On 7/18/11 10:26 PM, Gábor Lénárt wrote:

>> PIC-related slowdown is about 5% (or less) on x86 on my test
>> including both multimedia and crypto operations.

> And if I compile it "by hand" anyway, it can be
> called nice to eliminate this, even if it only gives 5% or even just
> 0.1% :)

There is a 'performance' vs. 'security' trade-off here. PIC/PIE compiling has been introduced for a reason: it usually increases the resilience against the damage done by certain attacks on security vulnerabilities in code:

> PIE stands for 'Position Independent Executable' and describes a
> function where the operating system can load certain parts of the
> application at random positions inside the computer's address space.
> In some attacks the attacker needs to know beforehand on which memory
> location a data structure will be loaded (e.g. to jump into code that
> has been written using a buffer overflow). By having the operating
> system load the program code into different locations every time, the
> attacker cannot predict the memory location, which makes it harder to
> write a successful exploit.

http://blog.atariwiki.strotmann.de/roller/dnsworkshop/date/20110703

If you run Unbound in an untrusted network (e.g. Internet), having Unbound PIC/PIE compiled might be a good idea from a security point of view.

--
Carsten

Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
