Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Tue, 30 Apr 2013 21:36:58 +0400
From: Vasily Kulikov <segoon@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: PIE on x86_64

Hi,

On Fri, Apr 26, 2013 at 21:48 -0400, Rich Felker wrote:
> On Sat, Apr 27, 2013 at 02:14:05AM +0800, Pavel Labushev wrote:
> > On Fri, 12 Apr 2013 22:26:58 +0400
> > Solar Designer <solar@...nwall.com> wrote:
> > 
> > > > What are your reasons not to link executables as ET_DYN, even though
> > > > the target CPU architecture is PC-relative?
> > > 
> > > I think we should start doing that, and benchmark to make sure there's
> > > no unexpected performance drop.  Vasily?
> > 
> > And silence was the answer... Is it too much work? You could make -fpie
> > and the other hardening flags compiler's built-in defaults, like it is
> > done in Hardened Gentoo. It may be simpler and more robust than
> > tweaking specs of every package and would set more secure defaults for
> > anything that users might compile.
> 
> Unfortunately changing the compiler defaults can break things in
> subtle ways. The most common breakage I'm aware of from making pie the
> default occurs in packages with assembler source files that are
> written in non-pic-compatible ways. These will turn into TEXTRELs in
> the pie binary, which depending on the arch, may just result in heavy
> runtime bloat (e.g. on 32-bit x86) or produce an error at link time
> (e.g. on x86_64). I seem to recall a user running into this issue in
> OpenSSL...

I've tried to enable PIE by default and disable it on -static, etc.

The patch is based on this one:

http://ftp.osuosl.org/pub/lfs/hlfs-packages/unstable/gcc-4.1.2-fpie-2.patch

There were several failures: vim, owl-startup.  They need pic-enabled .a
files.  World rebuild fixes these errors.

The only package which fails to build as-is on x86_64 is the kernel.
The -D__KERNEL__ check is present, though.  Will try to figure it out
(likely, tomorrow).

I caught no failures on syslinux or lilo.

Some binary files in $PATH still lack the DYN type; will fix this too.


Thanks,

-- 
Vasily Kulikov
http://www.openwall.com - bringing security into open computing environments

View attachment "gcc-4.6.2-owl-defaults-Wl2.diff" of type "text/x-diff" (5251 bytes)
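
Added example, not part of the original message or the attached patch: a small ELF audit that reports whether a binary is ET_EXEC or ET_DYN and whether its dynamic section declares text relocations (DT_TEXTREL, or DF_TEXTREL in DT_FLAGS), the two properties discussed in this thread. The function name `elf_report` is hypothetical; note that ET_DYN also covers ordinary shared objects, so the type alone does not prove a file is a PIE executable.

```python
import struct
import sys

ET_NAMES = {2: "EXEC", 3: "DYN"}  # e_type values from the ELF specification
PT_DYNAMIC, DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 2, 0, 22, 30, 0x4

def elf_report(data):
    """Return (type_name, has_textrel) for an ELF image, or None if not ELF."""
    if (len(data) < 20 or data[:4] != b"\x7fELF"
            or data[4] not in (1, 2) or data[5] not in (1, 2)):
        return None
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little endian, 2 = big
    try:
        (e_type,) = struct.unpack_from(end + "H", data, 16)
        if is64:
            (phoff,) = struct.unpack_from(end + "Q", data, 32)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        else:
            (phoff,) = struct.unpack_from(end + "I", data, 28)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        textrel = False
        for i in range(phnum):
            base = phoff + i * phentsize
            if is64:   # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
                p_type, _, off, _, _, size = struct.unpack_from(end + "IIQQQQ", data, base)
            else:      # p_type, p_offset, p_vaddr, p_paddr, p_filesz
                p_type, off, _, _, size = struct.unpack_from(end + "IIIII", data, base)
            if p_type != PT_DYNAMIC:
                continue
            fmt = end + ("qQ" if is64 else "iI")   # d_tag, d_val
            for pos in range(off, off + size, struct.calcsize(fmt)):
                tag, val = struct.unpack_from(fmt, data, pos)
                if tag == DT_NULL:
                    break
                if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                    textrel = True
    except struct.error:
        return None                      # truncated or malformed image
    return ET_NAMES.get(e_type, str(e_type)), textrel

if __name__ == "__main__":
    # Usage: pass file paths as arguments; each is read and reported.
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, elf_report(f.read()))
```

Files that report `EXEC` have not been linked as position-independent, and any file reporting a text relocation is a candidate for the non-PIC assembler problem described in the quoted message.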
