performance tests conducted on 7.04, 7.10, 8.04, 8.10rc
Kees Cook
kees at ubuntu.com
Tue Oct 28 16:27:58 GMT 2008
Hi,
On Tue, Oct 28, 2008 at 11:02:37AM -0500, Chris Cheney wrote:
> Since they only tested on i386 this (aiui) could at least be partially
> explained by the security enhancements made to Ubuntu. I don't know what
> all has been changed but I believe at least -PIE was added to binaries
> at some point. There was discussion about this at a UDS and the fact
> this would cause some slowdown for i386 in particular since it doesn't
> have enough registers.
Nothing they tested has been built with PIE. We intentionally only
built a few[1] network services with PIE, so that won't account for it.
There were some compiler defaults[2] changed (e.g. _FORTIFY_SOURCE=2), but
that's unlikely to make such a difference in their test times. Most of
the checks are done at compile-time (which could certainly have
contributed to the compiler slow-down, but I would bet that's mostly
due to the 4.3 compiler, as mentioned earlier).
-Kees
[1] https://wiki.ubuntu.com/Security/HardeningWrapper#Early%20PIE%20Targets
[2] https://wiki.ubuntu.com/CompilerFlags
--
Kees Cook
Ubuntu Security Team