Date: Sun, 16 Feb 2014 11:01:41 -0500 From: christos@...las.com (Christos Zoulas) To: oss-security@...ts.openwall.com Subject: Re: Vendor adoption of PIE INFO#934476 oss-security On Feb 16, 2:28pm, stu@...cehopper.org (Stuart Henderson) wrote: -- Subject: Re: [oss-security] Vendor adoption of PIE INFO#934476 oss-securit | By the way, OpenBSD has switched compilers to generating PIE code by | default on the majority of architectures, various arch's over the last | couple of releases, but as of a couple of months ago we've also done | this for i386 (x86) too, so I can give some specific examples of | where you can expect to run into problems. | | On amd64 (x86_64) fallout has been mostly limited to compilers and a | couple of other programs, e.g. emacs, qemu, clisp, erlang, ghc, sbcl, | which we are building with PIE disabled. | | Additionally for i386 there have been problems with register pressure | on programs with their own asm code (mostly games), in particular | code doing cpuid checks often doesn't save/restore %ebx, but there | have been some others. In one case there was code for x86 OSX which | avoids scribbling on %ebx which we've been able to borrow, and I think | there were one or two where we've switched from asm to a generic C | implementation. Of course, shared libraries already have to take | this into account so not too much trouble there. | | Everything else, base system and ports, is built with PIE. | On the whole, experiences have been pretty good. Obviously there is | some performance impact but we haven't yet had any reports of this | causing major problems (though we will probably know more about this | after 5.5 is released when the average user will first see i386 | packages built with PIE by default). Are you doing any RELRO work? christos
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ