From: Matthew Thode (prometheanfire)
Date: Wed, 1 Feb 2012 11:33:25 -0600
To: gentoo-dev@lists.gentoo.org
Cc: blueness@gentoo.org
Subject: Re: [gentoo-dev] Can we get PIE on all SUID binaries by default, por favor?

On Tue, 31 Jan 2012 19:58:32 -0500 "Anthony G. Basile" wrote:

> On 01/29/2012 02:14 PM, Mike Frysinger wrote:
> > On Saturday 28 January 2012 07:26:59 Anthony G. Basile wrote:
> >> I've run nbench on two amd64 systems both running the same kernel
> >> vanilla-3.2.2.
> > i don't think nbench is a good benchmark for this as it isn't
> > really testing what you think it's testing.  it's very good at
> > validating math support in the ISA/ABI, optimized compiler output,
> > and supplementary math implementations in libgcc.  PIE vs non-PIE
> > will still be able to multiply/divide in pretty much the same
> > amount of time.
>
> I know, but the problem is, what benchmark best approximates common
> every day use?  So I wrote the following which really hits the
> problem hard on x86:
>
> int modfac(int n)
> {
>     if(n==0) return 1;
>     return n * modfac(n-1);
> }
>
> int main()
> {
>     int i;
>     for( i = 0 ; i < 4096*4096 ; i++ ) modfac(4096);
>     return 0;
> }
>
> Using vanilla kernel 3.2.2, userland built with vanilla toolchain,
> gcc-4.5.3-r1, glibc-2.13-r4, binutils-2.21.1-r1, compiling my code
> simply as gcc -o test modfac.c, CFLAGS="-O2 -march=i686 -pipe" I get:
>
> time -p ./test
> real 327.89
> user 327.72
> sys 0.00
>
> Keep everything else the same, even the same hardware, but switch to
> userland built with hardened gcc-4.5.3-r2 (not -r1 because of the bus
> error), I get:
>
> time -p ./test
> real 629.68
> user 629.37
> sys 0.00
>
> The hardware is 8 x "Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz" with 12
> GB ram.  That's nearly a factor of 2x but how often does one set up
> 4k stack frames in everyday use?
>
> >> So at least on amd64, I don't think that performance is ever an
> >> issue.
> > yes, most likely on systems where the PIC has hardware support in
> > the ISA, the performance hit on PIE is typically low.
> >
> >> I have yet to look at x86.
> > pretty sure this is going to be much more palpable.
> > -mike
>
>

Vanilla userland is simply a stage3 chroot amd64.

hardened kernel/userland
real 5m43.402s
user 5m42.510s
sys 0m0.002s

hardened kernel/vanilla gcc
real 5m29.271s
user 5m28.417s
sys 0m0.003s

hardened kernel/vanilla userland
real 5m29.495s
user 5m28.599s
sys 0m0.030s

vanilla all (disabled pax and grsec on hardened kernel, compiled kernel
with hardened gcc)
real 5m34.861s
user 5m33.981s
sys 0m0.001s

i686 cflag test, vanilla all
CFLAGS="-O2 -march=i686 -pipe" gcc modfac.c -o vv-moddfac
real 5m42.171s
user 5m41.176s
sys 0m0.092s

CPU: Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz
RAM: 16G

-- 
Matthew Thode (prometheanfire)
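
The timings in this message only compare PIE against non-PIE if each test binary really was linked the way its toolchain label suggests. The following is an added example, not code from the thread or from Gentoo: it reads the ELF header and reports ET_EXEC (fixed load address) versus ET_DYN (position independent; for an executable that means PIE, though shared objects carry the same type), plus the set-uid bit. The names classify_elf and audit_file are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <sys/stat.h>

enum elf_kind { NOT_ELF = 0, FIXED_EXEC = 1, POSITION_INDEPENDENT = 2, OTHER_ELF = 3 };

/* Classify from the first 18 bytes: e_ident[16] followed by e_type.
 * e_type is at offset 16 in both ELF32 and ELF64; only byte order varies. */
enum elf_kind classify_elf(const unsigned char *hdr, size_t len)
{
    if (len < 18 || memcmp(hdr, "\177ELF", 4) != 0)
        return NOT_ELF;
    uint16_t e_type;
    if (hdr[5] == 1)                      /* EI_DATA: ELFDATA2LSB */
        e_type = (uint16_t)(hdr[16] | (hdr[17] << 8));
    else if (hdr[5] == 2)                 /* EI_DATA: ELFDATA2MSB */
        e_type = (uint16_t)((hdr[16] << 8) | hdr[17]);
    else
        return NOT_ELF;
    if (e_type == 2) return FIXED_EXEC;            /* ET_EXEC: non-PIE */
    if (e_type == 3) return POSITION_INDEPENDENT;  /* ET_DYN: PIE or .so */
    return OTHER_ELF;
}

/* Returns an elf_kind for the file at path, or -1 on I/O error.
 * *suid is set to 1 when the set-uid bit is present in the file mode. */
int audit_file(const char *path, int *suid)
{
    unsigned char hdr[18];
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    *suid = (st.st_mode & S_ISUID) != 0;
    return (int)classify_elf(hdr, n);
}

int main(int argc, char **argv)
{
    static const char *label[] = { "not ELF", "ET_EXEC (non-PIE)", "ET_DYN (PIE or shared object)", "other ELF" };
    for (int i = 1; i < argc; i++) {
        int suid = 0, k = audit_file(argv[i], &suid);
        if (k < 0) { perror(argv[i]); continue; }
        printf("%s: %s%s\n", argv[i], label[k], suid ? ", set-uid" : "");
    }
    return 0;
}
```

Passing it the paths printed by `find / -xdev -perm -4000 -type f` shows which set-uid binaries on a system are still ET_EXEC.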