Expanding the list of "Hardened Packages"

John Reiser jreiser at bitwagon.com
Fri Mar 29 22:07:28 UTC 2013


On 03/29/2013, Reindl Harald wrote:

>> -fPIE code is larger and takes longer to execute.  The cost varies from
>> minimal (< 2%) in many cases to 10% or more for "non-dynamic" arrays on i686
> 
> i686 becomes more or less dead
> 
> a distinction could be made in the SPEC files so that in border
> cases only the x86_64 binaries are hardened, because in the context
> of servers i686 is already dead except on legacy systems, which
> are not relevant for recent Fedora versions

The usage of i686 user-mode software is *INCREASING*, especially on x86_64 machines
which run a 64-bit kernel.  The same amount of physical RAM can support several
percent more simultaneous 32-bit user-mode processes before paging.  64-bit .text,
pointers, and longs are larger.  Only a few applications need a 64-bit address space.
It will be many years before i686 user mode dies.

[snip]
> * please do not argue with "but you need this and this AND this"
>   the experience of the last years shows how creative attackers
>   are acting with RANDOM input data

I'm arguing the total expected benefit (integral over time of estimated
exposure times expected prevented loss) versus actual cost (more machines,
RAM, heat, [avoided] latency).  I'm not convinced that PIE+RELRO
is worth it except for a process with elevated privilege or extended lifetime.

Please cite some documented cases where PIE and/or RELRO prevented or delayed
an actual loss, or signaled with sufficient warning to be useful.  Meanwhile
I'm spending more each month to consume more resources because of PIE+RELRO.

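A way to see concretely which binaries in a package carry the two properties this thread argues about, as an added example that is not part of this post or of Fedora's packaging tooling: a small Python checker that reads an ELF64 image and reports whether it is PIE (ET_DYN with an interpreter or the DF_1_PIE flag) and whether it has no, partial, or full RELRO (PT_GNU_RELRO plus BIND_NOW). The constants are the standard ELF values; build_sample constructs minimal test images and is only there so the checker can be exercised offline.

```python
import struct

# ELF constants used below (standard values from the ELF spec / glibc elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_INTERP, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

def hardening_status(elf: bytes) -> dict:
    """Report PIE and RELRO state of a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", elf, 16)
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    has_interp = has_relro = False
    dyn = {}
    for i in range(e_phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        has_interp |= p_type == PT_INTERP      # an interpreter means an executable
        has_relro |= p_type == PT_GNU_RELRO    # segment the loader remaps read-only
        if p_type == PT_DYNAMIC:               # collect dynamic tags until DT_NULL
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == DT_NULL:
                    break
                dyn[tag] = val
    bind_now = bool(DT_BIND_NOW in dyn or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    # ET_DYN alone is ambiguous (shared libraries are ET_DYN too): PIE needs an
    # interpreter or, on newer toolchains, the DF_1_PIE flag.
    pie = e_type == ET_DYN and (has_interp or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_PIE))
    # Full RELRO = RELRO segment + BIND_NOW, so the GOT is resolved, then made read-only
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"pie": pie, "relro": relro}

def build_sample(e_type, phdr_types, dyn_entries):
    """Constructed minimal ELF64 image for testing (not a loadable binary)."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries) + bytes(16)
    dyn_off = 64 + 56 * len(phdr_types)
    phdrs = b"".join(
        struct.pack("<IIQQQQQQ", t, 0, *((dyn_off, 0, 0, len(dyn), len(dyn))
                    if t == PT_DYNAMIC else (0,) * 5), 8) for t in phdr_types)
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdr_types), 64, 0, 0)
    return hdr + phdrs + dyn
```

On an installed binary, `hardening_status(open(path, "rb").read())` gives the same report, which is what a packager would compare against the cost figures quoted in the thread.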
More information about the devel mailing list