On Fri, Mar 29, 2013 at 5:38 PM, Dhiru Kholia <dhiru.kholia@gmail.com> wrote:
http://fedoraproject.org/wiki/Hardened_Packages page mentions
that "FESCo requires some packages to use PIE and relro hardening by

It would be great if this list could be expanded to include even more
packages which are at comparatively more risk of being exploited (locally
or remotely).

Such packages will typically include various system daemons, network
daemons and network enabled applications.

A lot of network daemons are already using PIE and RELRO (e.g. httpd,
MariaDB). So a natural question is why packages in the same "network
daemons" class like PostgreSQL, Dovecot and MongoDB aren't being

The more general reference is https://fedoraproject.org/wiki/Packaging:Guidelines?rd=PackagingGuidelines#PIE , which (at least in my reading) already covers these cases.  The packages should just be fixed to comply.

(Perhaps the wording could be improved - right now the "Other packages may enable the flags at the maintainer's discretion." contradicts the criteria above it.)
1. Hardening flags should be turned on (by default) for all packages
which are at comparatively more risk of being exploited or which meet
some well-defined criteria (suggestions welcome).

It's not only well-defined criteria (which we perhaps already have), but also easy-to-check criteria or ideally easy-to-automate criteria, so that this wouldn't require manual package maintainer decisions.  Does anyone have ideas how to design and implement such automatable criteria?

"Packaging Guidelines" say that "Other packages may enable the flags at
the maintainer's discretion."

Thinking from a security perspective, I find "Hardening flags can only
be disabled for other packages at the maintainer's discretion provided
enough justification is given to FESCo" to be more appropriate.

In other words, to enable PIE by default?

(For others - please read the FESCo ticket, it links to 2 papers measuring the performance impact, although they probably don't measure the case we are interested in, with PIE interacting with prelink - and they are all synthetic benchmarks, not measuring actual system performance in real-world use.)
The ~10% overhead on i686 makes this probably not worth it.

The ~3,6% overhead measured on x86_64 seems (with my little compiler background) rather high - what do the compiler developers think?  (Again, note that the data we have probably don't measure the relevant case.)

Looking at it from another angle, enabling PIE impacts only code in executables, not in libraries; how much of Fedora's CPU-intensive code actually resides in executables?  For image/video processing, I'd expect the vast majority of the "hot" code to actually reside in libraries and thus not be impacted by using PIE for executables; can anyone comment on how performance-relevant applications (e.g. httpd, Java runtimes or say Firefox) are structured in this respect - or even better, measure it?
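As an added example (not part of this thread or of Fedora's tooling) of the kind of easy-to-automate check the reply above asks for: a stdlib-only Python parser that reads an ELF64 little-endian image's program headers and dynamic table and reports whether the binary is a PIE and whether it has no, partial or full RELRO. The build_sample_elf helper is an assumption of this example; it constructs a minimal test image, not a real package binary.

```python
import struct

# ELF constants from the ELF gABI / GNU extensions; only ELF64 little-endian is handled here.
ET_EXEC, ET_DYN, PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def hardening_status(elf: bytes) -> dict:
    """Return {'pie': bool, 'relro': 'none'|'partial'|'full'} for an ELF64 LE image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled")
    (e_type,) = struct.unpack_from("<H", elf, 16)
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    has_interp = has_relro = bind_now = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", elf, off)
        if p_type == PT_INTERP:        # ET_DYN plus an interpreter is a PIE executable, not a plain .so
            has_interp = True
        elif p_type == PT_GNU_RELRO:   # segment remapped read-only after relocation (-z relro)
            has_relro = True
        elif p_type == PT_DYNAMIC:     # walk the dynamic entries looking for BIND_NOW (-z now)
            for pos in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, pos)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    pie = e_type == ET_DYN and has_interp
    relro = "full" if has_relro and bind_now else ("partial" if has_relro else "none")
    return {"pie": pie, "relro": relro}

def build_sample_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image (header, program headers, dynamic table); not a runnable program."""
    phdrs = [PT_INTERP, PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_entries = ([(DT_FLAGS, DF_BIND_NOW)] if bind_now else []) + [(DT_NULL, 0)]
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    phoff, phentsize = 64, 56
    dyn_off = phoff + phentsize * len(phdrs)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, phoff, 0, 0,
        64, phentsize, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, 4, dyn_off if t == PT_DYNAMIC else 0,
                                0, 0, len(dyn) if t == PT_DYNAMIC else 0, 0, 8) for t in phdrs)
    return ehdr + body + dyn
```

To check an installed binary, pass its contents, e.g. `hardening_status(open("/usr/sbin/httpd", "rb").read())`; a build-time check could reject a package whose executables report `pie: False` or anything but `relro: "full"`.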