITFIELD            :      5.0565e+08  :      86.74  :      18.12
FP EMULATION        :          164.64  :      79.00  :      18.23
FOURIER             :           30785  :      35.01  :      19.66
ASSIGNMENT          :          35.677  :     135.76  :      35.21
IDEA                :          7984.8  :     122.13  :      36.26
HUFFMAN             :            2686  :      74.48  :      23.78
NEURAL NET          :          57.097  :      91.72  :      38.58
LU DECOMPOSITION    :          1887.4  :      97.78  :      70.60
==========================ORIGINAL BYTEMARK RESULTS==========================
INTEGER INDEX       : 93.349
FLOATING-POINT INDEX: 67.966
Baseline (MSDOS*)   : Pentium* 90, 256 KB L2-cache, Watcom* compiler 10.0
==============================LINUX DATA BELOW===============================
CPU                 : 8 CPU GenuineIntel Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz 2673MHz
L2 Cache            : 8192 KB
OS                  : Linux 3.2.2
C compiler          : x86_64-pc-linux-gnu-gcc
libc                :
MEMORY INDEX        : 28.777
INTEGER INDEX       : 19.879
FLOATING-POINT INDEX: 37.696
Baseline (LINUX)    : AMD K6/233*, 512 KB L2-cache, gcc 2.7.2.3, libc-5.4.38
* Trademarks are property of their respective holder.
real 252.37
user 252.19
sys 0.01

The CPU is an 8 core i7

processor : 7
vendor_id : GenuineIntel
cpu family : 6
model : 26
model name : Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz
stepping : 5
microcode : 0xb
cpu MHz : 2673.112
cache size : 8192 KB
physical id : 0
siblings : 8
core id : 3
cpu cores : 4
apicid : 7
initial apicid : 7
fpu : yes
fpu_exception : yes
cpuid level : 11
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm sse4_1 sse4_2 popcnt lahf_lm ida dts tpr_shadow vnmi flexpriority ept vpid
bogomips : 5344.67
clflush size : 64
cache_alignment : 64
address sizes : 36 bits physical, 48 bits virtual
power management:

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
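
The thread's proposal, PIE for set*id binaries, can be checked on an installed system. The Python below is an added example, not part of the original message or of any Gentoo tool: it walks a directory tree and lists set*id ELF files that still load at a fixed address (ET_EXEC). The function names, the PT_INTERP heuristic for telling a PIE from a shared library, and the constructed sample-header writer are assumptions of this example.

```python
import os
import stat
import struct

ET_EXEC, ET_DYN, PT_INTERP = 2, 3, 3  # e_type / p_type values from the ELF spec

def elf_kind(path):
    """Return 'non-pie', 'pie', 'shared-object' or 'other' for the file at path."""
    with open(path, "rb") as f:
        ident = f.read(16)
        if len(ident) < 16 or ident[:4] != b"\x7fELF" or ident[4] not in (1, 2):
            return "other"                      # not an ELF file
        end = "<" if ident[5] == 1 else ">"     # EI_DATA: 1 means little endian
        fmt = end + ("HHIQQQIHHH" if ident[4] == 2 else "HHIIIIIHHH")
        raw = f.read(struct.calcsize(fmt))
        if len(raw) < struct.calcsize(fmt):
            return "other"                      # truncated header
        e_type, _, _, _, phoff, _, _, _, phentsize, phnum = struct.unpack(fmt, raw)
        if e_type != ET_DYN:                    # ET_EXEC loads at a fixed address
            return "non-pie" if e_type == ET_EXEC else "other"
        for i in range(phnum):                  # p_type is the first program-header field
            f.seek(phoff + i * phentsize)
            if f.read(4) == struct.pack(end + "I", PT_INTERP):
                return "pie"                    # ET_DYN that asks for a loader
        return "shared-object"                  # heuristic: a static PIE also lands here

def is_setid(mode):
    """True for a regular file with the set-user-ID or set-group-ID bit."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))

def audit_tree(root):
    """Return the sorted paths of set*id ELF files under root that are not PIE."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if is_setid(os.lstat(path).st_mode) and elf_kind(path) == "non-pie":
                    findings.append(path)
            except OSError:
                continue                        # unreadable or vanished file
    return sorted(findings)

def make_sample_elf(path, e_type, with_interp):
    """Write a constructed, non-runnable ELF64 little-endian header (test data only)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = struct.pack("<HHIQQQIHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1)
    phdr = struct.pack("<I", PT_INTERP if with_interp else 1) + bytes(52)
    with open(path, "wb") as f:
        f.write(ident + ehdr + bytes(6) + phdr)
```

Run `audit_tree("/")` as root so that set*id files without read permission are inspected rather than skipped.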
