Expanding the list of "Hardened Packages"

John Reiser jreiser at bitwagon.com
Fri Mar 29 17:48:00 UTC 2013


On 03/29/2013 09:38 AM, Dhiru Kholia wrote:

> A lot of network daemons are already using PIE and RELRO (e.g. httpd,
> MariaDB). So a natural question is why packages in the same "network
> daemons" class like PostgreSQL, Dovecot and MongoDB aren't being
> hardened?
> Some of the ways to implement this proposal are,
> 
> 1. Hardening flags should be turned on (by default) for all packages
> which are at comparatively more risk of being exploited or which meet
> some well-defined criteria (suggestions welcome).
> 
> "Packaging Guidelines" say that "Other packages may enable the flags at
> the maintainer's discretion."
> 
> Thinking from a security perspective, I find "Hardening flags can only
> be disabled for other packages at the maintainer's discretion provided
> enough justification is given to FESCo" to be more appropriate.

-fPIE code is larger and takes longer to execute.  The cost varies from
minimal (< 2%) in many cases to 10% or more for "non-dynamic" arrays on i686.
-fPIE for Thumb mode on ARM is particularly painful.

RELRO can cost one extra page of physical RAM per process because the placement
of the RELRO region tends to increase fragmentation and decrease sharability.

I suggest that any requirement for increased hardening be restricted to only
those programs which execute with elevated privileges.  The package maintainer
should retain primary discretion for anything which executes with "ordinary"
user privileges.

-- 
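
Added example, not part of the original message or of any Fedora tooling: a Python check of whether an ELF64 binary was linked as PIE and with partial or full RELRO, which is what a packager would inspect when auditing daemons like those named in the thread. The names `hardening` and `sample_elf` are hypothetical, and the sample image is constructed so the code runs offline.

```python
import struct

ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def hardening(elf: bytes) -> dict:
    """Return PIE and RELRO status for a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("expected a little-endian ELF64 file")
    (e_type,) = struct.unpack_from("<H", elf, 16)
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    relro = bind_now = False
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, _, p_offset = struct.unpack_from("<IIQ", elf, base)
        (p_filesz,) = struct.unpack_from("<Q", elf, base + 32)
        if p_type == PT_GNU_RELRO:
            relro = True  # loader remaps this range read-only after relocation
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic section looking for any "bind now" marker.
            for off in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", elf, off)
                if d_tag == DT_NULL:
                    break
                bind_now |= (d_tag == DT_BIND_NOW
                             or (d_tag == DT_FLAGS and bool(d_val & DF_BIND_NOW))
                             or (d_tag == DT_FLAGS_1 and bool(d_val & DF_1_NOW)))
    # Partial RELRO leaves .got.plt writable for lazy binding; full needs BIND_NOW too.
    level = "full" if relro and bind_now else "partial" if relro else "none"
    # ET_DYN covers PIE executables and shared libraries alike.
    return {"pie": e_type == ET_DYN, "relro": level}

def sample_elf(e_type: int, relro: bool, bind_now: bool) -> bytes:
    """Constructed image: ELF64 header, two program headers, one dynamic section."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 2 * 56  # header size plus two program headers
    ehdr = struct.pack("<6s10xHHIQQQIHHHHHH", b"\x7fELF\x02\x01",
                       e_type, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    def ph(p_type):
        return struct.pack("<IIQQQQQQ", p_type, 4, dyn_off, dyn_off, dyn_off,
                           len(dyn), len(dyn), 8)
    return ehdr + ph(PT_DYNAMIC) + ph(PT_GNU_RELRO if relro else 0) + dyn

if __name__ == "__main__":
    print(hardening(sample_elf(ET_DYN, relro=True, bind_now=True)))
```

To audit an installed binary, pass the bytes of the file to `hardening`; 32-bit and big-endian ELF files are rejected rather than guessed at.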

