On 10/28/19 10:14 AM, Daniel Engberg wrote: > On 2019-10-27 18:44, Hauke Mehrtens wrote: >> This is a follow up patch on this discussion on the mailing list: >> https://patchwork.ozlabs.org/patch/1041647/ >> >> This allows to activate PIE only for some packages where we thing it is >> necessary and not only globally for all of them. >> >> Hauke Mehrtens (6): >> buildsystem: Make PIE ASLR option tristate >> dnsmasq: Activate PIE by default >> dropbear: Activate PIE by default >> hostapd: Activate PIE by default >> uhttpd: Activate PIE by default >> lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers >> >> config/Config-build.in | 22 ++++++++++++++++---- >> include/hardening.mk | 9 +++++++- >> package/kernel/lantiq/ltq-adsl/Makefile | 1 - >> package/kernel/lantiq/ltq-ifxos/Makefile | 1 - >> package/kernel/lantiq/ltq-tapi/Makefile | 1 - >> package/kernel/lantiq/ltq-vdsl-mei/Makefile | 2 -- >> package/kernel/lantiq/ltq-vdsl/Makefile | 1 - >> package/kernel/lantiq/ltq-vmmc/Makefile | 1 - >> package/network/config/ltq-vdsl-app/Makefile | 1 - >> package/network/services/dnsmasq/Makefile | 1 + >> package/network/services/dropbear/Makefile | 1 + >> package/network/services/hostapd/Makefile | 1 + >> package/network/services/uhttpd/Makefile | 1 + >> 13 files changed, 30 insertions(+), 13 deletions(-) > > I think ASLRs value needs to be evaluated especially due to the > performance penalty (hostapd mainly in that regard) and not to forget > size increase depending on for how long OpenWrt intends to keep 8Mbyte > devices around as 4Mbyte devices are more or less unsupported by now. > It's probably a better idea to only enable it on aarch64 and x86-64 > where size isn't as much of a concern and where it probably(?) receives > most exposure to avoid uncessary breakage. > > http://intx0x80.blogspot.com/2018/04/bypass-aslrnx-part-1.html > https://svnweb.freebsd.org/base?view=revision&revision=343964 > Might also be worth taking into consideration. > > Best regards, > Daniel
Yes ASLR is not preventing any exploits it just makes it harder for an attacker like most other mechanisms too. Especially on 32 bit platforms like MIPS 32 bit and ARM 32 bit we only use 8 bit of the address for ASLR, on 64 bit platforms this feature is a lot more useful as we have a lot more bits. I am wondering why the kernel takes CONFIG_ARCH_MMAP_RND_BITS_MIN as the default for CONFIG_ARCH_MMAP_RND_BITS and not the max value, on MIPS 32 bit min is 8 bits and max is 16 bit. https://elixir.bootlin.com/linux/v4.19.79/source/arch/Kconfig#L598 Do you know any benchmark results measuring the performance penalty of ASLR and PIE? Hauke
signature.asc
Description: OpenPGP digital signature
_______________________________________________ openwrt-devel mailing list [email protected] https://lists.openwrt.org/mailman/listinfo/openwrt-devel
