From Fedora Project Wiki
Revision as of 16:10, 7 January 2015

Harden all packages with position-independent code

Summary

Harden all packages with position-independent code to limit the damage from certain security vulnerabilities.

Owner

  • Name: Till Maas | Moez Roy
  • Email: opensource@till.name | moez.roy@gmail.com
  • Release notes owner:

Current status

  • Targeted release: Fedora 22
  • Last updated: 2014-12-13
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

Currently, the Packaging Guidelines allow maintainers to decide whether their packages use position-independent code (PIC). There are rules that say that a lot of packages should use PIC, but in reality a lot of packages do not use PIC even though they must. Also, since a lot of packages, if not all, potentially process untrusted input, it makes sense for these packages to use PIC to enhance the security of Fedora. Therefore I propose to build all packages with PIC by changing RPM to use the appropriate flags by default.

References:

Benefit to Fedora

Packages in Fedora will be more secure than in other distributions or packages provided by upstream. Therefore our users are less likely to become victims of attacks. Fedora will use more state-of-the-art security mechanisms to fulfill its First and Features foundations.

Runtime costs: Using PIC or PIE code tends to reduce the benefits of pre-linking. If the actual placement at runtime of a PIC/PIE module differs from the pre-linked placement, then any speed benefit of pre-linking is lost, and in many cases there is an additional speed penalty because all entries in the relocation table (not just the ones actually used by the current process) must be un-prelinked when the module is initialized. Also, there is a space cost: the runtime relocation table will be altered, so at least one page per module can no longer be shared with other processes. Some programs use hundreds of shared libraries, so the cost can be in the range of megabytes of RAM for that instance. The speed cost typically is not noticeable by humans (0.3 seconds or less) although one report says gzip saw 3.6% longer startup. The space cost may be important for systems with small RAM or very many processes.

Scope

  • Proposal owners:

Help writing the new packaging guidelines.

  • Other developers:

Change the rpm macros to build packages by default with PIC/PIE flags (i.e. set _hardened_package to 1 by default).

  • Release engineering:

Do a mass rebuild for all arch packages

  • Policies and guidelines:

Adjust the Packaging Guidelines to allow non-PIC packages only if the package is not working otherwise and require a tracker bug similar to packages not working on certain archs. Update the Guidelines to reflect the new defaults.

Upgrade/compatibility impact

This should not cause problems with upgrades.

How To Test

  1. Running checksec should always report only: Full RELRO, Canary found, NX enabled, PIE enabled, No RPATH, No RUNPATH. Otherwise a tracking bug should exist for the respective package.
  2. All packages need to be tested as usual for normal behaviour.
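As an added example (not part of this Fedora page and not the checksec tool itself), the script below reads the ELF64 headers and dynamic section directly to answer four of the six checksec lines listed above: PIE, NX, RELRO and RPATH/RUNPATH; the canary check needs a symbol-table lookup and is left to checksec. It assumes little-endian ELF64 input, and build_sample_elf constructs a minimal sample image so the check runs without a real binary.

```python
import struct

ET_DYN, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO, PF_X = 3, 2, 0x6474E551, 0x6474E552, 1  # from elf.h
DT_NULL, DT_RPATH, DT_BIND_NOW, DT_RUNPATH = 0, 15, 24, 29
DT_FLAGS, DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 30, 0x6FFFFFFB, 0x8, 0x1

def inspect_elf(data: bytes) -> dict:
    """Report PIE, NX, RELRO and RPATH/RUNPATH state of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled in this example")
    e_type, e_phoff = struct.unpack_from("<H", data, 16)[0], struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx, relro, dyn = False, "none", {}  # no PT_GNU_STACK header at all means an executable stack
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = "partial"
        elif p_type == PT_DYNAMIC:  # collect d_tag -> d_val entries up to DT_NULL
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                dyn[tag] = val
    bind_now = DT_BIND_NOW in dyn or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW
    if relro == "partial" and bind_now:  # RELRO segment plus immediate binding is what checksec calls Full RELRO
        relro = "full"
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro,
            "rpath": DT_RPATH in dyn, "runpath": DT_RUNPATH in dyn}

def is_hardened(report: dict) -> bool:
    """True when the report matches the checksec line this Change expects (canary is not checked here)."""
    return report["pie"] and report["nx"] and report["relro"] == "full" and not (report["rpath"] or report["runpath"])

def build_sample_elf(pie=True, exec_stack=False, relro="full", runpath=False) -> bytes:
    """Constructed minimal ELF64 image (headers and a dynamic section only; it is not loadable)."""
    tags = ([(DT_FLAGS, DF_BIND_NOW)] if relro == "full" else []) \
        + ([(DT_RUNPATH, 0)] if runpath else []) + [(DT_NULL, 0)]
    phdrs = [(PT_GNU_STACK, 6 | (PF_X if exec_stack else 0)), (PT_DYNAMIC, 6)]
    phdrs += [(PT_GNU_RELRO, 4)] if relro != "none" else []
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in tags)
    dyn_off = 64 + 56 * len(phdrs)  # dynamic entries follow the ELF header and program headers
    hdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, dyn_off if t == PT_DYNAMIC else 0, 0, 0,
                                len(dyn) if t == PT_DYNAMIC else 0, 0, 8) for t, f in phdrs)
    return hdr + body + dyn
```

To inspect a real package binary, read it with open(path, "rb").read() and pass the bytes to inspect_elf; a package whose report fails is_hardened is the case the tracking-bug rule above is meant for.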

User Experience

Fedora users might notice fewer successful attacks on their systems.

Dependencies

The rpm macros for Fedora need to be adjusted. Prelink might be retired.

Contingency Plan

  • Contingency mechanism: Rebuild packages that do not work because of this without PIC. If there are too many packages, do a mass rebuild again without PIC for all arch packages.
  • Contingency deadline: If no mass rebuild is needed, individual packages can be rebuilt at any time. Otherwise mass rebuild time.
  • Blocks release? No

Documentation

The current packaging guidelines can be consulted.


Release Notes

Fedora now hardens as many packages as possible with position-independent code to reduce the impact of certain potential security vulnerabilities.