Expanding the list of "Hardened Packages"
John Reiser
jreiser at bitwagon.com
Fri Mar 29 22:07:28 UTC 2013
On 03/29/2013, Reindl Harald wrote:
>> -fPIE code is larger and takes longer to execute. The cost varies from
>> minimal (< 2%) in many cases to 10% or more for "non-dynamic" arrays on i686
>
> i686 becomes more or less dead
>
> a distinction could be made in SPEC files to harden only the
> x86_64 binaries in border cases, because in the context
> of servers i686 is already dead except for legacy systems, which
> are not relevant for recent Fedora versions

The usage of i686 user-mode software is *INCREASING*, especially on x86_64 machines
which run a 64-bit kernel. The same amount of physical RAM can support several
percent more simultaneous 32-bit user-mode processes before paging. 64-bit .text,
pointers, and longs are larger. Only a few applications need a 64-bit address space.
It will be many years before i686 user mode dies.
[snip]
> * please do not argue with "but you need this and this AND this"
> the experience of the last years shows how creative attackers
> are acting with RANDOM input data

I'm arguing the total expected benefit (integral over time of estimated
exposure times expected prevented loss) versus actual cost (more machines,
RAM, heat, [avoided] latency). I'm not convinced that PIE+RELRO
is worth it except for a process with elevated privilege or extended lifetime.
Please cite some documented cases where PIE and/or RELRO prevented or delayed
an actual loss, or signaled with sufficient warning to be useful. Meanwhile
I'm spending more each month to consume more resources because of PIE+RELRO.
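
To see, binary by binary, whether the PIE and RELRO hardening debated in this thread is actually in effect, the following added example (not part of the original message or of any Fedora tooling) reads an ELF file's program headers and dynamic section. The function name `elf_hardening` is an assumption, and treating an `ET_DYN` file with a `PT_INTERP` segment as PIE is a heuristic.

```python
import struct, sys

PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, ET_DYN = 0x8, 0x1, 3

def elf_hardening(data):
    """Report ELF class, PIE and RELRO status for an ELF image given as bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                       # EI_CLASS: 1 = ELF32, 2 = ELF64
    en = "<" if data[5] == 1 else ">"         # EI_DATA: 1 = little-endian
    word = "Q" if is64 else "I"               # address/offset field width
    e_type, = struct.unpack_from(en + "H", data, 16)
    phoff, = struct.unpack_from(en + word, data, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(en + "HH", data, 54 if is64 else 42)
    interp = relro = bind_now = False
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(en + "I", data, base)
        interp |= p_type == PT_INTERP
        relro |= p_type == PT_GNU_RELRO
        if p_type != PT_DYNAMIC:
            continue
        # p_offset, p_vaddr, p_paddr, p_filesz: after p_type (ELF32) or p_flags (ELF64)
        off, _, _, size = struct.unpack_from(en + 4 * word, data, base + (8 if is64 else 4))
        fmt, step = (en + "qQ", 16) if is64 else (en + "iI", 8)
        for pos in range(off, off + size, step):
            tag, val = struct.unpack_from(fmt, data, pos)
            if tag == DT_NULL:
                break
            # Eager binding is what makes the GOT read-only too ("full" RELRO)
            bind_now |= tag == DT_BIND_NOW
            bind_now |= tag == DT_FLAGS and bool(val & DF_BIND_NOW)
            bind_now |= tag == DT_FLAGS_1 and bool(val & DF_1_NOW)
    return {"class": "ELF64" if is64 else "ELF32",
            # Heuristic (assumption): ET_DYN that requests an interpreter is a PIE
            "pie": e_type == ET_DYN and interp,
            "relro": ("full" if bind_now else "partial") if relro else "none"}

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, elf_hardening(fh.read()))
```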