On Thu, Sep 5, 2013 at 7:09 AM, Tom Wijsman <tom...@gentoo.org> wrote:
> On Thu, 05 Sep 2013 12:54:27 +0200
> Agostino Sarubbo <a...@gentoo.org> wrote:
>
>> On Thursday 05 September 2013 12:47:01 Tom Wijsman wrote:
>> > What I wonder about here is at which cost this does come, when
>> > looking at the fstack-protector then I see that it "emits extra
>> > code"; so, now the question is what kind of overhead this causes.
>>
>> We use -fstack-protector-all in the hardened profile, so it is not
>> unknown at all.
>>
>> > I am pretty sure security might not be that important on a real time
>> > system that perhaps isn't connected to the internet; so, besides
>> > making it the default, we might want to introduce the necessary
>> > means to turn it off again, by the very least perhaps documentation
>> > would suffice.
>> >
>> > Do you intend to discuss that flag or more generally any security
>> > flag?
>>
>> I just want to point out the thread because other people will have
>> something to say about it.
>
> Yes, I am aware of that, I am not saying it is unknown; but I am
> wondering about those questions: What kind of overhead does this cause?
> Do you intend to discuss that flag or more generally any security flag?
>

I suspect that this is minimal in most cases.  I used to use stack
protection for everything in the early days of amd64 and didn't have
performance issues when CPUs were considerably slower.  The bigger
issue was compatibility, which has likely improved.  I believe many
distros are using these flags more widely now, so the compatibility
issues may no longer exist.

Before any decision could be made we would at least need to assess the
compatibility issues for a broad number of packages.

Sure, we have hardened, but that is no reason to not consider enabling
the flag by default.  If the flag improves security and generally has
minimal downside then there really is no reason not to do so.
Hardened includes a lot of security improvements that come at a cost
of additional configuration, compatibility concerns, etc.

And to reduce the number of replies - I do realize that no compiler
option is a panacea whether we're talking about optimization or
security.  However, good security includes defense in depth, and stack
protection is an example of this.  Well-audited and designed code
still benefits from algorithmic protection since no review can be
certain to eliminate all security problems for a program of anything
more than trivial complexity.  I keep my system up-to-date and yet I
still run it behind a firewall.

Rich
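As an added illustration (not part of the thread), the following plain C emulates what -fstack-protector makes the compiler emit around a function with a local char array: a canary stored between the buffer and the saved return address in the prologue, and a compare in the epilogue that would call __stack_chk_fail on mismatch. The guard value, the frame layout and the inputs are constructed for the example; a real guard is random per process.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the per-process guard glibc keeps in TLS.
 * A real guard is random; its first byte in memory is zero so that a
 * NUL-terminated string copy stops before the rest of it. */
static const uintptr_t guard = 0x5a3c9e1f2b7d4600u;

/* Emulated frame: the compiler places the canary above local char
 * arrays, so an overflow out of buf must pass through it before it
 * can reach saved registers or the return address. */
struct frame {
    char buf[16];
    uintptr_t canary;
    uintptr_t saved_return; /* stands in for the real return address */
};

/* Emulates the protected function: prologue stores the canary, the body
 * does an unchecked copy (the bug), the epilogue re-checks the canary.
 * Returns 0 when the canary is intact, 1 when a smash was detected
 * (where real code would abort with "stack smashing detected"). */
int protected_copy(const char *input, size_t len)
{
    struct frame f;
    f.canary = guard;            /* prologue: store canary  */
    f.saved_return = 0xdeadbeef; /* constructed placeholder */
    if (len > sizeof f)          /* keep the emulation inside the object */
        len = sizeof f;
    /* Writes start at buf (the lowest address in the frame) and, for
     * len > sizeof buf, run on into the canary and saved_return. */
    memcpy((char *)&f, input, len);
    return f.canary != guard;    /* epilogue: canary check */
}

int main(void)
{
    const char ok[] = "hello";                          /* constructed */
    const char bad[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 31 bytes */
    printf("short copy detected smash: %d\n", protected_copy(ok, strlen(ok)));
    printf("long copy detected smash:  %d\n", protected_copy(bad, strlen(bad)));
    return 0;
}
```

The store and compare per protected function is the "extra code" discussed above; the check only fires for writes that run through the canary, so it does not cover out-of-bounds reads, heap corruption or overflows that stop short of it.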
