Ticket #1113 (closed task: wontfix)
Using PIE by default on AMD64
Reported by: halfie
http://fedoraproject.org/wiki/Hardened_Packages page mentions that "FESCo requires some packages to use PIE and relro hardening by default."
I am proposing that hardening flags (including PIE and RELRO) should be turned on by *default* for *all* packages on AMD64.
- https://wiki.ubuntu.com/Security/Features says "PIE on x86_64 does not have the same penalties, and will eventually be made the default, but more testing is required."
What about Fedora taking the lead on this one?
"Position-independent executables (PIE) are now used by default on alpha, amd64, hppa, landisk, loongson, sgi and sparc64."
I wish Fedora did the same on AMD64.
- Addressing concerns mentioned in https://fedorahosted.org/fesco/ticket/1104
"PIE disables use of prelink - so this is another performance impact on startup. On the other hand we should evaluate the impact of non-prelinked vs. prelinked startup time on modern computers, maybe it is no longer much relevant"
Please see http://people.redhat.com/~gmurphy/files/pie.odt for such an evaluation.
In short: "... the average delay of a PIE application over a non-PIE application was significantly below perceivable threshold."
"I guess PIE has some impact on performance. Therefore I'd rather use PIE on limited list of packages. Databases might be a good addition into the current group."
ftp://ftp.inf.ethz.ch/doc/tech-reports/7xx/766.pdf mentions an average overhead of 3.6% on AMD64 (x64) which is not too bad (considering the benefits it provides).
I was able to independently verify some of the numbers present in this paper by using "unSPEC" (https://github.com/kholia/unSPEC).
FWIW, Ubuntu has been shipping PIE-enabled Firefox for years now: https://bugs.launchpad.net/ubuntu/+source/xulrunner-1.9.1/+bug/507744 I repeated the benchmarks (mentioned in the above bug report) for Firefox 20.0 running on Fedora 18 64-bit.
I recommend running your own independent benchmarks to confirm this.
Similarly, there are no performance regressions (after enabling PIE) even in popular CPU intensive applications like Gimp and MongoDB.
Furthermore, large programs do the bulk of their computations in application-specific DSOs already. This applies to Firefox, among others. httpd is another example which already uses zlib and OpenSSL DSOs to do (CPU intensive) operations like compression and encryption.
- https://fedorahosted.org/fesco/ticket/1104#comment:14 https://fedorahosted.org/fesco/ticket/1104#comment:17 and https://fedorahosted.org/fesco/ticket/1104#comment:10
"I'm not sure that in the study above the non-PIE binaries were prelinked or not. Also it would be more interesting to see the result for bigger desktop applications like LibreOffice, Firefox, Evolution."
http://en.wikipedia.org/wiki/Prelink mentions "Jakub Jelínek points out that position independent executables ignore prelinking on Red Hat Enterprise Linux and Fedora Core, and recommends that network and SUID programs be built PIE to facilitate a more secure environment."
In short, "... the average delay of a PIE application over a non-PIE application was significantly below perceivable threshold". Please note that "position independent executables ignore prelinking on Red Hat Enterprise Linux and Fedora Core", so the numbers presented in Grant's report should be good as they are.
I can do more benchmarks and analysis if required. What else do you think is needed from my side to move this ticket forward?
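As an added example (not part of this ticket and not Fedora's own tooling), the check a packager would run on a built binary to confirm that the PIE and RELRO flags discussed above actually took effect: it reads the ELF64 header, program headers and dynamic section directly, so it needs nothing beyond the standard library. The `build_elf` helper constructs a minimal sample image purely to exercise the checker.

```python
import struct
import sys
# ELF constants as defined in the ELF spec and glibc's elf.h
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def check_hardening(data: bytes) -> dict:
    """PIE: e_type is ET_DYN (shared objects are ET_DYN too, so a full audit also confirms
    the file is an executable). RELRO: 'partial' needs PT_GNU_RELRO, 'full' also BIND_NOW."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro = bind_now = False
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        p_type = struct.unpack_from("<I", data, ph)[0]
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            p_offset = struct.unpack_from("<Q", data, ph + 8)[0]
            p_filesz = struct.unpack_from("<Q", data, ph + 32)[0]
            # walk the Elf64_Dyn entries (16 bytes each) until DT_NULL
            for d in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", data, d)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                        or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                    bind_now = True
    return {"pie": e_type == ET_DYN,
            "relro": "full" if relro and bind_now else "partial" if relro else "none"}

def build_elf(e_type: int, relro: bool, dyn_entries: list) -> bytes:
    """Constructed sample: minimal ELF64 headers plus dynamic entries, not a loadable program."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    phdrs = [(PT_GNU_RELRO, 0, 0)] if relro else []
    dyn_off = 64 + 56 * (len(phdrs) + 1)  # ELF header + every program header
    phdrs.append((PT_DYNAMIC, dyn_off, len(dyn)))
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    phdr_bytes = b"".join(struct.pack("<IIQQQQQQ", t, 0, off, 0, 0, sz, sz, 8) for t, off, sz in phdrs)
    return ehdr + phdr_bytes + dyn

if __name__ == "__main__":  # usage: python pie_check.py /path/to/binary ...
    for path in sys.argv[1:]:
        print(path, check_hardening(open(path, "rb").read()))
```

On a real system the same classification can be cross-checked with `readelf -h` (Type: DYN) and `readelf -l`/`readelf -d` (GNU_RELRO segment, BIND_NOW flag).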