Do not blindly enable PIE [was: Bits from dpkg developers - dpkg 1.16.1]

To: debian-devel-announce@lists.debian.org
Subject: Do not blindly enable PIE [was: Bits from dpkg developers - dpkg 1.16.1]
From: Matthias Klose <doko@debian.org>
Date: Sat, 22 Oct 2011 23:46:19 +0200
Message-id: <[🔎] 4EA339AB.9010705@debian.org>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <20110923061754.GA11781@rivendell.home.ouaza.com>
References: <20110923061754.GA11781@rivendell.home.ouaza.com>

>   Two hardening features are not enabled by default: PIE and bindnow.
>   If your package supports PIE, you might want to consider enabling it.

You should not blindly enable PIE, even if the package seems to support it.  PIE
can have runtime performance impacts up to 25% for some binaries on some
architectures, so a package developer really should test builds, not just on
ix86 architectures before enabling such a feature.

I don't see that PIE is even recommended by the hardening team for general
usage, so I don't know why the dpkg developers make such a recommendation at
all.  At least some members of the hardening team do know about these
regressions, but I can't see these documented in some place.  Having some
security features enabled by default does have its merits, but if it comes with
a price like that, it should be limited to chosen packages and architectures,
not enabled by default.

  Matthias

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Re: Do not blindly enable PIE [was: Bits from dpkg developers - dpkg 1.16.1]
  - From: Michael Gilbert <michael.s.gilbert@gmail.com>

Prev by Date: Bug#646255: ITP: gnome-online-accounts -- GNOME Online Accounts
Next by Date: Re: Do not blindly enable PIE [was: Bits from dpkg developers - dpkg 1.16.1]
Previous by thread: Bug#646255: ITP: gnome-online-accounts -- GNOME Online Accounts
Next by thread: Re: Do not blindly enable PIE [was: Bits from dpkg developers - dpkg 1.16.1]
Index(es):
- Date
- Thread