Comment 6 for bug 1340488

Sergey "Shnatsel" Davidoff (shnatsel) wrote :

> If you are from the Ubuntu team then you make them look good.

If I were, I'd just go talk to them instead of telling you to do that! Also, I hope the folks in there are more competent than I am.

As for stack protection, it doesn't seem like we can use "-fstack-protector-strong" in Freya (Ubuntu 14.04 derivative). Despite it shipping GCC 4.8.2 I get an "unrecognized option" error when I pass "-fstack-protector-strong".
For the record I pass "-fno-stack-protector" before it to disable the *regular* stack protector so I can enable -strong or -all instead (known Ubuntu/GCC quirk).

I have added -fstack-protector-all to Files and Midori as an experiment. Files is potentially networked and has been known to be crashy before. Midori presents a viable attack surface and the Midori process should not call functions at rates so insane as to make stack canaries noticeable (webkit2 has every tab in its own process). Let's see if we get any performance complaints!

But as I said, stack canaries in prebuilt binaries in such a dominant distro as Ubuntu are not really useful, so this is the last thing I would require Ubuntu to implement out of this list. Current stack canaries are basically security through obscurity of your build. Now if the canaries were randomly generated for each machine and/or reseeded periodically...

Regarding PIE:

> RedHat has published their own informal benchmarks:
Red Hat has just measured sudo which is not a representative case. More stuff please!

Wikipedia states that not all C code is compatible with it (AFAIK that's true) and I've also seen generally PIE-compatible stuff fail to build on weird-er platforms or architectures. So I would not blame Ubuntu if they didn't enable it by default over that concern.

RELRO:

Great, measure it! Ideally, in addition to a reasonably modern med-end CPU that I'm pretty sure you have (they haven't really evolved since 2008 and are pretty overpowered, so do not provide much evidence) you should try something like a netbook or NUC with Atom. You might get more measurable difference there, and if you don't, that's a much more convincing result because these things are consistently CPU-underpowered.

DNSCrypt's AppArmor:

Same here dude, same here!

Conclusion:

Thanks for bringing this to my attention and for all the detailed writeups. It's people like you that change the world!
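The flag probe and the post-build checks the comment talks about (does the compiler accept -fstack-protector-strong, and did the canary, PIE and RELRO/BIND_NOW settings actually land in the ELF), as an added shell example that is not from this bug thread. It assumes gcc (or $CC) and binutils readelf are installed and builds a small constructed probe.c.

```shell
#!/bin/sh
# Added example, not from the bug comment: probe which stack-protector flag the
# local compiler accepts and verify from the built ELF that each hardening
# (canary, PIE, RELRO/BIND_NOW) actually landed. Assumes gcc and readelf.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed probe program: a used stack buffer, so plain/-strong/-all
# stack protector all instrument main().
cat > "$WORK/probe.c" <<'EOF'
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv) {
    char buf[16] = "";
    if (argc > 1) { strncpy(buf, argv[1], sizeof buf - 1); }
    puts(buf);
    return 0;
}
EOF

# Returns 0 if the compiler accepts flag $1. -fno-stack-protector goes first to
# undo the distro default (the Ubuntu/GCC quirk in the comment); GCC 4.8.2
# reports -fstack-protector-strong as unrecognized, GCC 4.9+ accepts it.
cc_accepts() {
    ${CC:-gcc} -fno-stack-protector "$1" -c "$WORK/probe.c" -o "$WORK/a.o" >/dev/null 2>&1
}

# build OUT FLAGS...: compile probe.c with the given hardening flags.
build() { out=$1; shift; ${CC:-gcc} -O2 "$@" "$WORK/probe.c" -o "$out" >/dev/null 2>&1; }

# Canaries: an instrumented binary references __stack_chk_fail.
has_canary()   { readelf -s "$1" | grep -q '__stack_chk_fail'; }
# PIE: ELF type DYN instead of EXEC.
is_pie()       { readelf -h "$1" | grep -q 'Type:[[:space:]]*DYN'; }
# RELRO: a GNU_RELRO segment; "full" RELRO additionally needs BIND_NOW.
has_relro()    { readelf -l "$1" | grep -q 'GNU_RELRO'; }
has_bind_now() { readelf -d "$1" | grep -Eq 'BIND_NOW|Flags:.*NOW'; }

# report BIN: one line per hardening, the check a packager runs on a build.
report() {
    for chk in has_canary is_pie has_relro has_bind_now; do
        if $chk "$1"; then printf '%-13s yes\n' "$chk"; else printf '%-13s no\n' "$chk"; fi
    done
}

# Usage: probe the flag the comment could not use, then compare two builds.
if cc_accepts -fstack-protector-strong; then echo "-fstack-protector-strong: accepted"
else echo "-fstack-protector-strong: unrecognized (fall back to -fstack-protector-all)"; fi
build "$WORK/soft" -fno-stack-protector -Wl,-z,norelro
build "$WORK/hard" -fno-stack-protector -fstack-protector-all -fPIE -pie -Wl,-z,relro,-z,now
echo "soft build:"; report "$WORK/soft"
echo "hard build:"; report "$WORK/hard"
```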