PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)

To: "debian-devel@lists.debian.org" <debian-devel@lists.debian.org>
Cc: debian-policy@lists.debian.org
Subject: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
From: Bálint Réczey <balint@balintreczey.hu>
Date: Sun, 15 May 2016 20:13:19 +0200
Message-id: <[🔎] CAK0Odpw3LjhZdAqOBvo91Vv5O4DzpzR23_zHxLYdux5OvNGRXw@mail.gmail.com>
Reply-to: balint@balintreczey.hu

Hi,

2016-05-15 4:11 GMT+02:00 Dimitri John Ledkov <xnox@debian.org>:
> On 14 May 2016 at 21:12, Niels Thykier <niels@thykier.net> wrote:
>> Marco d'Itri:
>>> On May 03, Josh Triplett <josh@joshtriplett.org> wrote:
>>>
>>>> While this doesn't make PIC absolutely free, it does eliminate almost
>>>> all of the cost, to the point that it no longer seems worthwhile to
>>>> build without -fPIC.  Apart from that, building *all* code with -fPIC
>>>> (including both programs and libraries) helps with hardening.
>>> I think that this is worth exploring.
>>> Did you check what other (relevant) distributions are doing?
>>>
>>
>> Fedora seems to be doing -fPIE by default for executables[1] - targeting
>> Fedora 23.  Known issues they ran into can be found at [2].
>>   I also found the following PPA [3]. Cannot say if it is official or
>> just a personal interest from the PPA owner.
>>
>
> Ubuntu 16.04 LTS on s390x has -fPIE and bind now
>
> Ubuntu 16.10 on amd64, ppc64el, s390x has -fPIE and bind now

I think making PIE and bindnow default in dpkg (at least for amd64) would be
perfect release goals for Stretch.

This would make Debian on par with Fedora and Ubuntu in that regard.

We briefly discussed that with Guillem in a related bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812783#42

I think the next step could be an archive rebuild with the changed defaults
if we would like to pursue this:
https://wiki.debian.org/Teams/Dpkg/FAQ#Q:_Can_we_add_support_for_new_default_build_flags_to_dpkg-buildflags.3F

I planned starting a discussion on debian-devel about PIE + bindnow,
too, after checking
all the packages which contain statically compiled binaries because
they may need patching
to disable PIE flags based on Lunar's post:
https://people.debian.org/~lunar/blog/posts/aslr_now/

Cheers,
Balint

>
> In general features like these for Ubuntu are tracked by Security team at:
>
> https://wiki.ubuntu.com/Security/Features
>
> And bind-now needs fixing on that page.
>
> --
> Regards,
>
> Dimitri.
>

Reply to:

Follow-Ups:
- Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
  - From: Niels Thykier <niels@thykier.net>

Prev by Date: Re: Time to reevaluate the cost of -fPIC?
Next by Date: Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
Previous by thread: Processed: submitter 649530
Next by thread: Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
Index(es):
- Date
- Thread