Am 29.03.2013 23:07, schrieb John Reiser: > On 03/29/2013, Reindl Harald wrote: > >>> -fPIE code is larger and takes longer to execute. The cost varies from >>> minimal (< 2%) in many cases to 10% or more for "non-dynamic" arrays on i686 >> >> i686 becomes more or less dead >> >> there could be made a difference in SPEC-files to in border >> cases only harden the x86_64 binaries because in context >> of servers i686 is already dead except legacy systems which >> are not relevant for recent fedora versions > > The usage of i686 user-mode software is *INCREASING*, especially on x86_64 machines > which run a 64-bit kernel. The same amount of physical RAM can support several > percent more simultaneous 32-bit user-mode processes before paging. 64-bit .text, > pointers, and longs are larger. Only a few applications need a 64-bit address space. > It will be many years before i686 user mode dies. the machines below are all installed 2008 this is five years ago the machines did load-peaks only a few people saw in real-life well many times and i rebuild ANY relevant package with PIE last year we bought a DL380 with 2 x Xeon E5-2640 and 92 GB RAM plus a additional CPU and 60 GB RAM for the other host by a price of around 8000 € and you will explain me that hacks like PAE are growing? [root@buildserver:~]$ distribute-command.sh "rpm -qa | grep x86_64 | wc -l; rpm -qa | grep i686 | wc -l" -------------------------------------------------------------------------- 896 0 411 0 335 0 279 0 283 0 368 0 217 0 218 0 344 0 342 0 237 0 239 0 399 0 335 0 344 0 895 0 279 0 283 0 368 0 >> * please do not argue with "but you need this and this AND this" >> the expierience of the last years shows how creative attackers >> are acting with RANDOM input data > > I'm arguing the total expected benefit (integral over time of estimated > exposure times expected prevented loss) versus actual cost (more machines, > RAM, heat, [avoided] latency). I'm not convinced that PIE+RELRO > is worth it except for a process with elevated privilege or extended lifetime. > > Please cite some documented cases where PIE and/or RELRO prevented or delayed > an actual loss, or signaled with sufficient warning to be useful. Meanwhile > I'm spending more each month to consume more resources because of PIE+RELRO this is a naive approach you CAN NOT measure a failed code-execution you can only measure a successful intrusion and that only if you take notice that it happened - looking in my firewall logs only a few people out there are in the position having the knowledge to notice intrusions on their machines
Attachment:
signature.asc
Description: OpenPGP digital signature
-- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
