On Wed, Sep 07, 2011 at 11:55:19AM +0200, Raphael Hertzog wrote: > On Wed, 07 Sep 2011, Raphael Hertzog wrote: > > I'll also try to push today or tomorrow the code enabling hardening > > build flags as Kees sent me his documentation patch. > > Here's what I'm going to push in case anyone feels like reviewing it > quickly (I'm waiting some final feedback from Kees).
Looks good, with a small change below. (Did I miss an email? What final feedback was wanted?) > diff --git a/man/dpkg-buildflags.1 b/man/dpkg-buildflags.1 > index b8dcd43..74bddad 100644 > --- a/man/dpkg-buildflags.1 > +++ b/man/dpkg-buildflags.1 ... > +gain ASLR. When this happens, ROP (Return Oriented Programming) attacks > +are much harder since there are no static locations to bounce off of > +during a memory corruption attack. > +.TP > +.PP > +This is not compatible with \fB-fPIC\fP so care must be taken when > +building shared objects. > +.TP > +.PP These TP/PP's should probably just be a blank line? My attempts at an indented paragraph break don't actually seem to work right. > +Additionally, since PIE is implemented via a general register, some > +architectures (most notably i386) can see performance losses of up to > +15% in very text-segment-heavy application workloads; most workloads Thanks! -Kees -- Kees Cook @debian.org -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
