Expanding the list of "Hardened Packages"

Reindl Harald h.reindl at thelounge.net
Fri Mar 29 22:20:25 UTC 2013



On 29.03.2013 23:07, John Reiser wrote:
> On 03/29/2013, Reindl Harald wrote:
> 
>>> -fPIE code is larger and takes longer to execute.  The cost varies from
>>> minimal (< 2%) in many cases to 10% or more for "non-dynamic" arrays on i686
>>
>> i686 becomes more or less dead
>>
>> there could be made a difference in SPEC-files to in border
>> cases only harden the x86_64 binaries because in context
>> of servers i686 is already dead except legacy systems which
>> are not relevant for recent fedora versions
> 
> The usage of i686 user-mode software is *INCREASING*, especially on x86_64 machines
> which run a 64-bit kernel.  The same amount of physical RAM can support several
> percent more simultaneous 32-bit user-mode processes before paging.  64-bit .text,
> pointers, and longs are larger.  Only a few applications need a 64-bit address space.
> It will be many years before i686 user mode dies.

the machines below were all installed in 2008
that is five years ago

the machines did load-peaks only a few people saw in real-life
well many times and i rebuild ANY relevant package with PIE

last year we bought a DL380 with 2 x Xeon E5-2640 and 92 GB RAM
plus an additional CPU and 60 GB RAM for the other host at a
price of around 8000 € and you will explain to me that hacks like
PAE are growing?

[root@buildserver:~]$ distribute-command.sh "rpm -qa | grep x86_64 | wc -l; rpm -qa | grep i686 | wc -l"

--------------------------------------------------------------------------

896
0

411
0

335
0

279
0

283
0

368
0

217
0

218
0

344
0

342
0

237
0

239
0

399
0

335
0

344
0

895
0

279
0

283
0

368
0

>> * please do not argue with "but you need this and this AND this"
>>   the experience of the last years shows how creative attackers
>>   are acting with RANDOM input data
> 
> I'm arguing the total expected benefit (integral over time of estimated
> exposure times expected prevented loss) versus actual cost (more machines,
> RAM, heat, [avoided] latency).  I'm not convinced that PIE+RELRO
> is worth it except for a process with elevated privilege or extended lifetime.
> 
> Please cite some documented cases where PIE and/or RELRO prevented or delayed
> an actual loss, or signaled with sufficient warning to be useful.  Meanwhile
> I'm spending more each month to consume more resources because of PIE+RELRO

this is a naive approach
you CAN NOT measure a failed code-execution

you can only measure a successful intrusion and that only if you
take notice that it happened - looking in my firewall logs only
a few people out there are in the position having the knowledge
to notice intrusions on their machines
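
For readers who want to check which binaries actually carry the PIE and RELRO hardening debated in this thread, the following is an added example, not part of the original message or of any Fedora tooling. It reads the ELF program headers and dynamic section for both i686 and x86_64 images; `elf_hardening` and `build_sample` are hypothetical names, and the sample images are constructed in the code.

```python
import struct

PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO, ET_DYN = 2, 3, 0x6474E552, 3
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

def elf_hardening(data):
    """Return (is_pie, relro) for a little-endian ELF image; relro is none, partial or full."""
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("not a little-endian ELF image")
    is64 = data[4] == 2  # EI_CLASS: 1 = 32-bit (i686), 2 = 64-bit (x86_64)
    word, phoff_at, phent_at, off_at, size_at = ("<Q", 32, 54, 8, 32) if is64 else ("<I", 28, 42, 4, 16)
    dyn = struct.Struct("<QQ" if is64 else "<II")
    e_type, = struct.unpack_from("<H", data, 16)
    phoff, = struct.unpack_from(word, data, phoff_at)
    phentsize, phnum = struct.unpack_from("<HH", data, phent_at)
    interp = relro = bind_now = pie_flag = False
    for base in (phoff + i * phentsize for i in range(phnum)):
        p_type, = struct.unpack_from("<I", data, base)
        interp |= p_type == PT_INTERP
        relro |= p_type == PT_GNU_RELRO
        if p_type != PT_DYNAMIC:
            continue
        start, = struct.unpack_from(word, data, base + off_at)
        size, = struct.unpack_from(word, data, base + size_at)
        blob = data[start:start + size]
        for tag, val in dyn.iter_unpack(blob[:len(blob) - len(blob) % dyn.size]):
            if tag == 0:  # DT_NULL ends the dynamic section
                break
            bind_now |= tag == DT_BIND_NOW or (tag == DT_FLAGS and bool(val & DF_BIND_NOW))
            bind_now |= tag == DT_FLAGS_1 and bool(val & DF_1_NOW)
            pie_flag |= tag == DT_FLAGS_1 and bool(val & DF_1_PIE)
    # Heuristic: PIE programs and libraries are both ET_DYN; PT_INTERP or DF_1_PIE marks a program.
    return e_type == ET_DYN and (interp or pie_flag), ("full" if bind_now else "partial") if relro else "none"

def build_sample(is64, e_type, interp, relro, dyn_tags):
    """Constructed test image: ELF header, program headers, then a dynamic section."""
    ehsize, phsize = (64, 56) if is64 else (52, 32)
    types = [PT_DYNAMIC] + [PT_INTERP] * interp + [PT_GNU_RELRO] * relro
    dyn = b"".join(struct.pack("<QQ" if is64 else "<II", t, v) for t, v in dyn_tags + [(0, 0)])
    dyn_off = ehsize + phsize * len(types)
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1]) + bytes(9)
    if is64:
        hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, ehsize, 0, 0, ehsize, phsize, len(types), 0, 0, 0)
        phs = b"".join(struct.pack("<IIQQQQQQ", t, 4, dyn_off, 0, 0, len(dyn), len(dyn), 8) for t in types)
    else:
        hdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0, ehsize, 0, 0, ehsize, phsize, len(types), 0, 0, 0)
        phs = b"".join(struct.pack("<IIIIIIII", t, dyn_off, 0, 0, len(dyn), len(dyn), 4, 4) for t in types)
    return hdr + phs + dyn
```

To audit a real file, pass its bytes, for example `elf_hardening(open(path, "rb").read())`; a result of `(False, "partial")` corresponds to a non-PIE executable with only partial RELRO.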
