hardening -PIE flag

Asked by pawciobiel

Would it make sense to add `-fPIE -pie` build flag?

Question information

Language: English
Status: Solved
For: Ubuntu libjpeg-turbo
Assignee: No assignee
Solved by: pawciobiel
daniel CURTIS (anoda) said :
#1

Hello pawciobiel. It depends on many things, such as what application you would like to compile with the PIE flag, etc. There are some programs that cannot be built with PIE because of errors, etc. You must know that PIE has a large (5-10%) performance penalty, e.g. on the x86 arch. (PIE on x86_64 compiles without performance issues.) So, in my opinion, PIE should only be used for security-critical packages.

Ubuntu has some programs built as PIE: bind9, squid, firefox etc. Please check this page: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/BuiltPIE

You may also be interested in: http://manpages.ubuntu.com/manpages/raring/man1/hardening-check.1.html It is a 'hardening-check' script for checking binaries for security hardening features, etc.

Best regards.
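To make the 'hardening-check' suggestion concrete, here is an added example; it is not code from this thread or from the hardening-check package. It is a small pure-Python checker that reads the same ELF properties hardening-check reports from the binary itself: PIE (ET_DYN with a PT_INTERP segment), RELRO (PT_GNU_RELRO, upgraded to "full" when BIND_NOW is set), NX (PT_GNU_STACK without the execute bit), and stack protector / FORTIFY_SOURCE via the imported `__stack_chk_fail` and `*_chk` symbol names. The `build_sample` helper, the `Hardening` dataclass and the constructed ELF image it fabricates are my own assumptions, made so the checker can be exercised offline; a real binary is checked by passing its path on the command line. It also bears on the later posts in this thread that compare build logs: the symbol heuristic cannot distinguish `-fstack-protector` from `-fstack-protector-strong` (both import `__stack_chk_fail`), so that particular difference is only visible in the build log, not in the binary.

```python
"""Check a little-endian ELF64 file for the hardening properties that
hardening-check reports, without readelf.  Added example, not project code."""
import struct
import sys
from dataclasses import dataclass

# Constants from elf.h
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

# Symbol names whose presence indicates the feature was compiled in.  This is
# a substring scan over the whole file, coarser than hardening-check's symbol
# table lookup: a file that merely contains the string (libc itself, say)
# would be reported as protected.
CANARY_SYMBOL = b"__stack_chk_fail\0"
FORTIFY_SYMBOLS = (b"__memcpy_chk\0", b"__strcpy_chk\0", b"__printf_chk\0",
                   b"__sprintf_chk\0", b"__fprintf_chk\0")


@dataclass
class Hardening:
    pie: bool
    shared_object: bool   # ET_DYN without PT_INTERP: a library, not a PIE
    relro: str            # "none", "partial" or "full"
    nx: bool              # PT_GNU_STACK present and not executable
    stack_protector: bool
    fortify: bool


def _program_headers(data):
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    hdrs = []
    for i in range(e_phnum):
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        hdrs.append((p_type, p_flags, p_offset, p_filesz))
    return hdrs


def _dynamic_tags(data, hdrs):
    """Walk the PT_DYNAMIC segment ((d_tag, d_val) pairs) up to DT_NULL."""
    tags = {}
    for p_type, _, p_offset, p_filesz in hdrs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            tags[d_tag] = d_val
    return tags


def check_elf64(data: bytes) -> Hardening:
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    hdrs = _program_headers(data)
    types = {h[0] for h in hdrs}
    tags = _dynamic_tags(data, hdrs)
    # -Wl,-z,now appears as DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW
    bind_now = (DT_BIND_NOW in tags
                or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW))
    if PT_GNU_RELRO not in types:
        relro = "none"
    else:
        relro = "full" if bind_now else "partial"   # -z relro alone is partial
    stack = [h for h in hdrs if h[0] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0][1] & PF_X)
    is_dyn = e_type == ET_DYN
    return Hardening(pie=is_dyn and PT_INTERP in types,
                     shared_object=is_dyn and PT_INTERP not in types,
                     relro=relro, nx=nx,
                     stack_protector=CANARY_SYMBOL in data,
                     fortify=any(s in data for s in FORTIFY_SYMBOLS))


def build_sample(*, dyn, interp, relro, bind_now, exec_stack, canary) -> bytes:
    """Constructed minimal ELF64 image (header, program headers, dynamic
    section, one fake symbol string) used only as offline test input."""
    phdrs = ([(PT_INTERP, 4)] if interp else []) + [(PT_DYNAMIC, 6)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4))
    phdrs.append((PT_GNU_STACK, 7 if exec_stack else 6))
    dyn_off = 64 + 56 * len(phdrs)
    dynamic = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") \
        + struct.pack("<qQ", DT_NULL, 0)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if dyn else ET_EXEC, 62, 1, 0x1000,
        64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f,
                                dyn_off if t == PT_DYNAMIC else 0, 0, 0,
                                len(dynamic) if t == PT_DYNAMIC else 0,
                                len(dynamic) if t == PT_DYNAMIC else 0, 8)
                    for t, f in phdrs)
    return ehdr + body + dynamic + (CANARY_SYMBOL if canary else b"puts\0")


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print(check_elf64(f.read()))
```

Run it against a library (an assumed path such as /usr/lib/x86_64-linux-gnu/libjpeg.so.8) and it reports `shared_object=True, pie=False`: an ET_DYN object without PT_INTERP is a shared library, which hardening-check likewise reports as "no, regular shared library (ignored)". That is the practical caveat behind the question: `-fPIE -pie` only changes executables, while a library is made position-independent by `-fPIC`, which is the flag the build logs in this thread show.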

pawciobiel (pawciobiel) said :
#2

@anoda, do you know of any that depend on libjpeg that would break if it were PIE?

5-10% may be large for performance critical systems but not for desktops.

I know other systems like Fedora and BSD use PIE as standard, so I was wondering if there is anything that would stop us using it on libjpeg. Also please note that tiff is using PIE too.

daniel CURTIS (anoda) said :
#3

Hi pawciobiel. A 5-10% performance penalty could be a lot, especially if we talk about e.g. Firefox, LibreOffice, etc. From what I see, 'libjpeg' is compiled with the -D_FORTIFY_SOURCE=2 -fstack-protector-strong -Wformat -Werror=format-security -Wl,-z,relro -fPIC security flags. Not so bad, right? So it is not so bad. Sorry, but I don't know of any that depend on 'libjpeg' that would break with the PIE flag.

There is an interesting article about PIE (it is worth reading): https://securityblog.redhat.com/2012/11/28/position-independent-executables-pie/

Best regards.

pawciobiel (pawciobiel) said :
#4

Hi Daniel,

I was looking at this [1] buildlog and found CFLAGS="-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security", but "-fstack-protector-strong" is not there.
The PIC is indeed used so it's not so bad, thanks.

I've also had a quick look at [2] but the stack-protector is not there either.

The reason I asked the question was that I was a bit puzzled why, compared with a new Fedora, the `hardening-check` tool gives me different results...

Thanks for help.

[1] https://launchpadlibrarian.net/160226943/buildlog_ubuntu-trusty-amd64.libjpeg-turbo_1.3.0-0ubuntu2_UPLOADING.txt.gz
[2] https://launchpadlibrarian.net/214751266/buildlog_ubuntu-wily-amd64.libjpeg6b_1%3A6b2-2_BUILDING.txt.gz

pawciobiel (pawciobiel) said :
#5

Thanks for pointing out PIC I think I somehow missed it.

daniel CURTIS (anoda) said :
#6

Hi. '-fstack-protector-strong' is a new feature found in the newest gcc, and the 'strong' variant can be found in the libjpeg-turbo 1.4.2-0ubuntu2 version available in Xenial.

Build log for the i386 arch: https://launchpadlibrarian.net/233916878/buildlog_ubuntu-xenial-i386.libjpeg-turbo_1.4.2-0ubuntu2_BUILDING.txt.gz

Best regards.