Expanding the list of "Hardened Packages"
Reindl Harald
h.reindl at thelounge.net
Fri Mar 29 22:20:25 UTC 2013
On 29.03.2013 23:07, John Reiser wrote:
> On 03/29/2013, Reindl Harald wrote:
>
>>> -fPIE code is larger and takes longer to execute. The cost varies from
>>> minimal (< 2%) in many cases to 10% or more for "non-dynamic" arrays on i686
>>
>> i686 becomes more or less dead
>>
>> there could be made a difference in SPEC-files to in border
>> cases only harden the x86_64 binaries because in context
>> of servers i686 is already dead except legacy systems which
>> are not relevant for recent fedora versions
>
> The usage of i686 user-mode software is *INCREASING*, especially on x86_64 machines
> which run a 64-bit kernel. The same amount of physical RAM can support several
> percent more simultaneous 32-bit user-mode processes before paging. 64-bit .text,
> pointers, and longs are larger. Only a few applications need a 64-bit address space.
> It will be many years before i686 user mode dies.

the machines below were all installed in 2008
this is five years ago
the machines did load-peaks only a few people saw in real-life
well many times and i rebuild ANY relevant package with PIE
last year we bought a DL380 with 2 x Xeon E5-2640 and 92 GB RAM
plus an additional CPU and 60 GB RAM for the other host by a
price of around 8000 € and you will explain to me that hacks like
PAE are growing?
[root@buildserver:~]$ distribute-command.sh "rpm -qa | grep x86_64 | wc -l; rpm -qa | grep i686 | wc -l"
--------------------------------------------------------------------------
896
0
411
0
335
0
279
0
283
0
368
0
217
0
218
0
344
0
342
0
237
0
239
0
399
0
335
0
344
0
895
0
279
0
283
0
368
0
>> * please do not argue with "but you need this and this AND this"
>> the experience of the last years shows how creative attackers
>> are acting with RANDOM input data
>
> I'm arguing the total expected benefit (integral over time of estimated
> exposure times expected prevented loss) versus actual cost (more machines,
> RAM, heat, [avoided] latency). I'm not convinced that PIE+RELRO
> is worth it except for a process with elevated privilege or extended lifetime.
>
> Please cite some documented cases where PIE and/or RELRO prevented or delayed
> an actual loss, or signaled with sufficient warning to be useful. Meanwhile
> I'm spending more each month to consume more resources because of PIE+RELRO
this is a naive approach
you CAN NOT measure a failed code-execution
you can only measure a successful intrusion and that only if you
take notice that it happened - looking in my firewall logs only
a few people out there are in the position having the knowledge
to notice intrusions on their machines