Aleksander Adamowski wrote:

Giuseppe Ghibò wrote:

I would also add perl, php and python to the list and
would remove other non-server and non-suid client applications;
otherwise it would be better to apply stack protection to everything...


Added.

I built our gcc RPM with stackprotector enabled some
months ago (the latest were gcc-3.3-2mdk(s) for cooker, and gcc-3.2.2-3mdk(s) for 9.1).


IMHO what this could replace is the %serverbuild macro, which
should have -fstack-protector enabled.


I don't know that macro, that's interesting. You could add this idea to the Wiki page.

If I remember right, that macro just avoids omitting the frame pointer so that libsafe works.


From benchmark (ssbench) I don't see any appreciable slow
down, but it would be interesting to see some BIG benchmark
for instance to Apache or some mailer, to see the
effective impact. If someone has one or is willing to do
some intensive benchmark...


See this page:
<http://www.trl.ibm.com/projects/security/ssp/node5.html#SECTION00051000000000000000>



They state that in the worst case it can add an 8% performance loss, the worst case being a program that uses massive amounts of function calls with extremely short function bodies. In practice, it has been shown not to exceed 4% with the Perl benchmark, and to be close to 0% for imapd.

Honestly, I would trust a benchmark I made myself, or at least a reproducible one; otherwise it is like considering only BOGOMIPS... ;-) As I said, on a quick benchmark with ssbench I get results that are even more optimistic, but it would be better to test in the real world and on INTENSIVE tasks (e.g. some WebBench for apache, or for instance some mailer with amavis + spamassassin [etc.]).

Also consider that in most cases servers could be tweaked in kernel
parameters to achieve even 50% better performance (e.g. tuning parameters
in sysctl.conf), so IMHO a 5% loss is not that dramatic (at least for
servers).

Bye.
Giuseppe.