On Fri, Mar 29, 2013 at 5:38 PM, Dhiru Kholia <dhiru.kholia(a)gmail.com> wrote:
that "FESCo requires some packages to use PIE and relro hardening by
It would be great if this list could be expanded to include even more
packages which are at comparatively more risk of being exploited (locally
Such packages will typically include various system daemons, network
daemons and network enabled applications.
A lot of network daemons are already using PIE and RELRO (e.g. httpd,
MariaDB). So a natural question is why packages in the same "network
daemons" class like PostgreSQL, Dovecot and MongoDB aren't being
The more general reference is
which (at least in my reading) already covers these cases. The
should just be fixed to comply.
(Perhaps the wording could be improved - right now the "Other packages may
enable the flags at the maintainer's discretion." contradicts the criteria
1. Hardening flags should be turned on (by default) for all packages
which are at comparatively more risk of being exploited or which meet
some well-defined criteria (suggestions welcome).
It's not only well-defined criteria (which we perhaps already have), but
also easy-to-check criteria or ideally easy-to-automate criteria, so that
this wouldn't require manual package maintainer decisions. Does anyone
have ideas how to design and implement such automatable criteria?
"Packaging Guidelines" say that "Other packages may enable the flags at
the maintainer's discretion."
Thinking from a security perspective, I find "Hardening flags can only
be disabled for other packages at the maintainer's discretion provided
enough justification is given to FESCo" to be more appropriate.
In other words, to enable PIE by default?
(For others - please read the FESCo ticket, it links to 2 papers measuring
the performance impact, although they probably don't measure the case we
are interested in, with PIE interacting with prelink - and they are all
synthetic benchmarks, not measuring actual system performance in real-world
The ~10% overhead on i686 makes this probably not worth it.
The ~3.6% overhead measured on x86_64 seems (with my little compiler
background) rather high - what do the compiler developers think? (Again,
note that the data we have probably don't measure the relevant case.)
Looking at it from another angle, enabling PIE impacts only code in
executables, not in libraries; how much of Fedora's CPU-intensive code
actually resides in executables? For image/video processing, I'd expect
the vast majority of the "hot" code to actually reside in libraries and
thus not be impacted by using PIE for executables; can anyone comment on
how are performance-relevant applications (e.g. httpd, Java runtimes or say
Firefox) structured in this respect - or even better, measure it?
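As an added example (not part of the thread above or of Fedora's own tooling): the "easy-to-check, ideally easy-to-automate" criterion asked for earlier can at least be verified after the fact by reading the ELF headers directly, which is what `readelf -h`, `readelf -l` and `readelf -d` let you do by hand. The script below classifies a little-endian ELF64 image as a PIE executable, a non-PIE executable or a shared object, and reports RELRO as none, partial (a PT_GNU_RELRO segment only) or full (PT_GNU_RELRO plus BIND_NOW in the dynamic section). The function names `check_hardening` and `build_elf` are hypothetical; `build_elf` only constructs minimal, non-loadable sample images so the check can be exercised offline, and real binaries are passed on the command line.

```python
import struct
import sys

# ELF constants as defined in the ELF ABI / glibc elf.h
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_RELRO = 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes


def check_hardening(data: bytes) -> dict:
    """Classify an ELF64 image (hypothetical helper, not Fedora tooling).

    PIE: e_type == ET_DYN is necessary but not sufficient, because shared
    libraries are ET_DYN too; we additionally require a PT_INTERP segment
    or the DF_1_PIE flag before calling something a PIE executable.
    RELRO: 'partial' with a PT_GNU_RELRO segment, 'full' only when the
    dynamic section also asks for BIND_NOW (DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW).
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    ehdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = ehdr[1], ehdr[5], ehdr[9], ehdr[10]

    has_interp = has_relro = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    bind_now, flags_1 = False, 0
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, DYN.size):
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW):
                bind_now = True
            elif tag == DT_FLAGS_1:
                flags_1 = val
                if val & DF_1_NOW:
                    bind_now = True

    if e_type == ET_EXEC:
        kind = "executable"
    elif e_type == ET_DYN and (has_interp or flags_1 & DF_1_PIE):
        kind = "pie-executable"
    elif e_type == ET_DYN:
        kind = "shared-object"
    else:
        kind = "other"
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"kind": kind, "pie": kind == "pie-executable", "relro": relro}


def build_elf(e_type, *, interp=True, relro=True, bind_now=True, pie_flag=False):
    """Constructed minimal ELF64 image for testing only (not loadable)."""
    dyn = []
    if bind_now:
        dyn.append((DT_FLAGS, DF_BIND_NOW))
    flags_1 = (DF_1_NOW if bind_now else 0) | (DF_1_PIE if pie_flag else 0)
    if flags_1:
        dyn.append((DT_FLAGS_1, flags_1))
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(DYN.pack(t, v) for t, v in dyn)

    n_phdr = 1 + int(interp) + int(relro)
    dyn_off = EHDR.size + PHDR.size * n_phdr
    phdrs = b""
    if interp:
        phdrs += PHDR.pack(PT_INTERP, 4, 0, 0, 0, 0, 0, 1)
    if relro:
        phdrs += PHDR.pack(PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    phdrs += PHDR.pack(PT_DYNAMIC, 6, dyn_off, 0, 0,
                       len(dyn_bytes), len(dyn_bytes), 8)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LSB, version 1
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, n_phdr, 64, 0, 0)
    return ehdr + phdrs + dyn_bytes


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_hardening(f.read()))
```

Run it as `python3 check_hardening.py /usr/sbin/httpd /usr/bin/*` to get one line per file; anything reported as `executable` (non-PIE) or with `relro` other than `full` is a candidate for the hardening flags. The PT_INTERP / DF_1_PIE test matters for automation: a naive "is it ET_DYN" rule would count every shared library as already hardened.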