On 29.03.2013 23:07, John Reiser wrote:
On 03/29/2013, Reindl Harald wrote:
>> -fPIE code is larger and takes longer to execute. The cost varies from
>> minimal (< 2%) in many cases to 10% or more for "non-dynamic" arrays
>> on i686
>
> i686 becomes more or less dead
>
> there could be made a difference in SPEC-files to in border
> cases only harden the x86_64 binaries because in context
> of servers i686 is already dead except legacy systems which
> are not relevant for recent fedora versions

The usage of i686 user-mode software is *INCREASING*, especially on x86_64 machines
which run a 64-bit kernel. The same amount of physical RAM can support several
percent more simultaneous 32-bit user-mode processes before paging. 64-bit .text,
pointers, and longs are larger. Only a few applications need a 64-bit address space.
It will be many years before i686 user mode dies.

the machines below are all installed 2008
this is five years ago
the machines did load-peaks only a few people saw in real-life
well many times and i rebuild ANY relevant package with PIE
last year we bought a DL380 with 2 x Xeon E5-2640 and 92 GB RAM
plus an additional CPU and 60 GB RAM for the other host by a
price of around 8000 € and you will explain me that hacks like
PAE are growing?

[root@buildserver:~]$ distribute-command.sh "rpm -qa | grep x86_64 | wc -l; rpm -qa | grep i686 | wc -l"
--------------------------------------------------------------------------
896
0
411
0
335
0
279
0
283
0
368
0
217
0
218
0
344
0
342
0
237
0
239
0
399
0
335
0
344
0
895
0
279
0
283
0
368
0

> * please do not argue with "but you need this and this AND this"
> the experience of the last years shows how creative attackers
> are acting with RANDOM input data

I'm arguing the total expected benefit (integral over time of estimated
exposure times expected prevented loss) versus actual cost (more machines,
RAM, heat, [avoided] latency). I'm not convinced that PIE+RELRO
is worth it except for a process with elevated privilege or extended lifetime.
Please cite some documented cases where PIE and/or RELRO prevented or delayed
an actual loss, or signaled with sufficient warning to be useful. Meanwhile
I'm spending more each month to consume more resources because of PIE+RELRO.

this is a naive approach
you CAN NOT measure a failed code-execution
you can only measure a successful intrusion and that only if you
take notice that it happened - looking in my firewall logs only
a few people out there are in the position having the knowledge
to notice intrusions on their machines