oss-sec mailing list archives
Vendor adoption of PIE INFO#934476 oss-security
From: "CERT(R) Coordination Center" <cert () cert org>
Date: Tue, 11 Feb 2014 16:37:21 -0500
Hi folks,

We had originally notified Linux vendors individually through our normal channels, but it has come to our attention that this could perhaps be a better forum to have a discussion about the topic.

We recently published a blog post about the state of ASLR/PIE on Linux compared to how it is on Windows:
<https://www.cert.org/blogs/certcc/post.cfm?EntryID=191>

tl;dr: On x86 Linux, there's a significant performance impact to PIE, however on the x86_64 platform it's not so clear whether the performance impact is significant enough to stop widespread use of PIE. This is where we are looking for input from the Linux vendors.

It has been reported <http://nebelwelt.net/publications/12TRpie/gccPIE-TR120614.pdf>:

2.4 PIE and x64
<snip>
...
"A quick evaluation for x64 reports an average overhead of 3.61% and a geometric mean of 2.34% for an -O3 optimization level on the same system using the "test" dataset of SPEC CPU2006."

For those environments that put a high value on security, it would seem that a 2-3% overhead might be acceptable. Though being a compile-time option, it would seem that the "faster" vs. "more secure" decision would need to be made ahead of time by the vendor. And obviously, one size does not fit all.

Thoughts? What is stopping you from enabling PIE for everything, at least on the x86_64 platform?

Thank you,
Will Dormann

=============================
Vulnerability Analyst
CERT Coordination Center
4500 Fifth Ave.
Pittsburgh, PA 15213
1-412-268-7090
=============================