On 03/29/2013 09:38 AM, Dhiru Kholia wrote:
> A lot of network daemons are already using PIE and RELRO (e.g. httpd,
> MariaDB). So a natural question is why packages in the same "network
> daemons" class, like PostgreSQL, Dovecot and MongoDB, aren't being
> hardened?
>
> Some of the ways to implement this proposal are:
>
> 1. Hardening flags should be turned on (by default) for all packages
> which are at comparatively higher risk of being exploited or which meet
> some well-defined criteria (suggestions welcome).
>
> The "Packaging Guidelines" say that "Other packages may enable the flags at
> the maintainer's discretion."
>
> Thinking from a security perspective, I find "Hardening flags can only
> be disabled for other packages at the maintainer's discretion provided
> enough justification is given to FESCo" to be more appropriate.
-fPIE code is larger and takes longer to execute. The cost varies from
minimal (< 2%) in many cases to 10% or more for "non-dynamic" arrays on
i686.
-fPIE for Thumb mode on ARM is particularly painful.
RELRO can cost one extra page of physical RAM per process because the placement
of the RELRO region tends to increase fragmentation and decrease sharability.
I suggest that any requirement for increased hardening be restricted to only
those programs which execute with elevated privileges. The package maintainer
should retain primary discretion for anything which executes with "ordinary"
user privileges.
--
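The thread argues about which packages should get PIE and RELRO, but the first thing a packager or auditor needs is a way to tell whether a given binary actually got them. The following is an added example, not code from the thread or from Fedora's tooling: a small ELF64 little-endian parser that reports PIE (ET_DYN with a PT_INTERP header, so shared libraries are not counted) and RELRO (partial when a PT_GNU_RELRO segment exists, full when BIND_NOW is also set in the dynamic section). The `build_elf` helper and the images it produces are constructed test fixtures, not real binaries; `check_file` is the function you would point at a real executable.

```python
import struct

# ELF constants (ELF64, little-endian only, which covers x86_64 and AArch64)
ET_EXEC, ET_DYN = 2, 3
PT_INTERP, PT_DYNAMIC = 3, 2
PT_GNU_RELRO = 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR_FMT = "<HHIQQQIHHHHHH"   # fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"        # Elf64_Phdr, 56 bytes
DYN_FMT = "<qQ"               # Elf64_Dyn, 16 bytes


def check_hardening(data: bytes) -> dict:
    """Return PIE / RELRO status for an in-memory ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    (e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = struct.unpack_from(EHDR_FMT, data, 16)

    has_interp = has_relro = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True          # asks for a loader: an executable
        elif p_type == PT_GNU_RELRO:
            has_relro = True           # region made read-only after relocation
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    # Full RELRO needs BIND_NOW so the GOT is resolved before it is sealed.
    bind_now = False
    if dyn_off is not None:
        pos, end = dyn_off, dyn_off + dyn_size
        while pos + 16 <= end:
            d_tag, d_val = struct.unpack_from(DYN_FMT, data, pos)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bind_now = True
            pos += 16

    relro = "full" if (has_relro and bind_now) else "partial" if has_relro else "none"
    return {"pie": e_type == ET_DYN and has_interp,
            "relro": relro, "bind_now": bind_now, "e_type": e_type}


def check_file(path: str) -> dict:
    """Convenience wrapper for a real binary on disk."""
    with open(path, "rb") as f:
        return check_hardening(f.read())


def build_elf(e_type: int, with_relro: bool, bind_now: bool,
              with_interp: bool = True) -> bytes:
    """Constructed fixture: a minimal ELF64 image with just the headers
    check_hardening() looks at. Not loadable; for testing the parser only."""
    dyn = b""
    if bind_now:
        dyn += struct.pack(DYN_FMT, DT_FLAGS, DF_BIND_NOW)
        dyn += struct.pack(DYN_FMT, DT_FLAGS_1, DF_1_NOW)
    dyn += struct.pack(DYN_FMT, DT_NULL, 0)

    ptypes = ([PT_INTERP] if with_interp else []) + [PT_DYNAMIC]
    if with_relro:
        ptypes.append(PT_GNU_RELRO)
    dyn_off = 64 + 56 * len(ptypes)            # dynamic data follows the phdrs
    phdrs = b"".join(
        struct.pack(PHDR_FMT, t, 0x6,
                    dyn_off if t == PT_DYNAMIC else 0, 0, 0,
                    len(dyn) if t == PT_DYNAMIC else 0,
                    len(dyn) if t == PT_DYNAMIC else 0, 8)
        for t in ptypes)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack(EHDR_FMT, e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, len(ptypes), 64, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, check_file(p))
```

Run it as `python3 check_hardening.py /usr/sbin/httpd /usr/bin/postgres` to compare the two classes of daemon the thread contrasts. An ET_EXEC result means no PIE at all; "partial" RELRO means the linker emitted the segment but lazy binding leaves the GOT writable until each symbol is first called, which is the case `-Wl,-z,now` closes.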