oss-sec mailing list archives

Automatic binary hardening with Autoconf


From: Solar Designer <solar () openwall com>
Date: Tue, 15 May 2012 05:33:14 +0400

Hi,

I'd like this sort of topic to be brought up in here, so I'll start by
referring to some blog posts.

Here's an interesting one by Keegan McAllister:

http://mainisusuallyafunction.blogspot.com/2012/05/automatic-binary-hardening-with.html

This suggests (and shows how) individual programs that use autoconf may
automatically enable the usual set of compile-time hardening settings
that are otherwise normally provided by builds for/by/on hardened
distros only.  This is not rocket science, yet the provided examples may
be reused and it may become a trend.

Also interesting are the performance impact numbers (up to 30%), which
are far worse than those I've seen posted before (up to 5.8%):

http://d-sbd.alioth.debian.org/www/?page=pax_pie

Perhaps this has to do with the specific code being protected and
benchmarked (some crypto code in Mosh?)  http://mosh.mit.edu

An edit to this comment:

https://github.com/keithw/mosh/issues/79#issuecomment-4683789

says that the impact is less with Ubuntu 12.04's GCC 4.6.3 - but I think
this may be because Ubuntu's GCC has some of the hardening enabled by
default (so its baseline performance is worse, rather than the impact
being less).

Alexander
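
As an added illustration (not taken from this post or from the blog post it links), here is a configure.ac fragment of the kind the post refers to: it probes the toolchain for each of the usual hardening flags and keeps only the ones that compile and link. The macro name HARDEN_TRY and the HARDEN_CFLAGS/HARDEN_LDFLAGS variables are names chosen for this example.

```m4
dnl configure.ac (example): enable hardening flags that the toolchain accepts.
AC_INIT([myprog], [0.1])
AC_PROG_CC

dnl HARDEN_TRY([cflags], [ldflags]): link a trivial program with the extra
dnl flags appended; on success, append them to HARDEN_CFLAGS/HARDEN_LDFLAGS
dnl (both names are chosen for this example). CFLAGS/LDFLAGS are restored
dnl afterwards so one failed probe cannot poison the next one.
AC_DEFUN([HARDEN_TRY], [
  AC_MSG_CHECKING([whether $CC accepts $1 $2])
  harden_save_CFLAGS="$CFLAGS"; harden_save_LDFLAGS="$LDFLAGS"
  CFLAGS="$CFLAGS $1"; LDFLAGS="$LDFLAGS $2"
  AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <stdio.h>]],
                                  [[puts("hardening probe"); return 0;]])],
    [AC_MSG_RESULT([yes])
     HARDEN_CFLAGS="$HARDEN_CFLAGS $1"; HARDEN_LDFLAGS="$HARDEN_LDFLAGS $2"],
    [AC_MSG_RESULT([no])])
  CFLAGS="$harden_save_CFLAGS"; LDFLAGS="$harden_save_LDFLAGS"
])

HARDEN_CFLAGS=""; HARDEN_LDFLAGS=""
dnl Stack canaries: GCC and clang reject the option outright if unsupported.
HARDEN_TRY([-fstack-protector], [])
dnl _FORTIFY_SOURCE only checks anything at -O1 or above, so the probe
dnl (and the resulting flags) carry -O2 with it.
HARDEN_TRY([-O2 -D_FORTIFY_SOURCE=2], [])
dnl PIE needs the compile flag and the link flag together.
HARDEN_TRY([-fPIE], [-pie])
dnl Caveat: GNU ld only warns on unknown -z options, so on a linker that
dnl lacks relro/now these probes still pass and the flags are no-ops.
HARDEN_TRY([], [-Wl,-z,relro])
HARDEN_TRY([], [-Wl,-z,now])

AC_SUBST([HARDEN_CFLAGS])
AC_SUBST([HARDEN_LDFLAGS])
AC_CONFIG_FILES([Makefile])
AC_OUTPUT
```

In Makefile.am the probed flags are then picked up with `AM_CFLAGS = $(HARDEN_CFLAGS)` and `AM_LDFLAGS = $(HARDEN_LDFLAGS)`.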

