Hello,

On Fri, Mar 29, 2013 at 5:38 PM, Dhiru Kholia <dhiru.kho...@gmail.com> wrote:
> http://fedoraproject.org/wiki/Hardened_Packages page mentions
> that "FESCo requires some packages to use PIE and relro hardening by
> default."
>
> It would be great if this list could be expanded to include even more
> packages which are at comparatively more risk of being exploited (locally
> or remotely).
>
> Such packages will typically include various system daemons, network
> daemons and network enabled applications.
>
> A lot of network daemons are already using PIE and RELRO (e.g. httpd,
> MariaDB). So a natural question is why packages in the same "network
> daemons" class like PostgreSQL, Dovecot and MongoDB aren't being
> hardened?

The more general reference is
https://fedoraproject.org/wiki/Packaging:Guidelines?rd=PackagingGuidelines#PIE,
which (at least in my reading) already covers these cases. The packages
should just be fixed to comply. (Perhaps the wording could be improved -
right now the "Other packages may enable the flags at the maintainer's
discretion." contradicts the criteria above it.)

> 1. Hardening flags should be turned on (by default) for all packages
> which are at comparatively more risk of being exploited or which meet
> some well-defined criteria (suggestions welcome).

It's not only well-defined criteria (which we perhaps already have), but
also easy-to-check criteria, or ideally easy-to-automate criteria, so that
this wouldn't require manual package maintainer decisions. Does anyone have
ideas how to design and implement such automatable criteria?

> "Packaging Guidelines" say that "Other packages may enable the flags at
> the maintainer's discretion."
>
> Thinking from a security perspective, I find "Hardening flags can only
> be disabled for other packages at the maintainer's discretion provided
> enough justification is given to FESCo" to be more appropriate.

In other words, to enable PIE by default?
(For others - please read the FESCo ticket; it links to 2 papers measuring
the performance impact, although they probably don't measure the case we
are interested in, with PIE interacting with prelink - and they are all
synthetic benchmarks, not measuring actual system performance in real-world
use.)

The ~10% overhead on i686 makes this probably not worth it. The ~3.6%
overhead measured on x86_64 seems (with my little compiler background)
rather high - what do the compiler developers think? (Again, note that the
data we have probably don't measure the relevant case.)

Looking at it from another angle, enabling PIE impacts only code in
executables, not in libraries; how much of Fedora's CPU-intensive code
actually resides in executables? For image/video processing, I'd expect the
vast majority of the "hot" code to actually reside in libraries and thus
not be impacted by using PIE for executables; can anyone comment on how
performance-relevant applications (e.g. httpd, Java runtimes or say
Firefox) are structured in this respect - or even better, measure it?

Mirek
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
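The "easy-to-check, ideally easy-to-automate" criterion raised in the reply above can at least be verified on the build output: whether a binary was actually linked as PIE and with RELRO is visible in its ELF headers. The script below is an added example written for this page; it is not Fedora's or FESCo's tooling and was not posted in the thread. It reads the ELF header, program headers and the PT_DYNAMIC segment directly (the same fields `readelf -h`, `readelf -l` and `readelf -d` print) and reports PIE (e_type == ET_DYN), partial RELRO (a PT_GNU_RELRO segment) and full RELRO (PT_GNU_RELRO plus BIND_NOW). The `build_sample_elf64` helper constructs a minimal, non-executable ELF64 image so the check can be exercised offline; its layout is an assumption made for the example, not something taken from a real package.

```python
"""Check an ELF binary for PIE and RELRO without external tools.

Added example, not Fedora tooling. Reports:
  pie        : e_type == ET_DYN (PIE executable, or a shared object)
  relro      : a PT_GNU_RELRO segment exists (partial RELRO)
  full_relro : PT_GNU_RELRO plus BIND_NOW (DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW)
"""
import struct
import sys

ET_EXEC = 2
ET_DYN = 3
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1


def check_hardening(data: bytes) -> dict:
    """Return {'pie', 'relro', 'full_relro'} for the ELF image in `data`."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2            # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian
    if is64:
        e_type = struct.unpack_from(end + "H", data, 16)[0]
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
        phdr_fmt, off_idx, filesz_idx = end + "IIQQQQQQ", 2, 5
        dyn_fmt = end + "qQ"
    else:
        e_type = struct.unpack_from(end + "H", data, 16)[0]
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
        phdr_fmt, off_idx, filesz_idx = end + "IIIIIIII", 1, 4
        dyn_fmt = end + "iI"

    have_relro = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        fields = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if fields[0] == PT_GNU_RELRO:
            have_relro = True
        elif fields[0] == PT_DYNAMIC:
            dyn_off, dyn_size = fields[off_idx], fields[filesz_idx]

    # BIND_NOW is what turns a RELRO segment into "full" RELRO: the GOT is
    # resolved before it is made read-only, so lazy-binding writes never happen.
    bind_now = False
    if dyn_off is not None:
        entsize = struct.calcsize(dyn_fmt)
        for off in range(dyn_off, dyn_off + dyn_size, entsize):
            tag, val = struct.unpack_from(dyn_fmt, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True

    return {"pie": e_type == ET_DYN,
            "relro": have_relro,
            "full_relro": have_relro and bind_now}


def build_sample_elf64(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed sample: a minimal ELF64 image (header + phdrs + .dynamic).

    It is not runnable code, only enough structure for check_hardening().
    """
    dyn = b""
    if bind_now:
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    nph = 2 if relro else 1
    phoff = 64
    dyn_off = phoff + nph * 56
    phdrs = [struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               ET_DYN if pie else ET_EXEC, 62, 1, 0, phoff, 0, 0,
                               64, 56, nph, 64, 0, 0)
    return ehdr + b"".join(phdrs) + dyn


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_hardening(f.read()))
```

Run it as `python3 check_hardening.py /usr/sbin/httpd /usr/bin/postgres` to compare packages directly. One caveat: ET_DYN is also what every shared library reports, so the `pie` result is only meaningful for the executables a package ships, not for its `.so` files, and a check that wants to distinguish the two would additionally look for PT_INTERP.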