Re: Do not blindly enable PIE [was: Bits from dpkg developers - dpkg 1.16.1]
On Sat, Oct 22, 2011 at 5:46 PM, Matthias Klose wrote:
>> Two hardening features are not enabled by default: PIE and bindnow.
>> If your package supports PIE, you might want to consider enabling it.
> You should not blindly enable PIE, even if the package seems to support it. PIE
> can have runtime performance impacts up to 25% for some binaries on some
> architectures, so a package developer really should test builds, not just on
> ix86 architectures before enabling such a feature.
> I don't see that PIE is even recommended by the hardening team for general
> usage, so I don't know why the dpkg developers make such a recommendation at
> all. At least some members of the hardening team do know about these
> regressions, but I can't see these documented in some place. Having some
> security features enabled by default does have its merits, but if it comes with
> a price like that, it should be limited to chosen packages and architectures,
> not enabled by default.
25% is a worst-case result seen in very few packages (I think that
comes from a python unit test?). Better to let maintainers make their
own choices, and have the option to revert it if users really
complain. Anyway, the real reason not to enable PIE yet is that there
are currently some issues that GDB has with PIE executables.
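A defender-side check for the two features discussed in the thread, added here as an example and not code from the thread or from dpkg: it parses a binary's ELF header and dynamic section to report whether the build came out PIE and bindnow-linked, which is how a maintainer can confirm what a test build actually produced on each architecture before enabling the flags. It assumes little-endian ELF64 input, and the sample images are constructed in-line so the check runs without a toolchain.

```python
import struct

# ELF constants used by the check (values from the ELF gABI / glibc elf.h).
ET_EXEC, ET_DYN = 2, 3          # e_type: fixed-address executable vs position-independent
PT_INTERP, PT_DYNAMIC = 3, 2    # program headers: interpreter path, dynamic section
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1  # bits -Wl,-z,now sets in DT_FLAGS / DT_FLAGS_1

def hardening_flags(elf):
    """Return {'pie': bool, 'bindnow': bool} for a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", elf, 16)[0]
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    has_interp, flags, flags_1 = False, 0, 0
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        has_interp |= p_type == PT_INTERP
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, 16):
            tag, val = struct.unpack_from("<qQ", elf, off)
            if tag == DT_NULL:
                break
            if tag == DT_FLAGS:
                flags = val
            elif tag == DT_FLAGS_1:
                flags_1 = val
    # ET_DYN alone also matches shared libraries; PT_INTERP marks an executable.
    return {"pie": e_type == ET_DYN and has_interp,
            "bindnow": bool(flags & DF_BIND_NOW or flags_1 & DF_1_NOW)}

def build_sample_elf(e_type, dyn):
    """Construct a minimal, non-loadable ELF64 image (header, PT_INTERP,
    PT_DYNAMIC) so the check can be exercised without a toolchain."""
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
    dyn_off = 64 + 56 * 2  # the dynamic entries follow the two program headers
    header = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0,
                         len(dyn_bytes), len(dyn_bytes), 8)
    return header + phdrs + dyn_bytes

if __name__ == "__main__":
    # Constructed images: a conventional build versus one linked -pie -Wl,-z,now.
    print(hardening_flags(build_sample_elf(ET_EXEC, [])))
    print(hardening_flags(build_sample_elf(ET_DYN, [(DT_FLAGS_1, DF_1_NOW)])))
```

To inspect a real package's binary, pass `open(path, "rb").read()` to `hardening_flags`; a plain shared library will report `pie` as False because it carries no PT_INTERP.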