Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-5730

enhance security using special compilation options

        Details

        • Type: Task
        • Status: Closed
        • Priority: Major
        • Resolution: Fixed
        • Fix Version/s: 10.1.0
        • Component/s: None
        • Labels:
          None

          Description

          gcc/ld have different options that can make resulting binaries more secure against buffer/stack overflow exploits. RedHat uses most of them for distribution binaries. We need to analyze these options, understand the benefits and drawbacks, and possibly use them too in our builds.
          The (incomplete) list is

          -pie
-Wp,-D_FORTIFY_SOURCE=2
-fstack-protector --param=ssp-buffer-size=4
-Wl,-z,relro,-z,now

            Gliffy Diagrams

              Attachments

                Issue Links

                relates to

                Bug - A problem which impairs or prevents the functions of the product. MDEV-6479 stack traces in 10.1

                • Major - Major loss of function.
                • Closed
                links to

                Web Link an article about RELRO

                Web Link Review of the patch

                  Activity

                  Ascending order - Click to sort in descending order
                  Hide
                  Permalink
                  serg Sergei Golubchik added a comment -

                  Axel Schwenke, could you please benchmark the effect of this patch? Thanks!

                  Show
                  serg Sergei Golubchik added a comment - Axel Schwenke , could you please benchmark the effect of this patch? Thanks!
                  Hide
                  Permalink
                  axel Axel Schwenke added a comment -

                  Attached two PDFs summarizing the results of sysbench OLTP. The tested server tree was MariaDB-10.0.12. Once compiled with default gcc flags, once with the "security" options added.

                  There were 3 executions of each build, each delivering 20 data points (transactions per second, averaged over 3 second intervals). There is considerable noise on the data, both during a run and also between different runs of the same build. Still there is a visible difference between "default" and "security" builds of approximately 1%

                  Each dot in the plots represents one data point. The lines and numbers represent the median of the values. The median was preferred over the average because it is more stable re. outliers.

                  Show
                  axel Axel Schwenke added a comment - Attached two PDFs summarizing the results of sysbench OLTP. The tested server tree was MariaDB-10.0.12. Once compiled with default gcc flags, once with the "security" options added. There were 3 executions of each build, each delivering 20 data points (transactions per second, averaged over 3 second intervals). There is considerable noise on the data, both during a run and also between different runs of the same build. Still there is a visible difference between "default" and "security" builds of approximately 1% Each dot in the plots represents one data point. The lines and numbers represent the median of the values. The median was preferred over the average because it is more stable re. outliers.
                  Hide
                  Permalink
                  axel Axel Schwenke added a comment -

                  FTR, this are the changes to my build script

                  --- xl_build_new        2014-06-25 14:40:40.354214993 +0200
+++ xl_build_MDEV-5730  2014-06-25 14:40:33.154617307 +0200
@@ -5,5 +5,5 @@
 #CC=gcc
 #CXX=g++
-CFLAGS="-O3 -g -fno-omit-frame-pointer -fno-strict-aliasing -DNDEBUG -DDBUG_OFF -Wno-maybe-uninitialized"
+CFLAGS="-O3 -g -fno-omit-frame-pointer -fno-strict-aliasing -DNDEBUG -DDBUG_OFF -Wno-maybe-uninitialized -pie -fPIC -Wl,-z,relro,-z,now -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2"
 CXXFLAGS="$CFLAGS -felide-constructors"
                  Show
                  axel Axel Schwenke added a comment - FTR, this are the changes to my build script --- xl_build_new 2014-06-25 14:40:40.354214993 +0200 +++ xl_build_MDEV-5730 2014-06-25 14:40:33.154617307 +0200 @@ -5,5 +5,5 @@ #CC=gcc #CXX=g++ -CFLAGS="-O3 -g -fno-omit-frame-pointer -fno-strict-aliasing -DNDEBUG -DDBUG_OFF -Wno-maybe-uninitialized" +CFLAGS="-O3 -g -fno-omit-frame-pointer -fno-strict-aliasing -DNDEBUG -DDBUG_OFF -Wno-maybe-uninitialized -pie -fPIC -Wl,-z,relro,-z,now -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2" CXXFLAGS="$CFLAGS -felide-constructors"

                    People

                    • Assignee:
                      serg Sergei Golubchik
                      Reporter:
                      serg Sergei Golubchik
                    • Votes:
                      0 Vote for this issue
                      Watchers:
                      3 Start watching this issue

                      Dates

                      • Created:
                        Updated:
                        Resolved:

                        Time Tracking

                        Estimated:
                        Original Estimate - 1 day Original Estimate - 1 day
                        1d
                        Remaining:
                        Remaining Estimate - 0 minutes
                        0m
                        Logged:
                        Time Spent - 1 day, 2 hours
                        1d 2h