selective MKPIE (proposal)

To: tech-security%netbsd.org@localhost
Subject: selective MKPIE (proposal)
From: Piotr Meyer <aniou%smutek.pl@localhost>
Date: Sun, 7 Nov 2010 13:44:57 +0100

According to various sources [1] enabling PIE, at least on x86,
results in 5%-10% performance hit. At this moment exists also 
known problem with ASLR-enabled binaries, linked with pthread 
library[2] (but entire system can be built with MKPIE=yes, hurray ;).

In my opinion changing MKPIE behaviour in following way may be
worthwile:

MKPIE=no   - don't build PIE at all (standard)
MKPIE=yes  - build entire system as PIE
MKPIE=some - build as PIE only selected programs [3]

All we need is simple change in share/mk/bsd.prog.mk, lines

.if defined(MKPIE) && (${MKPIE} != "no")
CFLAGS+=        ${PIE_CFLAGS}
AFLAGS+=        ${PIE_AFLAGS}
LDFLAGS+=       ${PIE_LDFLAGS}
.endif


should be replaced with something similar to:


.if defined(MKPIE) && (${MKPIE} == "some")
.for _prog in \
        sshd dhcpd test
.if defined(PROG) && (${PROG} == ${_prog})
CFLAGS+=        ${PIE_CFLAGS}
AFLAGS+=        ${PIE_AFLAGS}
LDFLAGS+=       ${PIE_LDFLAGS}
.endif
.endfor
.elif defined(MKPIE) && (${MKPIE} == "yes")
CFLAGS+=        ${PIE_CFLAGS}
AFLAGS+=        ${PIE_AFLAGS}
LDFLAGS+=       ${PIE_LDFLAGS}
.endif

- app list may be hardcoded or passed via variable. 



1 - No, I don't made my own tests and is possible that all notes
about PIE performance impact has roots in one, not-very-well
documented statement. It's Internet.

2 - http://mail-index.netbsd.org/current-users/2010/09/07/msg014263.html
    and rest of thread

3 - Example list of PIE-built apps from UBUNTU:
    https://wiki.ubuntu.com/Security/Features#pie


-- 
Piotr 'aniou' Meyer

Prev by Date: Re: SA2010-011: why update libcrypto and librcypt?
Next by Date: kernel event auditing for NetBSD?
Previous by Thread: SA2010-011: why update libcrypto and librcypt?
Next by Thread: kernel event auditing for NetBSD?
Indexes:

Home | Main Index | Thread Index | Old Index