Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Debian Development (http://www.linux-archive.org/debian-development/)
-   -   Do not blindly enable PIE (http://www.linux-archive.org/debian-development/590168-do-not-blindly-enable-pie.html)

Matthias Klose 10-22-2011 09:46 PM

Do not blindly enable PIE
 
> Two hardening features are not enabled by default: PIE and bindnow.
> If your package supports PIE, you might want to consider enabling it.

You should not blindly enable PIE, even if the package seems to support it. PIE
can have runtime performance impacts up to 25% for some binaries on some
architectures, so a package developer really should test builds, not just on
ix86 architectures before enabling such a feature.

I don't see that PIE is even recommended by the hardening team for general
usage, so I don't know why the dpkg developers make such a recommendation at
all. At least some members of the hardening team do know about these
regressions, but I can't see these documented in some place. Having some
security features enabled by default does have its merits, but if it comes with
a price like that, it should be limited to chosen packages and architectures,
not enabled by default.

Matthias

Michael Gilbert 10-22-2011 10:18 PM

Do not blindly enable PIE
 
On Sat, Oct 22, 2011 at 5:46 PM, Matthias Klose wrote:
>> * Two hardening features are not enabled by default: PIE and bindnow.
>> * If your package supports PIE, you might want to consider enabling it.
>
> You should not blindly enable PIE, even if the package seems to support it. *PIE
> can have runtime performance impacts up to 25% for some binaries on some
> architectures, so a package developer really should test builds, not just on
> ix86 architectures before enabling such a feature.
>
> I don't see that PIE is even recommended by the hardening team for general
> usage, so I don't know why the dpkg developers make such a recommendation at
> all. *At least some members of the hardening team do know about these
> regressions, but I can't see these documented in some place. *Having some
> security features enabled by default does have its merits, but if it comes with
> a price like that, it should be limited to chosen packages and architectures,
> not enabled by default.

25% is a worst-case result seen in very few packages (I think that
comes from a python unit test?). Better to let maintainers make their
own choices, and have the option to revert it if user's really
complain. Anyway, the real reason not to enable PIE yet is that there
are currently some issues that GDB has with PIE executables.

Best wishes,
Mike


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: CANTw=MOc1sM-j0M54mpmdijE2wU6B37qcV7pepykYtHYTmtmdA@mail.gmail. com">http://lists.debian.org/CANTw=MOc1sM-j0M54mpmdijE2wU6B37qcV7pepykYtHYTmtmdA@mail.gmail. com


All times are GMT. The time now is 03:46 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.