[OpenWrt-Devel] [PATCH] build: Activate ASLR PIE by default
Daniel Engberg
daniel.engberg.lists at pyret.net
Wed Feb 13 19:10:36 EST 2019
Hi,
PIE adds overhead (it can be quite a bit) both to binary size and
performance during execution. There are usually discussions about
kilobytes and this is well beyond that and space is still quite
precious on 8/16Mbyte flash devices. Most target platforms are
"slow" and have limited space to begin with, ASLR and PIE won't help.
https://nebelwelt.net/publications/files/12TRpie.pdf
Far from all supported platforms have NX-bit or equivalent, which makes it,
as I understand it, less effective?
https://www.vusec.net/projects/anc/
Effectiveness using vanilla Linux kernel seems to be questionable?
https://wiki.archlinux.org/index.php/security#Userspace_ASLR_comparison
https://en.wikipedia.org/wiki/Grsecurity#PaX
Interesting discussion about ASLR PIE in general here:
http://lists.dragonflybsd.org/pipermail/users/2017-April/335158.html
Debian seems to cherry-pick applications
https://wiki.debian.org/Hardening
Perhaps the best solution would be to provide two images, one with ASLR
and one without?
Best regards,
Daniel
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel