[MDEV-5730] enhance security using special compilation options Created: 2014-02-25 Updated: 2014-07-23 Resolved: 2014-06-26 |
|
| Status: | Closed |
| Project: | MariaDB Server |
| Component/s: | None |
| Fix Version/s: | 10.1.0 |
| Type: | Task | Priority: | Major |
| Reporter: | Sergei Golubchik | Assignee: | Sergei Golubchik |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Description |
|
gcc/ld have different options that can make resulting binaries more secure against buffer/stack overflow exploits. RedHat uses most of them for distribution binaries. We need to analyze these options, understand the benefits and drawbacks, and possibly use them too in our builds.
|
| Comments |
| Comment by Sergei Golubchik [ 2014-06-24 ] |

axel, could you please benchmark the effect of this patch? Thanks!
| Comment by Axel Schwenke [ 2014-06-25 ] |

Attached two PDFs summarizing the results of sysbench OLTP. The tested server tree was MariaDB-10.0.12. Once compiled with default gcc flags, once with the "security" options added. There were 3 executions of each build, each delivering 20 data points (transactions per second, averaged over 3 second intervals). There is considerable noise on the data, both during a run and also between different runs of the same build. Still there is a visible difference between "default" and "security" builds of approximately 1%.

Each dot in the plots represents one data point. The lines and numbers represent the median of the values. The median was preferred over the average because it is more stable re. outliers.
| Comment by Axel Schwenke [ 2014-06-25 ] |

FTR, these are the changes to my build script
|