Re: Expanding the list of "Hardened Packages"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Am 29.03.2013 23:07, schrieb John Reiser:
> On 03/29/2013, Reindl Harald wrote:
> 
>>> -fPIE code is larger and takes longer to execute.  The cost varies from
>>> minimal (< 2%) in many cases to 10% or more for "non-dynamic" arrays on i686
>>
>> i686 becomes more or less dead
>>
>> there could be made a difference in SPEC-files to in border
>> cases only harden the x86_64 binaries because in context
>> of servers i686 is already dead except legacy systems which
>> are not relevant for recent fedora versions
> 
> The usage of i686 user-mode software is *INCREASING*, especially on x86_64 machines
> which run a 64-bit kernel.  The same amount of physical RAM can support several
> percent more simultaneous 32-bit user-mode processes before paging.  64-bit .text,
> pointers, and longs are larger.  Only a few applications need a 64-bit address space.
> It will be many years before i686 user mode dies.

the machines below are all installed 2008
this is five years ago

the machines did load-peaks only a few people saw in real-life
well many times and i rebuild ANY relevant package with PIE

last year we bought a DL380 with 2 x Xeon E5-2640 and 92 GB RAM
plus a additional CPU and 60 GB RAM for the other host by a
price of around 8000 € and you will explain me that hacks like
PAE are growing?

[root@buildserver:~]$ distribute-command.sh "rpm -qa | grep x86_64 | wc -l; rpm -qa | grep i686 | wc -l"

--------------------------------------------------------------------------

896
0

411
0

335
0

279
0

283
0

368
0

217
0

218
0

344
0

342
0

237
0

239
0

399
0

335
0

344
0

895
0

279
0

283
0

368
0

>> * please do not argue with "but you need this and this AND this"
>>   the expierience of the last years shows how creative attackers
>>   are acting with RANDOM input data
> 
> I'm arguing the total expected benefit (integral over time of estimated
> exposure times expected prevented loss) versus actual cost (more machines,
> RAM, heat, [avoided] latency).  I'm not convinced that PIE+RELRO
> is worth it except for a process with elevated privilege or extended lifetime.
> 
> Please cite some documented cases where PIE and/or RELRO prevented or delayed
> an actual loss, or signaled with sufficient warning to be useful.  Meanwhile
> I'm spending more each month to consume more resources because of PIE+RELRO

this is a naive approach
you CAN NOT measure a failed code-execution

you can only measure a successful intrusion and that only if you
take notice that it happened - looking in my firewall logs only
a few people out there are in the position having the knowledge
to notice intrusions on their machines

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux