oss-sec mailing list archives
Automatic binary hardening with Autoconf
From: Solar Designer <solar () openwall com>
Date: Tue, 15 May 2012 05:33:14 +0400
Hi,

I'd like this sort of topics to be brought up in here, so I'll start by referring to some blog posts. Here's an interesting one by Keegan McAllister:

http://mainisusuallyafunction.blogspot.com/2012/05/automatic-binary-hardening-with.html

This suggests (and shows how) individual programs that use autoconf may automatically enable the usual set of compile-time hardening settings that are otherwise normally provided by builds for/by/on hardened distros only. This is not rocket science, yet the provided examples may be reused and it may become a trend.

Also interesting are the performance impact numbers (up to 30%), which are far worse than those I've seen posted before (up to 5.8%):

http://d-sbd.alioth.debian.org/www/?page=pax_pie

Perhaps this has to do with the specific code being protected and benchmarked (some crypto code in Mosh?)

http://mosh.mit.edu

An edit to this comment:

https://github.com/keithw/mosh/issues/79#issuecomment-4683789

says that the impact is less with Ubuntu 12.04's GCC 4.6.3 - but I think this may be because Ubuntu's GCC has some of the hardening enabled by default (so its baseline performance is worse, not the impact is less).

Alexander
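
The approach the message refers to, as an added example that is not part of the original post and is not taken from the linked blog post or from Mosh: a configure.ac fragment that probes each hardening flag and enables only the ones the toolchain accepts. The flag set, the HARDEN_* variable names and the --disable-hardening switch are assumptions made for this example; the message itself does not list the flags.

```m4
dnl configure.ac fragment. AX_CHECK_COMPILE_FLAG and AX_CHECK_LINK_FLAG
dnl come from the GNU Autoconf Archive.
dnl HARDEN_* and --disable-hardening are names assumed for this example.
AC_ARG_ENABLE([hardening],
  [AS_HELP_STRING([--disable-hardening],
    [do not add compile-time hardening flags])],
  [enable_hardening="$enableval"],
  [enable_hardening="yes"])

HARDEN_CFLAGS=""
HARDEN_LDFLAGS=""

AS_IF([test "x$enable_hardening" != "xno"], [
  dnl Probe with -Werror so a compiler that only warns about an
  dnl unknown option is treated as not supporting it.
  AX_CHECK_COMPILE_FLAG([-fstack-protector-all],
    [HARDEN_CFLAGS="$HARDEN_CFLAGS -fstack-protector-all"], [], [-Werror])

  dnl _FORTIFY_SOURCE is a libc feature macro and needs optimization enabled.
  HARDEN_CFLAGS="$HARDEN_CFLAGS -D_FORTIFY_SOURCE=2"

  dnl PIE needs both halves: position-independent objects and a -pie link.
  dnl Enable it only if both probes pass.
  AX_CHECK_COMPILE_FLAG([-fPIE], [
    AX_CHECK_LINK_FLAG([-pie], [
      HARDEN_CFLAGS="$HARDEN_CFLAGS -fPIE"
      HARDEN_LDFLAGS="$HARDEN_LDFLAGS -pie"
    ], [], [-fPIE])
  ], [], [-Werror])

  dnl Read-only relocations and immediate binding protect the GOT.
  AX_CHECK_LINK_FLAG([-Wl,-z,relro],
    [HARDEN_LDFLAGS="$HARDEN_LDFLAGS -Wl,-z,relro"])
  AX_CHECK_LINK_FLAG([-Wl,-z,now],
    [HARDEN_LDFLAGS="$HARDEN_LDFLAGS -Wl,-z,now"])
])

AC_SUBST([HARDEN_CFLAGS])
AC_SUBST([HARDEN_LDFLAGS])
AC_MSG_NOTICE([hardening CFLAGS: $HARDEN_CFLAGS])
AC_MSG_NOTICE([hardening LDFLAGS: $HARDEN_LDFLAGS])
```

In Makefile.am the results would be applied with AM_CFLAGS = $(HARDEN_CFLAGS) and AM_LDFLAGS = $(HARDEN_LDFLAGS). Building once with and once without --disable-hardening gives the two binaries needed to measure the performance impact on a given compiler.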