Hello Matthias,
We are currently setting -z now for slowdebug builds. That should be
removed if it's now set by default for all configs.
/Erik
On 2020-04-01 06:35, Baesken, Matthias wrote:
Hello, please review this binary hardening related change.
To improve binary hardening, we should enable full relro in the OpenJDK builds.
Currently our build settings enable only partial relro (they miss z,now).
See
https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro
"Both partial and full RELRO reorder the ELF internal data sections to protect
them from being overwritten in the event of a buffer-overflow,
but only full RELRO mitigates the above mentioned popular technique of overwriting
the GOT entry to get control of program execution."
See also:
https://wiki.debian.org/Hardening
Some documentation/blogs mention a slight performance impact of full relro (for
startup performance).
My quick checks on an example Linux server show not much impact (checked on
linux x86_64).
1) time on a java HelloWorld varies (for both a patched and unpatched
JDK) between 0,6 and 0,7 seconds;
2) perf runs on a java HelloWorld show a bit fewer cycles (not clear why)
but more instructions:
"normal JVM":
  185,085,660 cycles                  # 2.424 GHz ( +- 0.54% ) (83.18%)
  128,415,594 stalled-cycles-frontend # 69.38% frontend cycles idle ( +- 0.80% ) (80.98%)
   84,990,433 stalled-cycles-backend  # 45.92% backend cycles idle ( +- 1.78% ) (65.38%)
  102,950,894 instructions            # 0.56 insns per cycle
                                      # 1.25 stalled cycles per insn ( +- 1.48% ) (86.90%)
Changed JVM with z,now set:
  182,514,813 cycles                  # 2.394 GHz ( +- 0.58% ) (80.14%)
  126,879,112 stalled-cycles-frontend # 69.52% frontend cycles idle ( +- 0.81% ) (81.24%)
   82,691,295 stalled-cycles-backend  # 45.31% backend cycles idle ( +- 1.72% ) (69.16%)
  103,958,399 instructions            # 0.57 insns per cycle
                                      # 1.22 stalled cycles per insn ( +- 1.21% ) (89.47%)
Bug/webrev:
https://bugs.openjdk.java.net/browse/JDK-8241996
http://cr.openjdk.java.net/~mbaesken/webrevs/8241996.0/
Best regards, Matthias