On 29.03.2013 23:07, John Reiser wrote:
> On 03/29/2013, Reindl Harald wrote:
>>> -fPIE code is larger and takes longer to execute. The cost varies from minimal (< 2%) in many cases to 10% or more for "non-dynamic" arrays on i686
>> i686 is becoming more or less dead
>> a distinction could be made in the SPEC files so that, in borderline cases, only the x86_64 binaries are hardened, because in the context of servers i686 is already dead except for legacy systems, which are not relevant for recent Fedora versions
> The usage of i686 user-mode software is *INCREASING*, especially on x86_64 machines which run a 64-bit kernel. The same amount of physical RAM can support several percent more simultaneous 32-bit user-mode processes before paging. 64-bit .text, pointers, and longs are larger. Only a few applications need a 64-bit address space. It will be many years before i686 user mode dies.
the machines below were all installed in 2008, which is five years ago
the machines handled load peaks that only a few people have seen in real life, many times, and I rebuild ANY relevant package with PIE
last year we bought a DL380 with 2 x Xeon E5-2640 and 92 GB RAM, plus an additional CPU and 60 GB RAM for the other host, for a price of around 8000 €, and you want to explain to me that hacks like PAE are growing?
[root@buildserver:~]$ distribute-command.sh "rpm -qa | grep x86_64 | wc -l; rpm -qa | grep i686 | wc -l"
--------------------------------------------------------------------------
896 0
411 0
335 0
279 0
283 0
368 0
217 0
218 0
344 0
342 0
237 0
239 0
399 0
335 0
344 0
895 0
279 0
283 0
368 0
>> - please do not argue with "but you need this and this AND this"; the experience of the last years shows how creative attackers are acting with RANDOM input data
> I'm arguing the total expected benefit (integral over time of estimated exposure times expected prevented loss) versus actual cost (more machines, RAM, heat, [avoided] latency). I'm not convinced that PIE+RELRO is worth it except for a process with elevated privilege or extended lifetime.
> Please cite some documented cases where PIE and/or RELRO prevented or delayed an actual loss, or signaled with sufficient warning to be useful. Meanwhile I'm spending more each month to consume more resources because of PIE+RELRO.
this is a naive approach; you CAN NOT measure a failed code execution
you can only measure a successful intrusion, and that only if you notice that it happened - looking at my firewall logs, only a few people out there are in the position of having the knowledge to notice intrusions on their machines
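The thread argues about whether PIE and RELRO are worth their cost, and the `rpm -qa` output above only counts packages by architecture; it does not say which installed binaries actually carry the two flags. As an added example, not part of this thread or of Fedora's tooling, the script below reads the ELF header, program headers and dynamic section directly (the same fields `readelf -h`, `-l` and `-d` print) and reports, per binary, whether it is PIE and whether RELRO is partial or full. It handles both ELF32 (i686) and ELF64 (x86_64) little-endian images. The `build_test_elf` helper is a constructed fixture for self-testing and produces header-only images that are not runnable programs; the constants come from the ELF specification and glibc's `elf.h`.

```python
"""Check ELF binaries for PIE and RELRO, the two hardening flags debated above.

Added example, not code from the thread. Reads the ELF header, program headers
and dynamic section directly, so it needs no external tool.
Little-endian x86 / x86_64 only. Constants follow the ELF spec and glibc's elf.h.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

# Per ELF class: (Ehdr format, Phdr format, Dyn format). Note the Phdr field
# order differs: ELF32 puts p_flags after p_memsz, ELF64 puts it after p_type.
LAYOUT = {
    1: ("<16sHHIIIIIHHHHHH", "<IIIIIIII", "<iI"),  # ELFCLASS32 (i686)
    2: ("<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"),  # ELFCLASS64 (x86_64)
}


def _program_headers(data, cls, phoff, phentsize, phnum):
    """Yield (p_type, p_offset, p_filesz) for every program header."""
    fmt = LAYOUT[cls][1]
    for i in range(phnum):
        f = struct.unpack_from(fmt, data, phoff + i * phentsize)
        yield (f[0], f[1], f[4]) if cls == 1 else (f[0], f[2], f[5])


def classify(data: bytes) -> dict:
    """Return PIE / RELRO status for one ELF image, as a checksec-style report."""
    if data[:4] != b"\x7fELF" or data[5] != 1 or data[4] not in LAYOUT:
        raise ValueError("not a little-endian ELF32/ELF64 file")
    cls = data[4]
    hdr_fmt, _, dyn_fmt = LAYOUT[cls]
    h = struct.unpack_from(hdr_fmt, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = h[1], h[5], h[9], h[10]
    phdrs = list(_program_headers(data, cls, e_phoff, e_phentsize, e_phnum))

    has_relro = any(p_type == PT_GNU_RELRO for p_type, _, _ in phdrs)
    bind_now = pie_flag = False
    step = struct.calcsize(dyn_fmt)
    for p_type, off, size in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for pos in range(off, off + size, step):  # walk .dynamic until DT_NULL
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True  # eager binding: the GOT is resolved before RELRO seals it
            if tag == DT_FLAGS_1 and val & DF_1_PIE:
                pie_flag = True  # newer linkers mark PIE executables explicitly
    # Caveat: shared libraries are ET_DYN too, so a .so also reports "pie": True;
    # DF_1_PIE (when the linker set it) is the unambiguous sign of a PIE executable.
    return {
        "bits": 32 if cls == 1 else 64,
        "pie": e_type == ET_DYN,
        "pie_flag": pie_flag,
        "relro": "full" if has_relro and bind_now else "partial" if has_relro else "none",
    }


def build_test_elf(cls, e_type, relro, dyn_entries):
    """Constructed fixture: a minimal, non-runnable ELF image carrying only the
    headers classify() looks at. Used for the self-test below."""
    hdr_fmt, phdr_fmt, dyn_fmt = LAYOUT[cls]
    ehsize, phentsize = struct.calcsize(hdr_fmt), struct.calcsize(phdr_fmt)
    dyn = b"".join(struct.pack(dyn_fmt, t, v) for t, v in list(dyn_entries) + [(DT_NULL, 0)])
    ptypes = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = ehsize + phentsize * len(ptypes)
    phdrs = b""
    for t in ptypes:
        off, size = (dyn_off, len(dyn)) if t == PT_DYNAMIC else (0, 0)
        if cls == 1:
            phdrs += struct.pack(phdr_fmt, t, off, 0, 0, size, size, 6, 4)
        else:
            phdrs += struct.pack(phdr_fmt, t, 6, off, 0, 0, size, size, 8)
    ident = b"\x7fELF" + bytes([cls, 1, 1]) + b"\x00" * 9  # class, little-endian, version
    machine = 3 if cls == 1 else 62  # EM_386 / EM_X86_64
    ehdr = struct.pack(hdr_fmt, ident, e_type, machine, 1, 0, ehsize, 0, 0,
                       ehsize, phentsize, len(ptypes), 0, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    # Usage: python3 elf_hardening.py /usr/bin/* ; with no arguments, run on the fixtures.
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, classify(fh.read()))
    else:
        print("hardened x86_64:", classify(build_test_elf(2, ET_DYN, True, [(DT_FLAGS_1, DF_1_NOW | DF_1_PIE)])))
        print("legacy i686:   ", classify(build_test_elf(1, ET_EXEC, False, [])))
```

Run over `/usr/bin/*` or `/usr/sbin/*` on a build host to see which of the rebuilt packages actually came out PIE with full RELRO; "partial" means `PT_GNU_RELRO` is present but the GOT is still lazily bound, so `-Wl,-z,now` was not in effect for that binary.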