Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 16 Feb 2014 11:01:41 -0500
From: christos@...las.com (Christos Zoulas)
To: oss-security@...ts.openwall.com
Subject: Re: Vendor adoption of PIE INFO#934476 oss-security

On Feb 16,  2:28pm, stu@...cehopper.org (Stuart Henderson) wrote:
-- Subject: Re: [oss-security] Vendor adoption of PIE INFO#934476 oss-securit

| By the way, OpenBSD has switched compilers to generating PIE code by
| default on the majority of architectures, various arch's over the last
| couple of releases, but as of a couple of months ago we've also done
| this for i386 (x86) too, so I can give some specific examples of
| where you can expect to run into problems.
| 
| On amd64 (x86_64) fallout has been mostly limited to compilers and a
| couple of other programs, e.g. emacs, qemu, clisp, erlang, ghc, sbcl,
| which we are building with PIE disabled.
| 
| Additionally for i386 there have been problems with register pressure
| on programs with their own asm code (mostly games), in particular
| code doing cpuid checks often doesn't save/restore %ebx, but there
| have been some others. In one case there was code for x86 OSX which
| avoids scribbling on %ebx which we've been able to borrow, and I think
| there were one or two where we've switched from asm to a generic C
| implementation. Of course, shared libraries already have to take
| this into account so not too much trouble there.
| 
| Everything else, base system and ports, is built with PIE.
| On the whole, experiences have been pretty good. Obviously there is
| some performance impact but we haven't yet had any reports of this
| causing major problems (though we will probably know more about this
| after 5.5 is released when the average user will first see i386
| packages built with PIE by default).

Are you doing any RELRO work?

christos

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ