Details
-
Task
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
None
-
None
Description
gcc/ld have different options that can make resulting binaries more secure against buffer/stack overflow exploits. RedHat uses most of them for distribution binaries. We need to analyze these options, understand the benefits and drawbacks, and possibly use them too in our builds.
The (incomplete) list is
-pie
|
-Wp,-D_FORTIFY_SOURCE=2
|
-fstack-protector --param=ssp-buffer-size=4
|
-Wl,-z,relro,-z,now
|
Attachments
Issue Links
- relates to
-
MDEV-6479 stack traces in 10.1
-
- Closed
-
- links to
Activity
Attached two PDFs summarizing the results of sysbench OLTP. The tested server tree was MariaDB-10.0.12. Once compiled with default gcc flags, once with the "security" options added.
There were 3 executions of each build, each delivering 20 data points (transactions per second, averaged over 3 second intervals). There is considerable noise on the data, both during a run and also between different runs of the same build. Still there is a visible difference between "default" and "security" builds of approximately 1%
Each dot in the plots represents one data point. The lines and numbers represent the median of the values. The median was preferred over the average because it is more stable re. outliers.
FTR, this are the changes to my build script
--- xl_build_new 2014-06-25 14:40:40.354214993 +0200
|
+++ xl_build_MDEV-5730 2014-06-25 14:40:33.154617307 +0200
|
@@ -5,5 +5,5 @@
|
#CC=gcc
|
#CXX=g++
|
-CFLAGS="-O3 -g -fno-omit-frame-pointer -fno-strict-aliasing -DNDEBUG -DDBUG_OFF -Wno-maybe-uninitialized"
|
+CFLAGS="-O3 -g -fno-omit-frame-pointer -fno-strict-aliasing -DNDEBUG -DDBUG_OFF -Wno-maybe-uninitialized -pie -fPIC -Wl,-z,relro,-z,now -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2"
|
CXXFLAGS="$CFLAGS -felide-constructors"
|
|
axel, could you please benchmark the effect of this patch? Thanks!