Expanding the list of "Hardened Packages"

Miloslav Trmač mitr at volny.cz
Fri Mar 29 21:34:29 UTC 2013


Hello,
On Fri, Mar 29, 2013 at 5:38 PM, Dhiru Kholia <dhiru.kholia at gmail.com> wrote:

> http://fedoraproject.org/wiki/Hardened_Packages page mentions
> that "FESCo requires some packages to use PIE and relro hardening by
> default."
>
> It would be great if this list could be expanded to include even more
> packages which are at comparatively more risk of being exploited (locally
> or remotely).
>
> Such packages will typically include various system daemons, network
> daemons and network enabled applications.
>
> Lot of network daemons are already using PIE and RELRO (e.g. httpd,
> MariaDB). So a natural question is why packages in same "network
> daemons" class like PostgreSQL, Dovecot and MongoDB aren't being
> hardened?
>

The more general reference is
https://fedoraproject.org/wiki/Packaging:Guidelines?rd=PackagingGuidelines#PIE,
which (at least in my reading) already covers these cases.  The packages
should just be fixed to comply.

(Perhaps the wording could be improved - right now the "Other packages may
enable the flags at the maintainer's discretion." contradicts the criteria
above it.)



> 1. Hardening flags should be turned on (by default) for all packages
> which are at comparatively more risk of being exploited or which meet
> some well-defined criteria (suggestions welcome).
>

It's not only well-defined criteria (which we perhaps already have), but
also easy-to-check criteria or ideally easy-to-automate criteria, so that
this wouldn't require manual package maintainer decisions.  Does anyone
have ideas how to design and implement such automatable criteria?


> "Packaging Guidelines" say that "Other packages may enable the flags at
> the maintainer's discretion."
>
> Thinking from a security perspective, I find "Hardening flags can only
> be disabled for other packages at the maintainer's discretion provided
> enough justification is given to FESCo" to be more appropriate.
>

In other words, to enable PIE by default?

(For others - please read the FESCo ticket, it links to 2 papers measuring
the performance impact, although they probably don't measure the case we
are interested in, with PIE interacting with prelink - and they are all
synthetic benchmarks, not measuring actual system performance in real-world
use.)

The ~10% overhead on i686 makes this probably not worth it.

The ~3.6% overhead measured on x86_64 seems (with my little compiler
background) rather high - what do the compiler developers think?  (Again,
note that the data we have probably don't measure the relevant case.)


Looking at it from another angle, enabling PIE impacts only code in
executables, not in libraries; how much of Fedora's CPU-intensive code
actually resides in executables?  For image/video processing, I'd expect
the vast majority of the "hot" code to actually reside in libraries and
thus not be impacted by using PIE for executables; can anyone comment on
how performance-relevant applications (e.g. httpd, Java runtimes or say
Firefox) are structured in this respect - or even better, measure it?
    Mirek
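As an added example (not part of the thread, and not code that Fedora or any of the named projects ship), here is a small Python checker for the kind of automatable criterion discussed above: it reads the ELF header, program headers and dynamic section of a binary directly and reports whether an executable was built as PIE (ET_DYN with a PT_INTERP segment) and whether it has no, partial or full RELRO (PT_GNU_RELRO with or without BIND_NOW). It assumes ELF64 little-endian images (x86_64) and assumes the policy target is "PIE plus full RELRO for executables"; both are assumptions, as is the `build_elf` helper, which constructs minimal synthetic images so the checker can be exercised offline.

```python
"""Check ELF binaries for PIE and RELRO by parsing the ELF header, program
headers and dynamic section.  Assumption: ELF64 little-endian only, which
keeps the parser short (a real package scanner would also handle ELF32)."""
import struct

# Constants from the ELF specification and the GNU extensions.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn, 16 bytes


def check_hardening(data):
    """Return {'type', 'executable', 'pie', 'relro'} for one ELF image.

    executable: True when a PT_INTERP segment is present (needs ld.so)
    pie       : True/False for executables, None for libraries
    relro     : 'none' (no PT_GNU_RELRO), 'partial' (RELRO segment but lazy
                binding), 'full' (RELRO segment plus BIND_NOW, so the GOT
                is read-only once startup relocation is done)
    """
    (ident, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not an ELF64 little-endian image")
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    types = {p[0] for p in phdrs}
    executable = PT_INTERP in types
    bind_now = False
    for p_type, _, p_offset, _, _, p_filesz, _, _ in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        # Walk the dynamic section until DT_NULL, looking for any of the
        # three ways the linker can request immediate binding.
        for off in range(p_offset, p_offset + p_filesz, DYN.size):
            d_tag, d_val = DYN.unpack_from(data, off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bind_now = True
    if PT_GNU_RELRO not in types:
        relro = "none"
    else:
        relro = "full" if bind_now else "partial"
    return {
        "type": "DYN" if e_type == ET_DYN else "EXEC",
        "executable": executable,
        "pie": (e_type == ET_DYN) if executable else None,
        "relro": relro,
    }


def needs_hardening(result):
    """Assumed policy: executables must be PIE and have full RELRO."""
    return bool(result["executable"]
                and (not result["pie"] or result["relro"] != "full"))


def check_file(path):
    with open(path, "rb") as f:
        return check_hardening(f.read())


def build_elf(e_type, interp=True, relro=False, bind_now=False):
    """Constructed minimal ELF64 image for offline testing: not loadable,
    just the headers and dynamic entries the checker reads."""
    dyn = (DYN.pack(DT_FLAGS, DF_BIND_NOW) if bind_now else b"")
    dyn += DYN.pack(DT_NULL, 0)
    ptypes = ([PT_DYNAMIC] + ([PT_INTERP] if interp else [])
              + ([PT_GNU_RELRO] if relro else []))
    dyn_off = EHDR.size + PHDR.size * len(ptypes)
    phdrs = b"".join(
        PHDR.pack(t, 4, dyn_off if t == PT_DYNAMIC else 0, 0, 0,
                  len(dyn) if t == PT_DYNAMIC else 0, 0, 8)
        for t in ptypes)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0, EHDR.size,
                     PHDR.size, len(ptypes), 0, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        r = check_file(path)
        print(path, r, "NEEDS HARDENING" if needs_hardening(r) else "ok")
```

Run it over the files a package installs (for example `python3 check.py /usr/bin/*`) and the "NEEDS HARDENING" lines are the candidates for a guideline-compliance bug, with no maintainer judgement involved. Libraries come out as `pie: None` because they are position-independent by construction and the PIE criterion only applies to executables.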