
Re: Hardening patch

On Wed, Sep 07, 2011 at 11:55:19AM +0200, Raphael Hertzog wrote:
> On Wed, 07 Sep 2011, Raphael Hertzog wrote:
> > I'll also try to push today or tomorrow the code enabling hardening
> > build flags as Kees sent me his documentation patch.
> Here's what I'm going to push in case anyone feels like reviewing it
> quickly (I'm waiting some final feedback from Kees).

Looks good, with a small change below. (Did I miss an email? What final
feedback was wanted?)

> diff --git a/man/dpkg-buildflags.1 b/man/dpkg-buildflags.1
> index b8dcd43..74bddad 100644
> --- a/man/dpkg-buildflags.1
> +++ b/man/dpkg-buildflags.1
> +gain ASLR. When this happens, ROP (Return Oriented Programming) attacks
> +are much harder since there are no static locations to bounce off of
> +during a memory corruption attack.
> +.TP
> +.PP
> +This is not compatible with \fB-fPIC\fP so care must be taken when
> +building shared objects.
> +.TP
> +.PP
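Review bot: the -fPIC sentence in this hunk ("This is not compatible with \fB-fPIC\fP so care must be taken when building shared objects") states the constraint backwards for the reader who has to act on it: the point is that -fPIE is only for the objects of the executable itself, and objects that will end up in a shared library must still be compiled with -fPIC, so a package that builds both has to apply the two flags per target rather than globally. Suggest rewording along those lines, e.g. "-fPIE must not be used for objects that go into a shared library; those still need \fB-fPIC\fP, so packages building both need to set the flags per target." Secondary point: each `.TP` here is immediately followed by `.PP`, leaving a tagged paragraph with no tag line, which is why the indentation does not come out as intended.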

These TP/PP's should probably just be a blank line? My attempts at an
indented paragraph break don't actually seem to work right.

> +Additionally, since PIE is implemented via a general register, some
> +architectures (most notably i386) can see performance losses of up to
> +15% in very text-segment-heavy application workloads; most workloads
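Review bot: "since PIE is implemented via a general register" under-explains the cost this paragraph attributes to i386. Suggest saying explicitly that position-independent code must keep a general-purpose register as the base for addressing its own data, which on i386 (no PC-relative addressing and very few usable registers) is what produces the slowdown, while amd64 has RIP-relative addressing and pays almost nothing. The hunk as quoted stops at "most workloads", so the rest of that sentence (and whatever it claims about typical workloads) is not reviewable here.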



Kees Cook                                            @debian.org

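Once the flag is enabled, the thing a packager actually wants to verify is that the resulting binary came out as a PIE. The following is an added example, not code from the dpkg patch or from anyone in this thread: it performs the same classification `readelf -h` does by parsing the ELF header (ET_EXEC is a non-PIE executable, ET_DYN is a PIE or a shared object) and tells a PIE apart from an ordinary shared library by looking for a PT_INTERP program header. It assumes little-endian ELF32/ELF64 images, the sample headers it builds are constructed and not real binaries, and the self-check in `main` assumes a Linux system with /proc mounted.

```c
/* Added example (not from the dpkg patch or this thread): classify an ELF image
 * as non-PIE executable, PIE, or shared object by parsing its header, the same
 * e_type check `readelf -h` reports. Only little-endian ELF32/ELF64 is handled. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum elf_kind { ELF_NOT_ELF = 0, ELF_EXEC = 1, ELF_DYN = 2, ELF_OTHER = 3 };

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const unsigned char *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* e_type classification; ELF_NOT_ELF for anything that is not a little-endian ELF image. */
enum elf_kind elf_kind_of(const unsigned char *buf, size_t len)
{
    if (len < 0x12 || memcmp(buf, "\x7f" "ELF", 4) != 0 || buf[5] != 1 /* ELFDATA2LSB */)
        return ELF_NOT_ELF;
    switch (rd16(buf + 0x10)) {      /* e_type */
    case 2:  return ELF_EXEC;        /* ET_EXEC: fixed load address, text segment gets no ASLR */
    case 3:  return ELF_DYN;         /* ET_DYN: PIE or shared object, loadable at any address */
    default: return ELF_OTHER;       /* ET_REL, ET_CORE, ... */
    }
}

/* 1 if a PT_INTERP program header is present (the image asks for a dynamic loader,
 * i.e. it is an executable), 0 if not, -1 if the headers do not fit in buf. */
int elf_has_interp(const unsigned char *buf, size_t len)
{
    if (elf_kind_of(buf, len) == ELF_NOT_ELF) return -1;
    uint64_t phoff; uint16_t phentsize, phnum;
    if (buf[4] == 2) {               /* EI_CLASS == ELFCLASS64 */
        if (len < 64) return -1;
        phoff = rd64(buf + 0x20); phentsize = rd16(buf + 0x36); phnum = rd16(buf + 0x38);
    } else {                         /* ELFCLASS32 */
        if (len < 52) return -1;
        phoff = rd32(buf + 0x1c); phentsize = rd16(buf + 0x2a); phnum = rd16(buf + 0x2c);
    }
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (off > len || len - off < 4) return -1;
        if (rd32(buf + off) == 3) return 1;   /* p_type == PT_INTERP */
    }
    return 0;
}

const char *elf_describe(const unsigned char *buf, size_t len)
{
    switch (elf_kind_of(buf, len)) {
    case ELF_EXEC: return "non-PIE executable (ET_EXEC)";
    case ELF_DYN:
        switch (elf_has_interp(buf, len)) {
        case 1:  return "PIE executable (ET_DYN with PT_INTERP)";
        case 0:  return "shared object (ET_DYN without PT_INTERP)";
        default: return "ET_DYN with unreadable program headers";
        }
    case ELF_OTHER: return "ELF, but neither executable nor shared object";
    default: return "not an ELF image";
    }
}

/* Constructed sample (not a real binary): a minimal ELF64 LSB header followed by a
 * single program header of type p_type at e_phoff = 64. Only the fields the checks
 * above read are meaningful. */
size_t build_sample(unsigned char *out, uint16_t e_type, uint32_t p_type)
{
    memset(out, 0, 64 + 56);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2; out[5] = 1; out[6] = 1;                 /* ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
    out[0x10] = (unsigned char)e_type; out[0x11] = (unsigned char)(e_type >> 8);
    out[0x12] = 0x3e;                                   /* EM_X86_64 */
    out[0x20] = 64;                                     /* e_phoff */
    out[0x34] = 64; out[0x36] = 56; out[0x38] = 1;      /* e_ehsize, e_phentsize, e_phnum */
    for (int i = 0; i < 4; i++) out[64 + i] = (unsigned char)(p_type >> (8 * i));  /* p_type */
    return 64 + 56;
}

int main(void)
{
    unsigned char sample[64 + 56];
    size_t n = build_sample(sample, 3, 3);              /* ET_DYN + PT_INTERP: a PIE */
    printf("constructed sample: %s\n", elf_describe(sample, n));

    /* Linux only (assumes /proc is mounted): classify the running program itself.
     * Program headers normally follow the ELF header directly, so 64 KiB is plenty. */
    static unsigned char self[65536];
    FILE *f = fopen("/proc/self/exe", "rb");
    if (f) {
        size_t got = fread(self, 1, sizeof self, f);
        fclose(f);
        printf("/proc/self/exe: %s\n", elf_describe(self, got));
    }
    return 0;
}
```

Build it once with `-fPIE -pie` (the flags the patch enables) and once with `-no-pie` on a toolchain that already defaults to PIE, and the `/proc/self/exe` line flips between "PIE executable" and "non-PIE executable"; a library built with `-fPIC -shared` is reported as a shared object because it has no PT_INTERP.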