[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bits from dpkg developers - dpkg 1.16.1

On Fri, Sep 23, 2011 at 08:17:54AM +0200, Raphael Hertzog wrote:
>   Two hardening features are not enabled by default: PIE and bindnow.
>   If your package supports PIE, you might want to consider enabling it.
>   If the binaries are long running processes like daemons, and as such
>   the startup performance penalty of “bindnow” is acceptable, it might
>   be a good idea to enable it too but only if relro is in effect,
>   although another option might be to just define LD_BIND_NOW=1 on the
>   daemon's environment (for example in the init.d script), in which case
>   the sysadmin can always disable it, something that's not possible with
>   the build option.

Just to be explicit, PIE tends to have small (<1%) performance hits on
register-starved architectures (i386) in most cases, for for certain work
loads (e.g. python) the hit is large (~15%). On architectures with plenty
of registers (amd64) there's virtually no measurable performance hit that
I've seen.

If your package handles 3rd party data of any kind (renders, network
daemons, file parsers, etc), I strongly recommend enabling PIE.

And, if you enable PIE, please enable bindnow too. The start-up
performance hit of bindnow isn't measurable on most architectures. Some
much slower ones can see problems (early ARM).

It's possible that PIE and/or bindnow may be enabled by default for certain
architectures in the future.

If your package is using hardening-wrapper or hardening-includes, you were
effectively using "+pie,+bindnow", so when converting, please continue to
build with PIE and bindnow. :)



Kees Cook                                            @debian.org

Reply to: