[OpenWrt-Devel] build: Activate ASLR PIE by default

Message ID 20190213221541.10882-1-hauke@hauke-m.de
State New
Delegated to: Hauke Mehrtens
Series
  • [OpenWrt-Devel] build: Activate ASLR PIE by default

Commit Message

Hauke Mehrtens Feb. 13, 2019, 10:15 p.m. UTC
This will build all executables as Position Independent Executables (PIE)
by default. PIE executables can make full use of Address Space Layout
Randomization (ASLR) because all sections can be placed at random
offsets of the executed program. This makes it harder to exploit bugs
in our binaries.

This will increase the size of executables; libraries are already built
position independent and their size will not change.

This increases the size of the resulting images by about 3% on MIPS BE.
I tested this with the default configuration for the lantiq xrx200
target.

The size of the initramfs binaries increased by 2.88%:
Without PIE:
5.303.716 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin
With PIE:
5.456.339 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin

With PIE activated the executables are getting bigger; here are some
examples from the lantiq mips_24kc target:

Without PIE:
112.309 /bin/opkg
299.061 /bin/busybox
456.549 /usr/sbin/wpad

With PIE:
142.496 /bin/opkg       (26.87% increase)
388.404 /bin/busybox    (29.87% increase)
580.128 /usr/sbin/wpad  (27.06% increase)

With PIE activated the sections of the binaries are loaded at
different offsets for each program instance, as shown here:

root@OpenWrt:/# cat /proc/self/maps
555c4000-55622000 r-xp 00000000 00:02 1030       /bin/busybox
55631000-55632000 r-xp 0005d000 00:02 1030       /bin/busybox
55632000-55633000 rwxp 0005e000 00:02 1030       /bin/busybox
55633000-55634000 rwxp 00000000 00:00 0
77ee2000-77f04000 r-xp 00000000 00:02 331        /lib/libgcc_s.so.1
77f04000-77f05000 r-xp 00012000 00:02 331        /lib/libgcc_s.so.1
77f05000-77f06000 rwxp 00013000 00:02 331        /lib/libgcc_s.so.1
77f06000-77f9a000 r-xp 00000000 00:02 329        /lib/libc.so
77fa9000-77fab000 rwxp 00093000 00:02 329        /lib/libc.so
77fab000-77fad000 rwxp 00000000 00:00 0
7fb26000-7fb47000 rw-p 00000000 00:00 0          [stack]
7fefb000-7fefc000 r-xp 00000000 00:00 0
7ff0a000-7ff0b000 r--p 00000000 00:00 0          [vvar]
7ff0b000-7ff0c000 r-xp 00000000 00:00 0          [vdso]
root@OpenWrt:/# cat /proc/self/maps
5561d000-5567b000 r-xp 00000000 00:02 1030       /bin/busybox
5568a000-5568b000 r-xp 0005d000 00:02 1030       /bin/busybox
5568b000-5568c000 rwxp 0005e000 00:02 1030       /bin/busybox
5568c000-5568d000 rwxp 00000000 00:00 0
77e8e000-77eb0000 r-xp 00000000 00:02 331        /lib/libgcc_s.so.1
77eb0000-77eb1000 r-xp 00012000 00:02 331        /lib/libgcc_s.so.1
77eb1000-77eb2000 rwxp 00013000 00:02 331        /lib/libgcc_s.so.1
77eb2000-77f46000 r-xp 00000000 00:02 329        /lib/libc.so
77f55000-77f57000 rwxp 00093000 00:02 329        /lib/libc.so
77f57000-77f59000 rwxp 00000000 00:00 0
7fd1c000-7fd3d000 rw-p 00000000 00:00 0          [stack]
7fefb000-7fefc000 r-xp 00000000 00:00 0
7ff60000-7ff61000 r--p 00000000 00:00 0          [vvar]
7ff61000-7ff62000 r-xp 00000000 00:00 0          [vdso]
root@OpenWrt:/#

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
---

I would like to get some comments on whether we should activate PIE by default.
The advantage is that it will be harder to exploit OpenWrt, but on the
other hand the binaries are getting bigger. We could also restrict this
to some CPU types, but as targets share the binaries it is not really
possible to do this based on the target.

I am not sure if this should go into the next release or wait for later.

This could also break some packages. As it has been possible to activate PIE
for some time already, many bugs are fixed, but probably not
all of them.

 config/Config-build.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
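An added check, not part of this patch or of the OpenWrt tree, that verifies both halves of the claim in the message above: that an executable was really built as PIE (readelf -h reports such a binary as DYN; here the ELF header is parsed directly, honouring the MIPS big-endian byte order, and a PT_INTERP program header separates a PIE from a plain shared library), and that the image base actually differs between two runs, using the two /proc/self/maps excerpts from the message. The ELF images the script builds for itself are constructed test inputs, not real binaries.

```python
import re
import struct

ET_EXEC, ET_DYN, PT_INTERP, EM_MIPS = 2, 3, 3, 8

def elf_kind(data: bytes) -> str:
    # Classify as 'EXEC', 'PIE', 'SHLIB' or 'OTHER' from the ELF header alone.
    # EI_CLASS/EI_DATA are honoured, so a MIPS big-endian image read on an x86
    # host is decoded correctly. readelf -h reports a PIE as "DYN"; the extra
    # PT_INTERP test separates it from a plain shared library, which is also DYN.
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little, 2 = big endian
    (e_type,) = struct.unpack(end + "H", data[16:18])
    if e_type == ET_EXEC:
        return "EXEC"
    if e_type != ET_DYN:
        return "OTHER"
    if is64:
        (e_phoff,) = struct.unpack(end + "Q", data[32:40])
        e_phentsize, e_phnum = struct.unpack(end + "HH", data[54:58])
    else:
        (e_phoff,) = struct.unpack(end + "I", data[28:32])
        e_phentsize, e_phnum = struct.unpack(end + "HH", data[42:46])
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack(end + "I", data[off:off + 4])
        if p_type == PT_INTERP:
            return "PIE"
    return "SHLIB"

def make_elf32(e_type: int, with_interp: bool, big_endian: bool = True) -> bytes:
    # Constructed, non-loadable ELF32 image (MIPS BE by default) for exercising
    # elf_kind() offline; a real check would read the file from the rootfs.
    end = ">" if big_endian else "<"
    phdr = struct.pack(end + "8I", PT_INTERP, 0, 0, 0, 0, 0, 4, 1) if with_interp else b""
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1, 0]) + b"\x00" * 8
    hdr = struct.pack(end + "HHIIIIIHHHHHH", e_type, EM_MIPS, 1, 0,
                      52 if phdr else 0, 0, 0, 52, 32, 1 if phdr else 0, 40, 0, 0)
    return ident + hdr + phdr

MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) ([0-9a-f]+) \S+ \d+\s*(\S*)$")

def image_base(maps_text: str, path: str) -> int:
    # Load address of `path`: lowest start address among its file-offset-0 mappings.
    bases = [int(m.group(1), 16) for m in map(MAPS_RE.match, maps_text.splitlines())
             if m and m.group(5) == path and int(m.group(4), 16) == 0]
    if not bases:
        raise KeyError(path)
    return min(bases)

def aslr_relocates(run_a: str, run_b: str, path: str) -> bool:
    # True when the same image landed at a different address in two runs.
    return image_base(run_a, path) != image_base(run_b, path)

# Two /proc/self/maps excerpts copied from the commit message above.
RUN_A = """555c4000-55622000 r-xp 00000000 00:02 1030       /bin/busybox
55631000-55632000 r-xp 0005d000 00:02 1030       /bin/busybox
77f06000-77f9a000 r-xp 00000000 00:02 329        /lib/libc.so
7fb26000-7fb47000 rw-p 00000000 00:00 0          [stack]"""
RUN_B = """5561d000-5567b000 r-xp 00000000 00:02 1030       /bin/busybox
5568a000-5568b000 r-xp 0005d000 00:02 1030       /bin/busybox
77eb2000-77f46000 r-xp 00000000 00:02 329        /lib/libc.so
7fd1c000-7fd3d000 rw-p 00000000 00:00 0          [stack]"""

if __name__ == "__main__":
    print(elf_kind(make_elf32(ET_DYN, True)), elf_kind(make_elf32(ET_EXEC, False)))
    print(aslr_relocates(RUN_A, RUN_B, "/bin/busybox"))
```

On a device, feed elf_kind() the bytes of a rootfs binary and image_base() two captures of /proc/PID/maps; an EXEC result or an unchanged base means the package was built without PIE.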

Comments

Felix Fietkau Feb. 13, 2019, 10:51 p.m. UTC | #1
On 2019-02-13 23:15, Hauke Mehrtens wrote:
> This will build all executables as Position Independent Executables (PIE)
> by default. PIE executables can make full use of Address Space Layout
> Randomization (ASLR) because all sections can be placed at random
> offsets of the executed program. This makes it harder to exploit bugs
> in our binaries.
> 
> This will increase the size of executables; libraries are already built
> position independent and their size will not change.
> 
> This increases the size of the resulting images by about 3% on MIPS BE.
> I tested this with the default configuration for the lantiq xrx200
> target.
> 
> The size of the initramfs binaries increased by 2.88%:
> Without PIE:
> 5.303.716 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin
> With PIE:
> 5.456.339 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin
> 
> With PIE activated the executables are getting bigger; here are some
> examples from the lantiq mips_24kc target:
> 
> Without PIE:
> 112.309 /bin/opkg
> 299.061 /bin/busybox
> 456.549 /usr/sbin/wpad
> 
> With PIE:
> 142.496 /bin/opkg       (26.87% increase)
> 388.404 /bin/busybox    (29.87% increase)
> 580.128 /usr/sbin/wpad  (27.06% increase)
> 
> With PIE activated the sections of the binaries are loaded at
> different offsets for each program instance, as shown here:
> 
> root@OpenWrt:/# cat /proc/self/maps
> 555c4000-55622000 r-xp 00000000 00:02 1030       /bin/busybox
> 55631000-55632000 r-xp 0005d000 00:02 1030       /bin/busybox
> 55632000-55633000 rwxp 0005e000 00:02 1030       /bin/busybox
> 55633000-55634000 rwxp 00000000 00:00 0
> 77ee2000-77f04000 r-xp 00000000 00:02 331        /lib/libgcc_s.so.1
> 77f04000-77f05000 r-xp 00012000 00:02 331        /lib/libgcc_s.so.1
> 77f05000-77f06000 rwxp 00013000 00:02 331        /lib/libgcc_s.so.1
> 77f06000-77f9a000 r-xp 00000000 00:02 329        /lib/libc.so
> 77fa9000-77fab000 rwxp 00093000 00:02 329        /lib/libc.so
> 77fab000-77fad000 rwxp 00000000 00:00 0
> 7fb26000-7fb47000 rw-p 00000000 00:00 0          [stack]
> 7fefb000-7fefc000 r-xp 00000000 00:00 0
> 7ff0a000-7ff0b000 r--p 00000000 00:00 0          [vvar]
> 7ff0b000-7ff0c000 r-xp 00000000 00:00 0          [vdso]
> root@OpenWrt:/# cat /proc/self/maps
> 5561d000-5567b000 r-xp 00000000 00:02 1030       /bin/busybox
> 5568a000-5568b000 r-xp 0005d000 00:02 1030       /bin/busybox
> 5568b000-5568c000 rwxp 0005e000 00:02 1030       /bin/busybox
> 5568c000-5568d000 rwxp 00000000 00:00 0
> 77e8e000-77eb0000 r-xp 00000000 00:02 331        /lib/libgcc_s.so.1
> 77eb0000-77eb1000 r-xp 00012000 00:02 331        /lib/libgcc_s.so.1
> 77eb1000-77eb2000 rwxp 00013000 00:02 331        /lib/libgcc_s.so.1
> 77eb2000-77f46000 r-xp 00000000 00:02 329        /lib/libc.so
> 77f55000-77f57000 rwxp 00093000 00:02 329        /lib/libc.so
> 77f57000-77f59000 rwxp 00000000 00:00 0
> 7fd1c000-7fd3d000 rw-p 00000000 00:00 0          [stack]
> 7fefb000-7fefc000 r-xp 00000000 00:00 0
> 7ff60000-7ff61000 r--p 00000000 00:00 0          [vvar]
> 7ff61000-7ff62000 r-xp 00000000 00:00 0          [vdso]
> root@OpenWrt:/#
> 
> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
> ---
> 
> I would like to get some comments on whether we should activate PIE by default.
> The advantage is that it will be harder to exploit OpenWrt, but on the
> other hand the binaries are getting bigger. We could also restrict this
> to some CPU types, but as targets share the binaries it is not really
> possible to do this based on the target.
> 
> I am not sure if this should go into the next release or wait for later.
> 
> This could also break some packages. As it has been possible to activate PIE
> for some time already, many bugs are fixed, but probably not
> all of them.
I think this is a lot of extra bloat. Maybe we can add a restricted PIE
mode where packages can opt-in individually?

- Felix
Hauke Mehrtens Feb. 22, 2019, 11:40 p.m. UTC | #2
On 2/13/19 11:51 PM, Felix Fietkau wrote:
> On 2019-02-13 23:15, Hauke Mehrtens wrote:
>> This will build all executables as Position Independent Executables (PIE)
>> by default. PIE executables can make full use of Address Space Layout
>> Randomization (ASLR) because all sections can be placed at random
>> offsets of the executed program. This makes it harder to exploit bugs
>> in our binaries.
>>
>> This will increase the size of executables; libraries are already built
>> position independent and their size will not change.
>>
>> This increases the size of the resulting images by about 3% on MIPS BE.
>> I tested this with the default configuration for the lantiq xrx200
>> target.
>>
>> The size of the initramfs binaries increased by 2.88%:
>> Without PIE:
>> 5.303.716 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin
>> With PIE:
>> 5.456.339 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin
>>
>> With PIE activated the executables are getting bigger; here are some
>> examples from the lantiq mips_24kc target:
>>
>> Without PIE:
>> 112.309 /bin/opkg
>> 299.061 /bin/busybox
>> 456.549 /usr/sbin/wpad
>>
>> With PIE:
>> 142.496 /bin/opkg       (26.87% increase)
>> 388.404 /bin/busybox    (29.87% increase)
>> 580.128 /usr/sbin/wpad  (27.06% increase)
>>
>> With PIE activated the sections of the binaries are loaded at
>> different offsets for each program instance, as shown here:
>>
>> root@OpenWrt:/# cat /proc/self/maps
>> 555c4000-55622000 r-xp 00000000 00:02 1030       /bin/busybox
>> 55631000-55632000 r-xp 0005d000 00:02 1030       /bin/busybox
>> 55632000-55633000 rwxp 0005e000 00:02 1030       /bin/busybox
>> 55633000-55634000 rwxp 00000000 00:00 0
>> 77ee2000-77f04000 r-xp 00000000 00:02 331        /lib/libgcc_s.so.1
>> 77f04000-77f05000 r-xp 00012000 00:02 331        /lib/libgcc_s.so.1
>> 77f05000-77f06000 rwxp 00013000 00:02 331        /lib/libgcc_s.so.1
>> 77f06000-77f9a000 r-xp 00000000 00:02 329        /lib/libc.so
>> 77fa9000-77fab000 rwxp 00093000 00:02 329        /lib/libc.so
>> 77fab000-77fad000 rwxp 00000000 00:00 0
>> 7fb26000-7fb47000 rw-p 00000000 00:00 0          [stack]
>> 7fefb000-7fefc000 r-xp 00000000 00:00 0
>> 7ff0a000-7ff0b000 r--p 00000000 00:00 0          [vvar]
>> 7ff0b000-7ff0c000 r-xp 00000000 00:00 0          [vdso]
>> root@OpenWrt:/# cat /proc/self/maps
>> 5561d000-5567b000 r-xp 00000000 00:02 1030       /bin/busybox
>> 5568a000-5568b000 r-xp 0005d000 00:02 1030       /bin/busybox
>> 5568b000-5568c000 rwxp 0005e000 00:02 1030       /bin/busybox
>> 5568c000-5568d000 rwxp 00000000 00:00 0
>> 77e8e000-77eb0000 r-xp 00000000 00:02 331        /lib/libgcc_s.so.1
>> 77eb0000-77eb1000 r-xp 00012000 00:02 331        /lib/libgcc_s.so.1
>> 77eb1000-77eb2000 rwxp 00013000 00:02 331        /lib/libgcc_s.so.1
>> 77eb2000-77f46000 r-xp 00000000 00:02 329        /lib/libc.so
>> 77f55000-77f57000 rwxp 00093000 00:02 329        /lib/libc.so
>> 77f57000-77f59000 rwxp 00000000 00:00 0
>> 7fd1c000-7fd3d000 rw-p 00000000 00:00 0          [stack]
>> 7fefb000-7fefc000 r-xp 00000000 00:00 0
>> 7ff60000-7ff61000 r--p 00000000 00:00 0          [vvar]
>> 7ff61000-7ff62000 r-xp 00000000 00:00 0          [vdso]
>> root@OpenWrt:/#
>>
>> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
>> ---
>>
>> I would like to get some comments on whether we should activate PIE by default.
>> The advantage is that it will be harder to exploit OpenWrt, but on the
>> other hand the binaries are getting bigger. We could also restrict this
>> to some CPU types, but as targets share the binaries it is not really
>> possible to do this based on the target.
>>
>> I am not sure if this should go into the next release or wait for later.
>>
>> This could also break some packages. As it has been possible to activate PIE
>> for some time already, many bugs are fixed, but probably not
>> all of them.
> I think this is a lot of extra bloat. Maybe we can add a restricted PIE
> mode where packages can opt-in individually?

So we should probably make it a choice with 3 options:
1. No PIE
2. Use PIE for exposed binaries
3. Use PIE for all binaries

Then we need something in addition to the existing PKG_ASLR_PIE we
already have to deactivate it.

Do we want a generic name like this:
PKG_CRITICAL
or something specific to PIE:
PKG_ASLR_PIE_PREFERED

Hauke
Dave Taht Feb. 23, 2019, 3:36 p.m. UTC | #3
Hauke Mehrtens <hauke@hauke-m.de> writes:

> On 2/13/19 11:51 PM, Felix Fietkau wrote:
>> On 2019-02-13 23:15, Hauke Mehrtens wrote:
>>> This will build all executables as Position Independent Executables (PIE)
>>> by default. PIE executables can make full use of Address Space Layout
>>> Randomization (ASLR) because all sections can be placed at random
>>> offsets of the executed program. This makes it harder to exploit bugs
>>> in our binaries.
>>>
>>> This will increase the size of executables; libraries are already built
>>> position independent and their size will not change.
>>>
>>> This increases the size of the resulting images by about 3% on MIPS BE.
>>> I tested this with the default configuration for the lantiq xrx200
>>> target.
>>>
>>> The size of the initramfs binaries increased by 2.88%:
>>> Without PIE:
>>> 5.303.716 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin
>>> With PIE:
>>> 5.456.339 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin
>>>
>>> With PIE activated the executables are getting bigger; here are some
>>> examples from the lantiq mips_24kc target:
>>>
>>> Without PIE:
>>> 112.309 /bin/opkg
>>> 299.061 /bin/busybox
>>> 456.549 /usr/sbin/wpad
>>>
>>> With PIE:
>>> 142.496 /bin/opkg       (26.87% increase)
>>> 388.404 /bin/busybox    (29.87% increase)
>>> 580.128 /usr/sbin/wpad  (27.06% increase)
>>>
>>> With PIE activated the sections of the binaries are loaded at
>>> different offsets for each program instance, as shown here:
>>>
>>> root@OpenWrt:/# cat /proc/self/maps
>>> 555c4000-55622000 r-xp 00000000 00:02 1030       /bin/busybox
>>> 55631000-55632000 r-xp 0005d000 00:02 1030       /bin/busybox
>>> 55632000-55633000 rwxp 0005e000 00:02 1030       /bin/busybox
>>> 55633000-55634000 rwxp 00000000 00:00 0
>>> 77ee2000-77f04000 r-xp 00000000 00:02 331        /lib/libgcc_s.so.1
>>> 77f04000-77f05000 r-xp 00012000 00:02 331        /lib/libgcc_s.so.1
>>> 77f05000-77f06000 rwxp 00013000 00:02 331        /lib/libgcc_s.so.1
>>> 77f06000-77f9a000 r-xp 00000000 00:02 329        /lib/libc.so
>>> 77fa9000-77fab000 rwxp 00093000 00:02 329        /lib/libc.so
>>> 77fab000-77fad000 rwxp 00000000 00:00 0
>>> 7fb26000-7fb47000 rw-p 00000000 00:00 0          [stack]
>>> 7fefb000-7fefc000 r-xp 00000000 00:00 0
>>> 7ff0a000-7ff0b000 r--p 00000000 00:00 0          [vvar]
>>> 7ff0b000-7ff0c000 r-xp 00000000 00:00 0          [vdso]
>>> root@OpenWrt:/# cat /proc/self/maps
>>> 5561d000-5567b000 r-xp 00000000 00:02 1030       /bin/busybox
>>> 5568a000-5568b000 r-xp 0005d000 00:02 1030       /bin/busybox
>>> 5568b000-5568c000 rwxp 0005e000 00:02 1030       /bin/busybox
>>> 5568c000-5568d000 rwxp 00000000 00:00 0
>>> 77e8e000-77eb0000 r-xp 00000000 00:02 331        /lib/libgcc_s.so.1
>>> 77eb0000-77eb1000 r-xp 00012000 00:02 331        /lib/libgcc_s.so.1
>>> 77eb1000-77eb2000 rwxp 00013000 00:02 331        /lib/libgcc_s.so.1
>>> 77eb2000-77f46000 r-xp 00000000 00:02 329        /lib/libc.so
>>> 77f55000-77f57000 rwxp 00093000 00:02 329        /lib/libc.so
>>> 77f57000-77f59000 rwxp 00000000 00:00 0
>>> 7fd1c000-7fd3d000 rw-p 00000000 00:00 0          [stack]
>>> 7fefb000-7fefc000 r-xp 00000000 00:00 0
>>> 7ff60000-7ff61000 r--p 00000000 00:00 0          [vvar]
>>> 7ff61000-7ff62000 r-xp 00000000 00:00 0          [vdso]
>>> root@OpenWrt:/#
>>>
>>> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
>>> ---
>>>
>>> I would like to get some comments on whether we should activate PIE by default.
>>> The advantage is that it will be harder to exploit OpenWrt, but on the
>>> other hand the binaries are getting bigger. We could also restrict this
>>> to some CPU types, but as targets share the binaries it is not really
>>> possible to do this based on the target.
>>>
>>> I am not sure if this should go into the next release or wait for later.
>>>
>>> This could also break some packages. As it has been possible to activate PIE
>>> for some time already, many bugs are fixed, but probably not
>>> all of them.
>> I think this is a lot of extra bloat. Maybe we can add a restricted PIE
>> mode where packages can opt-in individually?
>
> So we should probably make it a choice with 3 options:
> 1. No PIE
> 2. Use PIE for exposed binaries
> 3. Use PIE for all binaries

I hate that we have to make choices like this for space reasons. Option
2 will help but means attackers will try to go after something else.
By exposed, you mean "on the network", I guess?


>
> Then we need something in addition to the existing PKG_ASLR_PIE we
> already have to deactivate it.
>
> Do we want a generic name like this:
> PKG_CRITICAL
> or something specific to PIE:
> PKG_ASLR_PIE_PREFERED
>
> Hauke
Hauke Mehrtens Feb. 23, 2019, 3:46 p.m. UTC | #4
On 2/23/19 4:36 PM, Dave Taht wrote:
> Hauke Mehrtens <hauke@hauke-m.de> writes:
> 
>> On 2/13/19 11:51 PM, Felix Fietkau wrote:
>>> On 2019-02-13 23:15, Hauke Mehrtens wrote:
>>>> This will build all executables as Position Independent Executables (PIE)
>>>> by default. PIE executables can make full use of Address Space Layout
>>>> Randomization (ASLR) because all sections can be placed at random
>>>> offsets of the executed program. This makes it harder to exploit bugs
>>>> in our binaries.
>>>>
>>>> This will increase the size of executables; libraries are already built
>>>> position independent and their size will not change.
>>>>
>>>> This increases the size of the resulting images by about 3% on MIPS BE.
>>>> I tested this with the default configuration for the lantiq xrx200
>>>> target.
>>>>
>>>> The size of the initramfs binaries increased by 2.88%:
>>>> Without PIE:
>>>> 5.303.716 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin
>>>> With PIE:
>>>> 5.456.339 openwrt-lantiq-xrx200-bt_homehub-v5a-initramfs-kernel.bin
>>>>
>>>> With PIE activated the executables are getting bigger; here are some
>>>> examples from the lantiq mips_24kc target:
>>>>
>>>> Without PIE:
>>>> 112.309 /bin/opkg
>>>> 299.061 /bin/busybox
>>>> 456.549 /usr/sbin/wpad
>>>>
>>>> With PIE:
>>>> 142.496 /bin/opkg       (26.87% increase)
>>>> 388.404 /bin/busybox    (29.87% increase)
>>>> 580.128 /usr/sbin/wpad  (27.06% increase)
>>>>
>>>> With PIE activated the sections of the binaries are loaded at
>>>> different offsets for each program instance, as shown here:
>>>>
>>>> root@OpenWrt:/# cat /proc/self/maps
>>>> 555c4000-55622000 r-xp 00000000 00:02 1030       /bin/busybox
>>>> 55631000-55632000 r-xp 0005d000 00:02 1030       /bin/busybox
>>>> 55632000-55633000 rwxp 0005e000 00:02 1030       /bin/busybox
>>>> 55633000-55634000 rwxp 00000000 00:00 0
>>>> 77ee2000-77f04000 r-xp 00000000 00:02 331        /lib/libgcc_s.so.1
>>>> 77f04000-77f05000 r-xp 00012000 00:02 331        /lib/libgcc_s.so.1
>>>> 77f05000-77f06000 rwxp 00013000 00:02 331        /lib/libgcc_s.so.1
>>>> 77f06000-77f9a000 r-xp 00000000 00:02 329        /lib/libc.so
>>>> 77fa9000-77fab000 rwxp 00093000 00:02 329        /lib/libc.so
>>>> 77fab000-77fad000 rwxp 00000000 00:00 0
>>>> 7fb26000-7fb47000 rw-p 00000000 00:00 0          [stack]
>>>> 7fefb000-7fefc000 r-xp 00000000 00:00 0
>>>> 7ff0a000-7ff0b000 r--p 00000000 00:00 0          [vvar]
>>>> 7ff0b000-7ff0c000 r-xp 00000000 00:00 0          [vdso]
>>>> root@OpenWrt:/# cat /proc/self/maps
>>>> 5561d000-5567b000 r-xp 00000000 00:02 1030       /bin/busybox
>>>> 5568a000-5568b000 r-xp 0005d000 00:02 1030       /bin/busybox
>>>> 5568b000-5568c000 rwxp 0005e000 00:02 1030       /bin/busybox
>>>> 5568c000-5568d000 rwxp 00000000 00:00 0
>>>> 77e8e000-77eb0000 r-xp 00000000 00:02 331        /lib/libgcc_s.so.1
>>>> 77eb0000-77eb1000 r-xp 00012000 00:02 331        /lib/libgcc_s.so.1
>>>> 77eb1000-77eb2000 rwxp 00013000 00:02 331        /lib/libgcc_s.so.1
>>>> 77eb2000-77f46000 r-xp 00000000 00:02 329        /lib/libc.so
>>>> 77f55000-77f57000 rwxp 00093000 00:02 329        /lib/libc.so
>>>> 77f57000-77f59000 rwxp 00000000 00:00 0
>>>> 7fd1c000-7fd3d000 rw-p 00000000 00:00 0          [stack]
>>>> 7fefb000-7fefc000 r-xp 00000000 00:00 0
>>>> 7ff60000-7ff61000 r--p 00000000 00:00 0          [vvar]
>>>> 7ff61000-7ff62000 r-xp 00000000 00:00 0          [vdso]
>>>> root@OpenWrt:/#
>>>>
>>>> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
>>>> ---
>>>>
>>>> I would like to get some comments on whether we should activate PIE by default.
>>>> The advantage is that it will be harder to exploit OpenWrt, but on the
>>>> other hand the binaries are getting bigger. We could also restrict this
>>>> to some CPU types, but as targets share the binaries it is not really
>>>> possible to do this based on the target.
>>>>
>>>> I am not sure if this should go into the next release or wait for later.
>>>>
>>>> This could also break some packages. As it has been possible to activate PIE
>>>> for some time already, many bugs are fixed, but probably not
>>>> all of them.
>>> I think this is a lot of extra bloat. Maybe we can add a restricted PIE
>>> mode where packages can opt-in individually?
>>
>> So we should probably make it a choice with 3 options:
>> 1. No PIE
>> 2. Use PIE for exposed binaries
>> 3. Use PIE for all binaries
> 
> I hate that we have to make choices like this for space reasons. Option
> 2 will help but means attackers will try to go after something else.

We could also make this dependent on the architecture. I think devices with
an ARM64 or x86 CPU normally also have plenty of RAM and flash, while many
MIPS-based devices are constrained.

> By exposed, you mean "on the network", I guess?

Yes, with exposed applications I meant applications exposed to the network, like
dnsmasq, dropbear and so on.

>> Then we need something in addition to the existing PKG_ASLR_PIE we
>> already have to deactivate it.
>>
>> Do we want a generic name like this:
>> PKG_CRITICAL
>> or something specific to PIE:
>> PKG_ASLR_PIE_PREFERED
>>
>> Hauke

Patch

diff --git a/config/Config-build.in b/config/Config-build.in
index 6d749476db..2d8a9db74c 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -196,7 +196,7 @@  menu "Global build settings"
 		bool
 		prompt "User space ASLR PIE compilation"
 		select BUSYBOX_DEFAULT_PIE
-		default n
+		default y
 		help
 		  Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
 		  This enables package build as Position Independent Executables (PIE)
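Review bot: the help text left unchanged in this hunk (`Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.`) still describes only what the option does and says nothing about the cost that `default y` now imposes on every image; the commit message measured executables roughly 27-30% larger and images about 3% larger on MIPS BE, so add a sentence to the help stating that trade-off and naming the per-package PKG_ASLR_PIE knob discussed in the thread as the way to opt out, since users of menuconfig see only the help, never the commit message. Given the thread's own proposal of a three-way choice (no PIE / PIE for exposed binaries / PIE for all), it is also worth deciding whether flipping this single `bool` is the right shape before merging, or whether the option should become a `choice` now rather than be reworked in a follow-up.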