HEADS-UP: PIE enabled by default on main
Konstantin Belousov
kostikbel at gmail.com
Sun Feb 28 00:47:22 UTC 2021
On Fri, Feb 26, 2021 at 08:32:26PM +0100, Gordon Bergling wrote:
> On Fri, Feb 26, 2021 at 08:57:55PM +0200, Konstantin Belousov wrote:
> > On Fri, Feb 26, 2021 at 07:34:03PM +0100, Gordon Bergling wrote:
> > > On Thu, Feb 25, 2021 at 03:58:07PM -0500, Ed Maste wrote:
> > > > As of 9a227a2fd642 (main-n245052) base system binaries are now built
> > > > as position-independent executable (PIE) by default, for 64-bit
> > > > architectures. PIE executables are used in conjunction with address
> > > > randomization as a mitigation for certain types of security
> > > > vulnerabilities.
> > > >
> > > > If you track -CURRENT and normally build WITHOUT_CLEAN you'll need to
> > > > do one initial clean build -- either run `make cleanworld` or set
> > > > WITH_CLEAN=yes.
> > > >
> > > > No significant user-facing changes are expected from this change, but
> > > > there are some minor ones. For example, `file` will indicate that
> > > > binaries are PIE by reporting something like `ELF 64-bit LSB pie
> > > > executable` rather than `ELF 64-bit LSB executable`. Also, for most
> > > > workloads no notable performance impact is expected.
> > > >
> > > > For almost all ports this should result in no change. There are a
> > > > small number of ports that use base system /usr/share/mk
> > > > infrastructure and thus inherit the base system default, and some of
> > > > those initially failed to build. Those found during an exp-run in
> > > > PR253275 have been addressed or have patches waiting.
> > > >
> > > > Please watch out for any new issues after you next update the base
> > > > system and/or ports, and report issues via a Bugzilla PR or in reply
> > > > here.
> > >
> > > Thats a huge step forward in terms on security.
> > Can you explain why?
> >
> > Thanks.
>
> I can try. Enabling PIE for every 64bit architecture is in that matter a step
> forward in security as it enables ASLR for further adoption.
But isn't it well-known that ASLR/ASR/any-related-buzzwork does not add
any security, except imaginary? The only purpose of it is to have a
check-list item ticked green.
You clearly should mean something useful and much more important than that,
when stating that FreeBSD made a huge step forward. So I want to be aware
of the advance.
More information about the freebsd-current
mailing list