On 03/29/2013, Reindl Harald wrote:
> -fPIE code is larger and takes longer to execute. The cost
> minimal (< 2%) in many cases to 10% or more for "non-dynamic" arrays on
>
> i686 becomes more or less dead
> there could be made a difference in SPEC-files to in border
> cases only harden the x86_64 binaries because in context
> of servers i686 is already dead except legacy systems which
> are not relevant for recent fedora versions

The usage of i686 user-mode software is *INCREASING*, especially on x86_64 machines
which run a 64-bit kernel. The same amount of physical RAM can support several
percent more simultaneous 32-bit user-mode processes before paging. 64-bit .text,
pointers, and longs are larger. Only a few applications need a 64-bit address space.
It will be many years before i686 user mode dies.

> * please do not argue with "but you need this and this AND
> the experience of the last years shows how creative attackers
> are acting with RANDOM input data

I'm arguing the total expected benefit (integral over time of estimated
exposure times expected prevented loss) versus actual cost (more machines,
RAM, heat, [avoided] latency). I'm not convinced that PIE+RELRO
is worth it except for a process with elevated privilege or extended lifetime.
Please cite some documented cases where PIE and/or RELRO prevented or delayed
an actual loss, or signaled with sufficient warning to be useful. Meanwhile
I'm spending more each month to consume more resources because of PIE+RELRO.