Hauke Mehrtens <ha...@hauke-m.de> writes: > On 2/13/19 11:51 PM, Felix Fietkau wrote: >> On 2019-02-13 23:15, Hauke Mehrtens wrote: >>> This will build all executable as Position Independent Executables (PIE) >>> by default. PIE executable can make full use of Address Space Layout >>> Randomization (ASLR) because all sections can be placed at random >>> offsets of the executed program. This makes it harder to exploit bugs >>> in our binaries. >>> >>> This will increase the size of executable, libraries are already build >>> position independent and their size will not change. >>> >>> This increases the size of the resulting images by about 3% on MIPS BE. >>> I tested this with the default configuration for the lantiq xrx200 >>> target. >>> >>> The size of the initramfs binaries increased by 2.88%: >>> Without PIE: >>> 5.303.716 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin >>> With PIE: >>> 5.456.339 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin >>> >>> With PIE activated the executable are getting bigger, here are some >>> examples from the lantiq mips_24kc target: >>> >>> Without PIE: >>> 112.309 /bin/opkg >>> 299.061 /bin/busybox >>> 456.549 /usr/sbin/wpad >>> >>> With PIE: >>> 142.496 /bin/opkg (26.87% increase) >>> 388.404 /bin/busybox (29.87% increase) >>> 580.128 /usr/sbin/wpad (27.06% increase) >>> >>> With PIE activated the sections of the binaries are loaded to >>> different offsets for each program instance like shown here: >>> >>> root@OpenWrt:/# cat /proc/self/maps >>> 555c4000-55622000 r-xp 00000000 00:02 1030 /bin/busybox >>> 55631000-55632000 r-xp 0005d000 00:02 1030 /bin/busybox >>> 55632000-55633000 rwxp 0005e000 00:02 1030 /bin/busybox >>> 55633000-55634000 rwxp 00000000 00:00 0 >>> 77ee2000-77f04000 r-xp 00000000 00:02 331 /lib/libgcc_s.so.1 >>> 77f04000-77f05000 r-xp 00012000 00:02 331 /lib/libgcc_s.so.1 >>> 77f05000-77f06000 rwxp 00013000 00:02 331 /lib/libgcc_s.so.1 >>> 77f06000-77f9a000 r-xp 00000000 00:02 329 /lib/libc.so >>> 77fa9000-77fab000 rwxp 00093000 00:02 329 /lib/libc.so >>> 77fab000-77fad000 rwxp 00000000 00:00 0 >>> 7fb26000-7fb47000 rw-p 00000000 00:00 0 [stack] >>> 7fefb000-7fefc000 r-xp 00000000 00:00 0 >>> 7ff0a000-7ff0b000 r--p 00000000 00:00 0 [vvar] >>> 7ff0b000-7ff0c000 r-xp 00000000 00:00 0 [vdso] >>> root@OpenWrt:/# cat /proc/self/maps >>> 5561d000-5567b000 r-xp 00000000 00:02 1030 /bin/busybox >>> 5568a000-5568b000 r-xp 0005d000 00:02 1030 /bin/busybox >>> 5568b000-5568c000 rwxp 0005e000 00:02 1030 /bin/busybox >>> 5568c000-5568d000 rwxp 00000000 00:00 0 >>> 77e8e000-77eb0000 r-xp 00000000 00:02 331 /lib/libgcc_s.so.1 >>> 77eb0000-77eb1000 r-xp 00012000 00:02 331 /lib/libgcc_s.so.1 >>> 77eb1000-77eb2000 rwxp 00013000 00:02 331 /lib/libgcc_s.so.1 >>> 77eb2000-77f46000 r-xp 00000000 00:02 329 /lib/libc.so >>> 77f55000-77f57000 rwxp 00093000 00:02 329 /lib/libc.so >>> 77f57000-77f59000 rwxp 00000000 00:00 0 >>> 7fd1c000-7fd3d000 rw-p 00000000 00:00 0 [stack] >>> 7fefb000-7fefc000 r-xp 00000000 00:00 0 >>> 7ff60000-7ff61000 r--p 00000000 00:00 0 [vvar] >>> 7ff61000-7ff62000 r-xp 00000000 00:00 0 [vdso] >>> root@OpenWrt:/# >>> >>> Signed-off-by: Hauke Mehrtens <ha...@hauke-m.de> >>> --- >>> >>> I would like to get some comments if we should activate PIE by default. >>> The advantage is that it will be harder to exploit OpenWrt, but on the >>> other hand the binaries are getting bigger. We could also restrict this >>> to some CPU types, but as targets share the binaries it is not really >>> possible to do this based on the target. >>> >>> I am not sure if this should go into the next release or wait for later. >>> >>> This could also break some packages, as it is possible to activate PIE >>> by default for some time many bugs are already fixed, but probably not >>> all of them. >> I think this is a lot of extra bloat. Maybe we can add a restricted PIE >> mode where packages can opt-in individually? > > So we should probably make it a chose with 3 options: > 1. No PIE > 2. Use PIE for exposed binaries > 3. Use PIE for all binaries
I hate that we have to make choices like this for space reasons. Option 2 will help but means attackers will try to go after something else. By exposed, you mean "on the network", I guess? > > Then we need something in addition to the existing PKG_ASLR_PIE we > already have to deactivate it. > > Do we want a generic name like this: > PKG_CRITICAL > or something specific to PIE: > PKG_ASLR_PIE_PREFERED > > Hauke > > _______________________________________________ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > https://lists.openwrt.org/mailman/listinfo/openwrt-devel _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel