On 2/23/19 4:36 PM, Dave Taht wrote:
> Hauke Mehrtens <ha...@hauke-m.de> writes:
>
>> On 2/13/19 11:51 PM, Felix Fietkau wrote:
>>> On 2019-02-13 23:15, Hauke Mehrtens wrote:
>>>> This will build all executables as Position Independent Executables (PIE)
>>>> by default. PIE executables can make full use of Address Space Layout
>>>> Randomization (ASLR) because all sections can be placed at random
>>>> offsets of the executed program. This makes it harder to exploit bugs
>>>> in our binaries.
>>>>
>>>> This will increase the size of executables; libraries are already built
>>>> position independent and their size will not change.
>>>>
>>>> This increases the size of the resulting images by about 3% on MIPS BE.
>>>> I tested this with the default configuration for the lantiq xrx200
>>>> target.
>>>>
>>>> The size of the initramfs binaries increased by 2.88%:
>>>> Without PIE:
>>>> 5.303.716 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin
>>>> With PIE:
>>>> 5.456.339 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin
>>>>
>>>> With PIE activated the executables are getting bigger; here are some
>>>> examples from the lantiq mips_24kc target:
>>>>
>>>> Without PIE:
>>>> 112.309 /bin/opkg
>>>> 299.061 /bin/busybox
>>>> 456.549 /usr/sbin/wpad
>>>>
>>>> With PIE:
>>>> 142.496 /bin/opkg (26.87% increase)
>>>> 388.404 /bin/busybox (29.87% increase)
>>>> 580.128 /usr/sbin/wpad (27.06% increase)
>>>>
>>>> With PIE activated the sections of the binaries are loaded to
>>>> different offsets for each program instance, as shown here:
>>>>
>>>> root@OpenWrt:/# cat /proc/self/maps
>>>> 555c4000-55622000 r-xp 00000000 00:02 1030 /bin/busybox
>>>> 55631000-55632000 r-xp 0005d000 00:02 1030 /bin/busybox
>>>> 55632000-55633000 rwxp 0005e000 00:02 1030 /bin/busybox
>>>> 55633000-55634000 rwxp 00000000 00:00 0
>>>> 77ee2000-77f04000 r-xp 00000000 00:02 331 /lib/libgcc_s.so.1
>>>> 77f04000-77f05000 r-xp 00012000 00:02 331 /lib/libgcc_s.so.1
>>>> 77f05000-77f06000 rwxp 00013000 00:02 331 /lib/libgcc_s.so.1
>>>> 77f06000-77f9a000 r-xp 00000000 00:02 329 /lib/libc.so
>>>> 77fa9000-77fab000 rwxp 00093000 00:02 329 /lib/libc.so
>>>> 77fab000-77fad000 rwxp 00000000 00:00 0
>>>> 7fb26000-7fb47000 rw-p 00000000 00:00 0 [stack]
>>>> 7fefb000-7fefc000 r-xp 00000000 00:00 0
>>>> 7ff0a000-7ff0b000 r--p 00000000 00:00 0 [vvar]
>>>> 7ff0b000-7ff0c000 r-xp 00000000 00:00 0 [vdso]
>>>> root@OpenWrt:/# cat /proc/self/maps
>>>> 5561d000-5567b000 r-xp 00000000 00:02 1030 /bin/busybox
>>>> 5568a000-5568b000 r-xp 0005d000 00:02 1030 /bin/busybox
>>>> 5568b000-5568c000 rwxp 0005e000 00:02 1030 /bin/busybox
>>>> 5568c000-5568d000 rwxp 00000000 00:00 0
>>>> 77e8e000-77eb0000 r-xp 00000000 00:02 331 /lib/libgcc_s.so.1
>>>> 77eb0000-77eb1000 r-xp 00012000 00:02 331 /lib/libgcc_s.so.1
>>>> 77eb1000-77eb2000 rwxp 00013000 00:02 331 /lib/libgcc_s.so.1
>>>> 77eb2000-77f46000 r-xp 00000000 00:02 329 /lib/libc.so
>>>> 77f55000-77f57000 rwxp 00093000 00:02 329 /lib/libc.so
>>>> 77f57000-77f59000 rwxp 00000000 00:00 0
>>>> 7fd1c000-7fd3d000 rw-p 00000000 00:00 0 [stack]
>>>> 7fefb000-7fefc000 r-xp 00000000 00:00 0
>>>> 7ff60000-7ff61000 r--p 00000000 00:00 0 [vvar]
>>>> 7ff61000-7ff62000 r-xp 00000000 00:00 0 [vdso]
>>>> root@OpenWrt:/#
>>>>
>>>> Signed-off-by: Hauke Mehrtens <ha...@hauke-m.de>
>>>> ---
>>>>
>>>> I would like to get some comments on whether we should activate PIE by default.
>>>> The advantage is that it will be harder to exploit OpenWrt, but on the
>>>> other hand the binaries are getting bigger. We could also restrict this
>>>> to some CPU types, but as targets share the binaries it is not really
>>>> possible to do this based on the target.
>>>>
>>>> I am not sure if this should go into the next release or wait for later.
>>>>
>>>> This could also break some packages. As it has been possible to activate PIE
>>>> by default for some time, many bugs are already fixed, but probably not
>>>> all of them.
>>> I think this is a lot of extra bloat. Maybe we can add a restricted PIE
>>> mode where packages can opt in individually?
>>
>> So we should probably make it a choice with 3 options:
>> 1. No PIE
>> 2. Use PIE for exposed binaries
>> 3. Use PIE for all binaries
>
> I hate that we have to make choices like this for space reasons. Option
> 2 will help but means attackers will try to go after something else.

We could also make this dependent on the architecture. I think devices with
ARM64 or x86 CPUs normally also have much RAM and flash, while many MIPS
based devices are constrained.

> By exposed, you mean "on the network", I guess?

Yes, with exposed applications I meant exposed from the network, like
dnsmasq, dropbear and so on.

>> Then we need something in addition to the existing PKG_ASLR_PIE we
>> already have to deactivate it.
>>
>> Do we want a generic name like this:
>> PKG_CRITICAL
>> or something specific to PIE:
>> PKG_ASLR_PIE_PREFERED
>>
>> Hauke
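The thread verifies PIE by eyeballing two /proc/self/maps captures. The following is an added example, not code from the thread or from the OpenWrt project, that automates the two checks a defender would run after such a build: it parses maps output and reports which file-backed objects actually land at different base addresses between runs, and it reads the e_type field of an ELF header (honouring the endianness byte, since the thread's target is MIPS BE) to confirm a binary was linked as ET_DYN, which is what a PIE looks like on disk. It also lists mappings that are both writable and executable, which the captured output shows for the data segments. The two maps captures reuse the addresses quoted in the thread, trimmed to the lines needed; the ELF headers are constructed sample bytes, not taken from any real OpenWrt binary.

```python
"""Added example: check that PIE/ASLR took effect on a built image.

MAPS_RUN1/MAPS_RUN2 are constructed from the addresses quoted in the
thread; sample_header() builds constructed ELF32 header bytes."""
import struct

MAPS_RUN1 = """\
555c4000-55622000 r-xp 00000000 00:02 1030 /bin/busybox
55631000-55632000 r-xp 0005d000 00:02 1030 /bin/busybox
55632000-55633000 rwxp 0005e000 00:02 1030 /bin/busybox
55633000-55634000 rwxp 00000000 00:00 0
77ee2000-77f04000 r-xp 00000000 00:02 331 /lib/libgcc_s.so.1
77f06000-77f9a000 r-xp 00000000 00:02 329 /lib/libc.so
7fb26000-7fb47000 rw-p 00000000 00:00 0 [stack]
7ff0b000-7ff0c000 r-xp 00000000 00:00 0 [vdso]
"""

MAPS_RUN2 = """\
5561d000-5567b000 r-xp 00000000 00:02 1030 /bin/busybox
5568a000-5568b000 r-xp 0005d000 00:02 1030 /bin/busybox
5568b000-5568c000 rwxp 0005e000 00:02 1030 /bin/busybox
5568c000-5568d000 rwxp 00000000 00:00 0
77e8e000-77eb0000 r-xp 00000000 00:02 331 /lib/libgcc_s.so.1
77eb2000-77f46000 r-xp 00000000 00:02 329 /lib/libc.so
7fd1c000-7fd3d000 rw-p 00000000 00:00 0 [stack]
7ff61000-7ff62000 r-xp 00000000 00:00 0 [vdso]
"""


def parse_maps(text):
    """Parse /proc/<pid>/maps lines; anonymous mappings get an empty path."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        start, end = (int(x, 16) for x in parts[0].split("-"))
        rows.append({
            "start": start, "end": end, "perms": parts[1],
            "offset": int(parts[2], 16),
            "path": parts[5] if len(parts) == 6 else "",
        })
    return rows


def load_base(rows, path):
    """Load address of an object: its mapping that starts at file offset 0."""
    return min(r["start"] for r in rows
               if r["path"] == path and r["offset"] == 0)


def randomized_objects(run1, run2):
    """File-backed objects whose load address differs between two runs.
    A non-PIE executable would keep the same base and be missing here."""
    a, b = parse_maps(run1), parse_maps(run2)
    paths = {r["path"] for r in a if r["path"].startswith("/")}
    return {p for p in paths if load_base(a, p) != load_base(b, p)}


def wx_mappings(text):
    """Mappings that are writable and executable at the same time."""
    return [r for r in parse_maps(text)
            if "w" in r["perms"] and "x" in r["perms"]]


ET_EXEC, ET_DYN = 2, 3   # ELF e_type values
EM_MIPS = 8              # ELF e_machine value for MIPS


def elf_type(header):
    """Return the e_type name, reading EI_DATA (byte 5: 1 = LE, 2 = BE)
    so MIPS big-endian headers are decoded correctly."""
    if header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if header[5] == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", header, 16)
    return {ET_EXEC: "ET_EXEC", ET_DYN: "ET_DYN"}.get(e_type, "other")


def is_pie(header):
    """A PIE is linked as ET_DYN; a fixed-address executable is ET_EXEC."""
    return elf_type(header) == "ET_DYN"


def sample_header(e_type, big_endian=True):
    """Constructed minimal 20-byte ELF32 header (e_ident, e_type, e_machine)."""
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1]) + b"\0" * 9
    return ident + struct.pack((">" if big_endian else "<") + "HH",
                               e_type, EM_MIPS)


if __name__ == "__main__":
    print("randomized:", sorted(randomized_objects(MAPS_RUN1, MAPS_RUN2)))
    print("W+X mappings in run 1:", len(wx_mappings(MAPS_RUN1)))
    # On a real system read the first 20 bytes of the file instead:
    # with open("/bin/busybox", "rb") as f: is_pie(f.read(20))
    print("constructed ET_DYN header is PIE:", is_pie(sample_header(ET_DYN)))
```

On a live device the maps text comes from two separate `cat /proc/self/maps` invocations, as in the thread, and the header bytes from the first 20 bytes of the binary under test; the relocation-heavy `.rel.dyn` sections behind the size increase the thread measures are not inspected here.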