Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 11 Feb 2014 16:37:21 -0500
From: "CERT(R) Coordination Center" <cert@...t.org>
To: oss-security@...ts.openwall.com
CC: "CERT(R) Coordination Center" <cert@...t.org>
Subject: Vendor adoption of PIE INFO#934476 oss-security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks,

We had originally notified Linux vendors individually through our
normal channels, but it has come to our attention that this could
perhaps be a better forum to have a discussion about the topic.

We recently published a blog post about the state of ASLR/PIE on Linux
compared to how it is on Windows:
<https://www.cert.org/blogs/certcc/post.cfm?EntryID=191>

tl;dr: On x86 Linux, there's a significant performance impact to PIE,
however on the x86_64 platform it's not so clear whether the
performance impact is significant enough to stop widespread use of
PIE.

This is where we are looking for input from the Linux vendors.  It has
been reported <http://nebelwelt.net/publications/12TRpie/gccPIE-TR120614.pdf>:
2.4 PIE and x64
<snip>  
... "A quick evaluation for x64 reports an average overhead of 3.61%
and a geometric mean of 2.34% for an -O3 optimization level on the
same system using the "test" dataset of SPEC CPU2006."

For those environments that put a high value on security, it would
seem that a 2-3% overhead might be acceptable.  Though being a
compile-time option, it would seem that the "faster" vs. "more secure"
decision would need to be made ahead of time by the vendor.  And
obviously, one size does not fit all.

Thoughts?  What is stopping you from enabling PIE for everything, at
least on the x86_64 platform?


Thank you,
   Will Dormann

=============================
Vulnerability Analyst
CERT Coordination Center
4500 Fifth Ave.
Pittsburgh, PA 15213
1-412-268-7090
=============================


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBUvqa/0FiFe3xVPtiAQKUWggAkQwJLYVuQAS0AWJzTLQzdIswqdsujP5C
oqrF9N+aNWv1PNRjHbHBbGT5eDhepjkau9z90KHhHhYke5X17V47aEFb7HV5M3xN
2KmJkOAYr870S1xD1swL80lryc0w3QqHuCHDfoJ5n316zx87wk/wVF0uYUwtufVY
qeBv8ZXAlfX1hjEat5yRutEb+/ryNr6uzQkLgW9bzZcVsndDLDxzpqxO1k+Rv6mp
X/12Vi0bE2/tZUv7MIaXzG5bpqU1wWqHXXzqzvdYVY4R6tUdvRTCPM6qjHdm63nE
eEHFRj426tGNAnZtKMBzW52Mtloc2IFRTO6guvSBcn+ueLFZYVmXow==
=SNne
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.