Re: Hardening patch
On Wed, Sep 07, 2011 at 11:55:19AM +0200, Raphael Hertzog wrote:
> On Wed, 07 Sep 2011, Raphael Hertzog wrote:
> > I'll also try to push today or tomorrow the code enabling hardening
> > build flags as Kees sent me his documentation patch.
> Here's what I'm going to push in case anyone feels like reviewing it
> quickly (I'm waiting for some final feedback from Kees).
Looks good, with a small change below. (Did I miss an email? What final
feedback was wanted?)
> diff --git a/man/dpkg-buildflags.1 b/man/dpkg-buildflags.1
> index b8dcd43..74bddad 100644
> --- a/man/dpkg-buildflags.1
> +++ b/man/dpkg-buildflags.1
> +gain ASLR. When this happens, ROP (Return Oriented Programming) attacks
> +are much harder since there are no static locations to bounce off of
> +during a memory corruption attack.
> +This is not compatible with \fB-fPIC\fP so care must be taken when
> +building shared objects.
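Review bot: the closing sentence of this hunk, "This is not compatible with \fB-fPIC\fP so care must be taken when building shared objects.", tells the packager there is a conflict but not what to do about it; name the flag the incompatibility concerns (the PIE compiler flag this entry documents) and state the resolution, e.g. that shared objects should be built with \fB-fPIC\fP and without the PIE flag. Minor: "Return Oriented Programming" is conventionally hyphenated as "Return-Oriented Programming".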
These TP/PP's should probably just be a blank line? My attempts at an
indented paragraph break don't actually seem to work right.
> +Additionally, since PIE is implemented via a general register, some
> +architectures (most notably i386) can see performance losses of up to
> +15% in very text-segment-heavy application workloads; most workloads
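Review bot: "since PIE is implemented via a general register" in this hunk is vague about what actually costs performance; say directly that PIE reserves a general-purpose register, e.g. "since PIE reserves a general-purpose register for position-independent addressing". The "up to 15%" figure is a concrete claim, so either qualify it as an approximate, workload-dependent measurement or point to where it was measured.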
Kees Cook @debian.org