[ubuntu-hardened] Missing some hardening flags for a few apps.

Kees Cook kees at ubuntu.com
Fri Nov 30 19:36:36 UTC 2012


On Fri, Nov 30, 2012 at 10:41:56AM -0800, Seth Arnold wrote:
> On Fri, Nov 30, 2012 at 12:00:13PM -0600, Jamie Strandboge wrote:
> > As for PIE and BIND_NOW, these are disabled by default and opt-in for
> > packages that want them. The reason PIE is like this is because it can
> > introduce a performance penalty on some architectures like i386. I don't
> > recall why BIND_NOW is off by default-- presumably for the same reason
> > (maybe someone else on the list can comment). See our wiki[1] for more
> > details.
> 
> BIND_NOW also represents a potentially stiff performance penalty,
> especially for the larger applications, as it forces all the libraries
> for an application to be loaded before the application is responsive to
> user input. This can be several hundred megabytes of disk IO, and if
> the libraries are not also used immediately, represents a few hundred
> megabytes of displaced buffers and cache that might be more profitably
> used elsewhere.

This is not true any more. The GNU string hash tables radically speed up symbol
resolution, and the current linker flags only include symbols for things that are
actually used. When I did measurements about 2 years ago, it was almost entirely
unmeasurable. Something like 0.1%, well within the noise.

> In essence, it can add twice the size of the libraries to the disk IO
> requirements -- half of it immediately, at application start, and the
> other half as different programs and data is reloaded from disk.

I would really like to see this backed up by data, but I think adding BIND_NOW by
default would be worth it. And I've always thought PIE should be the default for
x86_64.

-Kees

-- 
Kees Cook
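For anyone wanting to check whether a given binary actually carries the two flags debated above, the following is an added example (not part of this thread or of Ubuntu's tooling): it reads the ELF program headers and dynamic section directly and reports PIE and BIND_NOW status. The candidate paths in find_sample_binary are assumptions about what is installed locally.

```python
"""Added example (not from the thread): read an ELF64 file's program headers and
dynamic section to tell whether it was linked as PIE and with BIND_NOW."""
import struct
import sys
from contextlib import suppress

# Constants from the ELF specification / glibc elf.h
ET_DYN, PT_DYNAMIC, PT_INTERP = 3, 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 0x1E, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000


def elf_hardening(path):
    """Return {'dynamic', 'pie', 'bind_now'} for a little-endian ELF64 file."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("expected a little-endian ELF64 file: %s" % path)
    _, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from(
        "<16sHHIQQQIHHH", data)
    has_interp, dyn = False, None
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True  # asks for a dynamic loader: an executable, not a .so
        elif p_type == PT_DYNAMIC:
            dyn = data[p_offset:p_offset + p_filesz]
    bind_now = pie_flag = False
    # The dynamic section is an array of (d_tag, d_val) pairs ending at DT_NULL.
    for off in range(0, len(dyn or b"") - 15, 16):
        tag, val = struct.unpack_from("<qQ", dyn, off)
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW):
            bind_now = True  # -Wl,-z,now: every symbol resolved before main() runs
        elif tag == DT_FLAGS_1:
            bind_now |= bool(val & DF_1_NOW)
            pie_flag = bool(val & DF_1_PIE)
    # A PIE is an ET_DYN object run through the loader; newer linkers also set
    # DF_1_PIE so it can be told apart from an ordinary shared library.
    pie = e_type == ET_DYN and (pie_flag or has_interp)
    return {"dynamic": dyn is not None, "pie": pie, "bind_now": bind_now}


def find_sample_binary(candidates=(sys.executable, "/bin/sh", "/bin/ls")):
    """First candidate that is a little-endian ELF64 file (assumed paths), else None."""
    for cand in candidates:
        with suppress(OSError), open(cand, "rb") as f:
            if f.read(6) == b"\x7fELF\x02\x01":
                return cand
    return None
```

Run it as `python3 elf_hardening.py` and call `elf_hardening(find_sample_binary())`, or pass any path of your own; a statically linked binary reports `dynamic: False`, in which case BIND_NOW does not apply.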
