<div dir="ltr">Hello,<br><div><div class="gmail_extra">On Fri, Mar 29, 2013 at 5:38 PM, Dhiru Kholia <span dir="ltr"><<a href="mailto:dhiru.kholia@gmail.com" target="_blank">dhiru.kholia@gmail.com</a>></span> wrote:<br>
<div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><a href="http://fedoraproject.org/wiki/Hardened_Packages" target="_blank">http://fedoraproject.org/wiki/Hardened_Packages</a> page mentions<br>
that "FESCo requires some packages to use PIE and relro hardening by<br>
default."<br>
<br>
It would be great if this list could be expanded to include even more<br>
packages which are at comparatively more risk of being exploited (locally<br>
or remotely).<br>
<br>
Such packages will typically include various system daemons, network<br>
daemons and network enabled applications.<br>
<br>
Lot of network daemons are already using PIE and RELRO (e.g. httpd,<br>
MariaDB). So a natural question is why packages in same "network<br>
daemons" class like PostgreSQL, Dovecot and MongoDB aren't being<br>
hardened?<br></blockquote><div><br></div><div>The more general reference is <a href="https://fedoraproject.org/wiki/Packaging:Guidelines?rd=PackagingGuidelines#PIE">https://fedoraproject.org/wiki/Packaging:Guidelines?rd=PackagingGuidelines#PIE</a> , which (at least in my reading) already covers these cases. The packages should just be fixed to comply.<br>
<br></div><div>(Perhaps the wording could be improved - right now the "Other packages may enable the flags at the maintainer's discretion." contradicts the criteria above it.)<br></div><div> <br></div><div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
1. Hardening flags should be turned on (by default) for all packages<br>
which are at comparatively more risk of being exploited or which meet<br>
some well-defined criteria (suggestions welcome).<br></blockquote><div><br></div><div>It's not only well-defined criteria (which we perhaps already have), but also easy-to-check criteria or ideally easy-to-automate criteria, so that this wouldn't require manual package maintainer decisions. Does anyone have ideas how to design and implement such automatable criteria?<br>
<br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
"Packaging Guidelines" say that "Other packages may enable the flags at<br>
the maintainer's discretion."<br>
<br>
Thinking from a security perspective, I find "Hardening flags can only<br>
be disabled for other packages at the maintainer's discretion provided<br>
enough justification is given to FESCo" to be more appropriate.<br></blockquote><div><br>In other words, to enable PIE by default?<br><br></div><div>(For others - please read the FESCo ticket, it links to 2 papers measuring the performance impact, although they probably don't measure the case we are interested in, with PIE interacting with prelink - and they are all synthetic benchmarks, not measuring actual system performance in real-world use.)<br>
</div><div> </div>The ~10% overhead on i686 makes this probably not worth it.<br><br>The ~3,6% overhead measured on x86_64 seems (with my little compiler background) rather high - what do the compiler developers think? (Again, note that the data we have probably don't measure the relevant case.)<br>
<br><br></div><div class="gmail_quote">Looking at it from another angle, enabling PIE impacts only code in executables, not in libraries; how much of Fedora's CPU-intensive code actually resides in executables? For image/video processing, I'd expect the vast majority of the "hot" code to actually reside in libraries and thus not be impacted by using PIE for executables; can anyone comment on how are preformance-relevant applications (e.g. httpd, Java runtimes or say Firefox) structured in this respect - or even better, measure it?<br>
</div><div class="gmail_quote"> Mirek<br></div></div></div></div>