Re: Bits from dpkg developers - dpkg 1.16.1
On Wed, Sep 28, 2011 at 10:52:15PM +0300, Riku Voipio wrote:
> On Tue, Sep 27, 2011 at 06:01:54PM -0700, Kees Cook wrote:
> > Just to be explicit, PIE tends to have small (<1%) performance hits on
> > register-starved architectures (i386) in most cases, for for certain work
> > loads (e.g. python) the hit is large (~15%). On architectures with plenty
> > of registers (amd64) there's virtually no measurable performance hit that
> > I've seen.
>
> > If your package handles 3rd party data of any kind (renders, network
> > daemons, file parsers, etc), I strongly recommend enabling PIE.
>
> However, on 32bit architectures address space randomizing (which is why
> people try sell PIE as a security feature) does not add much security.
>
> http://benpfaff.org/papers/asrandom.pdf
This paper does a great job demonstrating why ASLR is only a statistical
protection. (And that on small address space systems, the protection is
more limited.) This does not, however, detract from the fact that it's still
another layer that needs to be bypassed by an attacker. The effects of the
bypass attempt also change based on the environment. Is it the kernel
itself? Frequently you can't just try again since the machine will have
fallen over. Attacking a respawning daemon? Suddenly the attack shows up as
a spike in respawns, etc.
No security protection is a silver bullet, and ASLR is no different. That
said, weighing the potential benefit (which is non-zero) against possible
performance impacts is up to the maintainer. I would opt for adding a
protection in almost all cases. I'd like to see PIE enabled for all amd64
builds, but one step at a time. :)
-Kees
--
Kees Cook @debian.org
Reply to: