On 09/07/2013 05:11 PM, Ryan Hill wrote:
On Sat, 7 Sep 2013 18:10:42 +0000 (UTC)
Martin Vaeth <va...@mathematik.uni-wuerzburg.de> wrote:

Ryan Hill <dirtye...@gentoo.org> wrote:
* -fstack-protector{-all}
No thank you.  -fstack-protector has very limited coverage
I'd say it covers most cases where bugs can be made,
practically without a severe impact on execution time or code size.
The numbers I've seen show a maximum of 5% coverage for code that has a large
number of functions containing char arrays on the stack.  Most code doesn't fall
into that category.  Coverage of perl was 0.5%, xorg 5%, kernel 3%.  Those are
really old numbers though.  The most recent I've seen is Chromium's coverage is
<2%.  There is an upper bound of 8% performance overhead using -fstack-protector
according to the design spec.  If you guys are okay with that then we can try
enabling it for 4.8.1.

* -Wl,-z,relro
Enabled by default since binutils 2.18
This gives its real impact on security only when combined with

* -Wl,-z,now

The latter is not enabled by default AFAIK.
That's a bit misleading.  Immediate binding does allow the GOT to be made
readonly but relro does a lot more than that.  In any case this is a firm no.
The increase in loading times for apps that link lots of libraries is
significant (if it wasn't, we wouldn't need lazy loading :p).  If you want full
relro, enable it yourself or use hardened.

I would like to suggest also another flag

* -Wl,-z,noexecstack

This should be the default, but e.g. some broken gcc versions
forgot this default when using -flto.
I have been using this flag since I realized this -flto bug and have never
had any problems with it.
Well, portage will already tell you if your package installed any binaries with
executable stacks and I don't see many of those warnings that aren't binary
packages so I think we're good.

* -Wl,--hash-style={both,gnu}
I don't know what this has to do with security.
I'm just responding to the list on the Ubuntu page.

However, isn't it time to use "gnu" now for all users?  Except for
very strange binary-only code it should not cause any problems.
The majority of users would not realize a difference but profit
from smaller binaries.
Sure, but the sysv hash is teeny and backward compatibility is always nice if
it's next to free.

Here are some more resources if anyone is interested:

https://wiki.debian.org/Hardening
https://bugs.archlinux.org/task/18864
https://wiki.gentoo.org/wiki/Project:Hardened/GNU_stack_quickstart
http://tk-blog.blogspot.ca/2009/02/relro-not-so-well-known-memory.html


The hardened team has talked about this in IRC and our general feeling is that adding *just* ssp to vanilla gcc specs is okay. While there are some performance hits, it is generally safe and should cause few problems for our users. The other hardened features, however, have more of an impact and probably don't belong in vanilla, as already discussed.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : bluen...@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA
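The flags argued over in this thread (-z relro with or without -z now, -z noexecstack, -fstack-protector, --hash-style) all leave traces in the finished ELF, so they can be audited on installed binaries. The following is an added shell example, not code from the thread or from Gentoo; it assumes GNU binutils `readelf` and a POSIX `awk`, and the function names and the two constructed readelf excerpts are mine.

```shell
#!/bin/sh
# Added example, not from the thread: classify an ELF binary against the flags
# discussed above by parsing `readelf -W -l -d -s` output (assumes GNU binutils).
# Output: relro=full|partial|none nx=yes|no ssp=yes|no hash=gnu|sysv|both|none

# parse_hardening: reads readelf output on stdin, prints one summary line.
parse_hardening() {
    awk '
    /GNU_RELRO/        { relro = 1 }
    /GNU_STACK/        { stack = 1; if ($0 ~ /RWE/) execstack = 1 }
    /\(FLAGS\)/        { if ($0 ~ /BIND_NOW/) now = 1 }
    /\(FLAGS_1\)/      { if ($0 ~ /NOW/) now = 1 }
    /\(GNU_HASH\)/     { gnuhash = 1 }
    /\(HASH\)/         { sysvhash = 1 }
    /__stack_chk_fail/ { ssp = 1 }
    END {
        # the GOT stays writable unless RELRO and immediate binding (-z now) meet
        relro_s = (relro && now) ? "full" : (relro ? "partial" : "none")
        # no PT_GNU_STACK header at all is treated like an executable stack
        nx_s = (stack && !execstack) ? "yes" : "no"
        # __stack_chk_fail only proves that at least one function was protected
        ssp_s = ssp ? "yes" : "no"
        hash_s = (gnuhash && sysvhash) ? "both" : (gnuhash ? "gnu" : (sysvhash ? "sysv" : "none"))
        printf "relro=%s nx=%s ssp=%s hash=%s\n", relro_s, nx_s, ssp_s, hash_s
    }'
}

# check_file: summarise a real binary on disk.
check_file() { readelf -W -l -d -s "$1" | parse_hardening; }

# Constructed readelf excerpt: full RELRO, non-exec stack, SSP, --hash-style=gnu.
sample_hardened() {
cat <<'EOF'
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x002d98 0x0000000000003d98 0x0000000000003d98 0x000268 0x000268 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
 0x000000006ffffef5 (GNU_HASH)           0x3a0
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
EOF
}
# Constructed excerpt: lazy binding (partial RELRO), executable stack, no SSP, sysv hash.
sample_weak() {
cat <<'EOF'
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10
  GNU_RELRO      0x002d98 0x0000000000003d98 0x0000000000003d98 0x000268 0x000268 R   0x1
 0x0000000000000004 (HASH)               0x2a8
EOF
}
if [ $# -gt 0 ]; then for f in "$@"; do printf '%s: ' "$f"; check_file "$f"; done; fi
```

Run it as `sh check.sh /usr/bin/*` to see which installed binaries have only partial RELRO or lack the protector; the `ssp` column says nothing about how many functions were covered, which is exactly the coverage question raised above.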

