  1. MariaDB Server
  2. MDEV-5730

enhance security using special compilation options

Details

    • Task
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 10.1.0

    Description

      gcc/ld have different options that can make resulting binaries more secure against buffer/stack overflow exploits. Red Hat uses most of them for distribution binaries. We need to analyze these options, understand the benefits and drawbacks, and possibly use them too in our builds.
      The (incomplete) list is:

      -pie
      -Wp,-D_FORTIFY_SOURCE=2
      -fstack-protector --param=ssp-buffer-size=4
      -Wl,-z,relro,-z,now

          Activity

            serg Sergei Golubchik added a comment -

            axel, could you please benchmark the effect of this patch? Thanks!
            axel Axel Schwenke added a comment -

            Attached two PDFs summarizing the results of sysbench OLTP. The tested server tree was MariaDB-10.0.12. Once compiled with default gcc flags, once with the "security" options added.

            There were 3 executions of each build, each delivering 20 data points (transactions per second, averaged over 3 second intervals). There is considerable noise on the data, both during a run and also between different runs of the same build. Still there is a visible difference between "default" and "security" builds of approximately 1%.

            Each dot in the plots represents one data point. The lines and numbers represent the median of the values. The median was preferred over the average because it is more stable re. outliers.

            axel Axel Schwenke added a comment -

            FTR, these are the changes to my build script:

            --- xl_build_new        2014-06-25 14:40:40.354214993 +0200
            +++ xl_build_MDEV-5730  2014-06-25 14:40:33.154617307 +0200
            @@ -5,5 +5,5 @@
             #CC=gcc
             #CXX=g++
            -CFLAGS="-O3 -g -fno-omit-frame-pointer -fno-strict-aliasing -DNDEBUG -DDBUG_OFF -Wno-maybe-uninitialized"
            +CFLAGS="-O3 -g -fno-omit-frame-pointer -fno-strict-aliasing -DNDEBUG -DDBUG_OFF -Wno-maybe-uninitialized -pie -fPIC -Wl,-z,relro,-z,now -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2"
             CXXFLAGS="$CFLAGS -felide-constructors"
             
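
            Review bot: On the added CFLAGS line, `-pie` and `-Wl,-z,relro,-z,now` are linker options, so they only take effect where the build also passes CFLAGS to the link step; setting them in LDFLAGS would make that explicit. `-D_FORTIFY_SOURCE=2` depends on optimization being enabled, which `-O3` on the same line provides, so the two should stay together if the line is edited later. Since CXXFLAGS is derived from $CFLAGS, the C++ objects get the same options; checking the built server binary with readelf (file type DYN, a GNU_RELRO segment, BIND_NOW in the dynamic section) would confirm that the flags reached the final link before the benchmark numbers are attributed to them.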


            People

              serg Sergei Golubchik