Expanding the list of "Hardened Packages"

Reindl Harald h.reindl at thelounge.net
Fri Mar 29 18:02:58 UTC 2013 

CC to the users list because this is a interesting topic at all

Am 29.03.2013 18:48, schrieb John Reiser:
>> Thinking from a security perspective, I find "Hardening flags can only
>> be disabled for other packages at the maintainer's discretion provided
>> enough justification is given to FESCo" to be more appropriate.
> 
> -fPIE code is larger and takes longer to execute.  The cost varies from
> minimal (< 2%) in many cases to 10% or more for "non-dynamic" arrays on i686

i686 becomes more or less dead

there could be made a difference in SPEC-files to in border
cases only harden the x86_64 binaries because in context
of servers i686 is already dead except legacy systems which
are not relevant for recent fedora versions

> -fPIE for Thumb mode on ARM is particularly painful.
> 
> RELRO can cost one extra page of physical RAM per process because the placement
> of the RELRO region tends to increase fragmentation and decrease sharability.
> 
> I suggest that any requirement for increased hardening be restricted to only
> those programs which execute with elevated privileges.  The package maintainer
> should retain primary discretion for anything which executes with "ordinary"
> user privileges

wrong point of view

the question is what data a binary is supposed to get as input
the "ordinary users privileges" doe snot help you much in case
of local root exploits and keep also in mind that in context of
network-serrvices or software which typically communicates
with foreign network-services a "local exploit" very fast
becomes a "remote exploit"

example:
* foreign user uploads images / pdf-files to a web-form
* on the server side imagemagick or poppler libs proceed the data
* if these libraries are vulerable by the input file and at the
  same moment a local root exploit is not fixed on the machine
  you are very soon in the situation of a root-exploit
* please do not argue with "but you need this and this AND this"
  the expierience of the last years shows how creative attackers
  are acting with RANDOM input data

yes performance matters

yes i am the first who likes optimized binaries
but NOT for the price of weaker security

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20130329/01109b6e/attachment.sig>

More information about the users mailing list