Add security hardening for 4.0.1? (was: Introducing security hardening features for Lenny)
Armin Berres
trigger at space-based.de
Tue Jan 29 22:51:13 UTC 2008
I guess there will be a long discussion on -devel, here are some short
hints from MaxCoder (taken from #debian-qt-kde):
.:23:23:37:. MadCoder| SSP, FORTIFY_SOURCES, and PIE are critical performance wise
.:23:23:52:. mukidohime| PIE is brutal to performance, though, right?
.:23:23:55:. MadCoder| SSP is particularily expensive for an application that performs a lot of 'calls'
.:23:24:04:. trigger| hm, bad
.:23:24:20:. MadCoder| and PIE is very expensive on registers starved archs like … the not very used x86
.:23:24:31:. MadCoder| so don't get _too_ excited either
.:23:24:41:. MadCoder| -D_FORTIFY_SOURCES=1 is a good idea though
.:23:24:55:. MadCoder| it generates no runtime checks, and detectes a handful of important mistakes
.:23:25:33:. trigger| so -D_FORTIFY_SOURCES=1 and nothing else? or should one consider SSP?
.:23:26:41:. MadCoder| well, -pie is a very bad idea IMNSHO
.:23:26:46:. MadCoder| the rest depends on the application
.:23:27:04:. MadCoder| I just say, don't get _too_ excited, most of the proposed flags/features/... have an inherent cost
.:23:27:06:. mukidohime| I guess it would require some kind of serious profiling.
.:23:27:37:. MadCoder| SSP is a technique that puts a canary (a random value) on the stack before (or after I never remember, I suppose it's arch dependent anyways) on
the stack
.:23:27:50:. MadCoder| and just before you RET from the call, it checks if the canary is still there
.:23:28:21:. MadCoder| it detects stack smashing based on the fact that if the attacker cannot guess the canary, he'll probably overwrite it
.:23:28:29:. MadCoder| it's quite effective for a broad range of attacks
.:23:28:37:. trigger| i see
.:23:28:45:. MadCoder| though, each _RET_ (and there is usually one per call) costs an additionnal check
.:23:29:19:. MadCoder| so it's a performance killer for anything that does CPU-bound operations, and is coded using lots of functions
.:23:29:39:. MadCoder| _FORTIFY_SOURCES=2 is on the same vein
.:23:29:59:. MadCoder| it replaces some "dangerous" string operations with functions that try to check boundaries some way or the other
.:23:30:05:. MadCoder| I don't really know how, I just know it costs
.:23:30:20:. MadCoder| and well, when it's strcpy or strcat, I don't care, people using those should be shot
.:23:30:25:. MadCoder| but it checks memcpy and memmove too
.:23:30:31:. MadCoder| and _THAT_ sucks
.:23:30:45:. trigger| who needs memcpy? ;)
.:23:30:57:. MadCoder| -fPIE and -pie have the same issue as shared libraries do
.:23:31:05:. mukidohime| So, it's trading stack smashing for performance smashing?
.:23:31:11:. MadCoder| all is rellocatable, hence every jump will be done based on an offset
.:23:31:32:. MadCoder| and x86 hasn't all the relative opcodes, hence it blocks one register to store the offset in it
.:23:31:59:. MadCoder| other archs are less impacted afaict (like amd64 that has all the necessary opcodes _and_ has more registers)
.:23:32:19:. MadCoder| so it's not really obvious to me that we should make those 3 options default everywhere
.:23:32:36:. MadCoder| so don't jump on horses _yet_ :)
.:23:32:50:. mukidohime| PIE is definitely only for a few specific uses.
.:23:33:06:. trigger| so -D_FORTIFY_SOURCES=1 and waiting FTW :)
.:23:33:30:. mukidohime| SSP... that would require some profiling to check the performance hit.
.:23:34:17:. MadCoder| well, SSP is probably not a problem for many desktop applications
.:23:34:35:. MadCoder| though, multimedia guys won't like it, whereas it's the kind of applications that are the most vulnerable
.:23:34:54:. mukidohime| Yeah, I think they'd much rather live fast and loose though.
.:23:34:56:. MadCoder| so well, all that talk was just to say, don't hurry, wait for the discussion that will probably come
More information about the pkg-kde-talk
mailing list