Date: Tue, 15 May 2012 05:33:14 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Keegan McAllister <mcallister.keegan@...il.com>
Subject: Automatic binary hardening with Autoconf

Hi,

I'd like this sort of topic to be brought up in here, so I'll start by referring to some blog posts. Here's an interesting one by Keegan McAllister:

http://mainisusuallyafunction.blogspot.com/2012/05/automatic-binary-hardening-with.html

This suggests (and shows how) individual programs that use autoconf may automatically enable the usual set of compile-time hardening settings that are otherwise normally provided by builds for/by/on hardened distros only. This is not rocket science, yet the provided examples may be reused and it may become a trend.

Also interesting are the performance impact numbers (up to 30%), which are far worse than those I've seen posted before (up to 5.8%):

http://d-sbd.alioth.debian.org/www/?page=pax_pie

Perhaps this has to do with the specific code being protected and benchmarked (some crypto code in Mosh?)

http://mosh.mit.edu

An edit to this comment:

https://github.com/keithw/mosh/issues/79#issuecomment-4683789

says that the impact is less with Ubuntu 12.04's GCC 4.6.3 - but I think this may be because Ubuntu's GCC has some of the hardening enabled by default (so its baseline performance is worse, not the impact is less).

Alexander
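The kind of configure.ac check the message refers to, as an added example that is not code from the blog post, from Mosh, or from the email: each hardening flag is probed against the compiler or linker and only added if accepted, and a --disable-hardening switch is provided so the performance cost discussed above can be measured against a plain build. It assumes the autoconf-archive macros AX_CHECK_COMPILE_FLAG and AX_CHECK_LINK_FLAG are available; the flag set and the option name are my choices.

```m4
# configure.ac fragment (added example). Assumes autoconf-archive's
# AX_CHECK_COMPILE_FLAG / AX_CHECK_LINK_FLAG are on the aclocal path.
AC_INIT([hardened-demo], [0.1])
AC_PROG_CC

HARDEN_CFLAGS=
HARDEN_LDFLAGS=

# Stack canaries. -Werror as EXTRA-FLAGS makes a compiler that only warns
# about an unknown option count as rejecting it.
AX_CHECK_COMPILE_FLAG([-fstack-protector-all],
  [HARDEN_CFLAGS="$HARDEN_CFLAGS -fstack-protector-all"], [], [-Werror])

# FORTIFY_SOURCE checks only fire with optimisation on, so probe with -O2.
AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=2],
  [HARDEN_CFLAGS="$HARDEN_CFLAGS -D_FORTIFY_SOURCE=2"], [], [-Werror -O2])

# PIE needs both the compile flag and the link flag; configure's link test
# passes LDFLAGS to the compile step as well, so one check covers both.
AX_CHECK_LINK_FLAG([-fPIE -pie],
  [HARDEN_CFLAGS="$HARDEN_CFLAGS -fPIE"
   HARDEN_LDFLAGS="$HARDEN_LDFLAGS -pie"], [], [-Werror])

# RELRO plus immediate binding: the GOT becomes read-only after relocation.
AX_CHECK_LINK_FLAG([-Wl,-z,relro],
  [HARDEN_LDFLAGS="$HARDEN_LDFLAGS -Wl,-z,relro"])
AX_CHECK_LINK_FLAG([-Wl,-z,now],
  [HARDEN_LDFLAGS="$HARDEN_LDFLAGS -Wl,-z,now"])

# Escape hatch for benchmarking the unhardened baseline (hypothetical name).
AC_ARG_ENABLE([hardening],
  [AS_HELP_STRING([--disable-hardening],
                  [build without the compile-time hardening flags])])
AS_IF([test "x$enable_hardening" != xno],
  [CFLAGS="$CFLAGS $HARDEN_CFLAGS"
   LDFLAGS="$LDFLAGS $HARDEN_LDFLAGS"
   AC_MSG_NOTICE([hardening flags:$HARDEN_CFLAGS$HARDEN_LDFLAGS])],
  [AC_MSG_NOTICE([hardening disabled])])

AC_CONFIG_FILES([Makefile])
AC_OUTPUT
```

After `./configure`, the accepted flags appear in the notice line and in the generated Makefile's CFLAGS/LDFLAGS; running `./configure --disable-hardening` gives the baseline build to compare timings against.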