F22 System Wide Change: Harden all packages with position-independent code

Dhiru Kholia dhiru.kholia at gmail.com
Thu Jan 8 10:09:23 UTC 2015


On Wed, 7 Jan 2015, Till Maas wrote:

> On Wed, Jan 07, 2015 at 08:30:03AM -0500, Josh Boyer wrote:
>
> > We just went over something very much like this for x86_64 packages
> > with FESCo ticket 1113:
> >
> > https://fedorahosted.org/fesco/ticket/1113
> >
> > Could you perhaps review that and elaborate on the differences between
> > that proposal and this one if there are any?  Additionally, could you
> > cover any of the concerns listed there that apply to this proposal?
>
> I proposed to make it the default for all archs and not only x86_64.
> From what I understand, the only reason it was not accepted is because
> it was felt that the performance penalty is not worth the security gains
> from this. I do not have objective numbers about how many exploits
> that happened could be prevented with PIE and how much effort it took to
> clean up after exploits compared to how much the performance penalty for
> PIE costs. However, the experts that I talked to about this think the
> protection is worth it. I was also told that there were exploits where
> PIE helped to mitigate them. Nevertheless, thank you for
> the ticket link, it contains a lot of interesting information. However
> it is said that even though the packaging guidelines were mentioned
> there, they were kept in an unclear/contradictory state. But this is
> also a new data point, even though it was highlighted more than 20 months
> ago to FESCo, there are still a lot of packages violating the Guideline,
> which shows that the current process does not really work. And if PIE is
> not really considered to be worth it, the guidelines should be adjusted to
> reflect this. Currently it does not seem to be the case that most/all
> packages that should be using PIE do not use it because maintainers
> actively decided against it, but just because it is not the default. The
> criteria for this is:
>
> |     Your package accepts/processes untrusted input.
>
> This seems to be about every package that I use, because most if not
> all tools process untrusted data from the Internet.

+1. This view is rapidly gaining traction and visibility in recent times.

...

Here are some more facts to support PIE (from https://github.com/kholia/PIE-stuff)

iOS 4.3 or later, and OS X 10.7 or later, fully support PIE executables;
moreover, applications submitted for distribution via Apple's App Store
are required to be fully position-independent.

Starting with Android 4.1, Google is forcing "full ASLR" (PIE) to
overcome common security exploits.

In OpenBSD, the amd64 and other platforms have been switched to PIE
(position-independent executables) by default.

Google Chrome and Opera binaries for Linux are already PIE. Firefox
folks are already looking at support and/or enabling PIE.

Isn't the browser the place where your "primary computation" (aka FB) now
happens? ;)

The original GitHub repository should have more information, references,
and some tools.

In short, PIE is compulsorily required on mobile phones, which are
limited CPU- and battery-wise. If the mobile vendors can afford to enable
PIE (by default) on their "consumer-grade" products, I believe that we
can do a bit better (on AMD64 servers).

I am currently lacking free time (and energy) to drive the original
FESCo proposal forward. It's awesome to see other folks driving this
now. Thanks guys!

Dhiru
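The check behind the "packages violating the Guideline" point in the quoted mail, added here as an example and not code from this thread or from the kholia/PIE-stuff repository: it reads the ELF header and program headers to tell a fixed-address executable (ET_EXEC) from a PIE (ET_DYN carrying PT_INTERP) and from a plain shared library, with minimal ELF images constructed inline as sample input. It assumes dynamically linked binaries; a static-pie has no PT_INTERP and would need a DT_FLAGS_1 check this example omits.

```python
import struct

ET_EXEC, ET_DYN = 2, 3   # e_type: fixed-address executable vs. relocatable image
PT_INTERP = 3            # program header that names the dynamic loader

def classify_elf(data: bytes) -> str:
    """Classify an ELF image from its headers alone (no disassembly needed)."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return "not ELF"
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if e_type == ET_EXEC:
        return "non-PIE executable"
    if e_type != ET_DYN:
        return "other"
    # ET_DYN covers both libraries and PIEs; a dynamically linked PIE is the
    # one with PT_INTERP. Caveat: static-pie has none and lands in "shared library".
    if is64:
        e_phoff = struct.unpack_from(end + "Q", data, 0x20)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        e_phoff = struct.unpack_from(end + "I", data, 0x1c)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2a)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break
        if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
            return "PIE executable"
    return "shared library"

def scan(paths):
    """Map each file path to its classification, e.g. over /usr/bin/* to list non-PIE binaries."""
    result = {}
    for p in paths:
        with open(p, "rb") as f:
            result[p] = classify_elf(f.read())
    return result

def build_elf64(e_type: int, p_types) -> bytes:
    """Constructed minimal little-endian x86-64 ELF image (header plus empty phdrs, no code)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                              64, 56, len(p_types), 64, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0)
                          for t in p_types)
```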
