OPNsense Forum

English Forums => General Discussion => Topic started by: franco on May 25, 2016, 08:16:28 pm

Title: ASLR, PIE and the future of i386
Post by: franco on May 25, 2016, 08:16:28 pm
Hi all,

We all know i386 has its best years behind it, and now there's a big decision for us up ahead.

As you all know HardenedBSD has implemented their ASLR[1] for OPNsense, which brings the possibility of modern security measures into our operating system core. But ASLR by itself is not effective without PIE[2].

PIE allows programs to run in arbitrary address layouts, which is what ASLR provides the framework for. ASLR has virtually no performance impact. For amd64 architectures, enabling PIE does not have any drawbacks either. For i386, however, the performance impact for additional security is around 12% according to Shawn from HardenedBSD, based on how the architecture was built, so that's not something to work around.

i386 is being abandoned step by step by projects, but we have been discussing options on how to keep i386 a functional part of (our OPNsense) world for multiple years to come. Ideally we will want to deliver a homogeneous environment where all components and flavours of packages and images come with the same extent of quality. For that we want to enable PIE for all users in upcoming major releases (likely somewhere in Q3 or Q4 of this year).

So the question is this:

Would you mind a 12% performance impact on your i386 hardware for the sake of security and modernisation?


Cheers,
Franco

--
[1] https://en.wikipedia.org/wiki/Address_space_layout_randomization
[2] https://en.wikipedia.org/wiki/Position-independent_code

Title: Re: ASLR, PIE and the future of i386
Post by: bartjsmit on May 25, 2016, 09:08:27 pm
Very few people are going to face enough performance demand from an i386 firewall for 12% to matter, and 64-bit alternatives are cheap and abundant. Even for the i386 edge case, there are plenty of alternatives, not least older versions of OPNsense.

I am with Mr Spock - the needs of the many...

Bart...
Title: Re: ASLR, PIE and the future of i386
Post by: lattera on May 25, 2016, 10:08:40 pm
Hey All,

I just wanted to expound upon the i386 performance impact a little. The reason why Position-Independent Executable (PIE) support on i386 has a performance impact is due to the limited amount of CPU registers. The amd64 architecture has enough registers that it can dedicate one to use for the calculation of offsets. Since i386 is limited, it has to resolve symbols (functions, global variables, etc.) inefficiently. It cannot make use of a dedicated register for symbol offset calculations.

It's important to note that the 12% performance hit is a worst-case scenario. In some cases, the performance hit might be as low as 5%. The point is that you will definitely see a performance hit. This is not due to HardenedBSD or its ASLR implementation, but rather the underlying computer architecture. All operating systems, including Linux and Windows, will have a performance hit when running Position-Independent Code (PIC) on i386.

Which brings up another point: most of your applications will hit PIC. libc is a PIC library. All applications used within OPNsense depend on libc. The RTLD is a PIC library as well. (Fun fact: the RTLD relocates itself.) All dynamically-compiled applications rely on the RTLD.

Thanks,

Shawn Webb
Title: Re: ASLR, PIE and the future of i386
Post by: weust on May 25, 2016, 11:01:51 pm
Not an issue for me.

No doubt a lot of low end hardware used for routers is still i386-based, or ARM or MIPS, but it's also time to move on instead of sticking to the past.
Title: Re: ASLR, PIE and the future of i386
Post by: jstrebel on May 26, 2016, 03:50:45 pm
Does not make a lot of sense to support almost 20-year-old, energy-consuming CPUs. For ~100€ we will get a board which consumes 10€ per year. Most PCs consume a multiple of this.

Sent from iPhone with Tapatalk
Title: Re: ASLR, PIE and the future of i386
Post by: franco on June 04, 2016, 04:26:56 pm
I would have expected a little more resistance, but discussions on and off the forum seem to suggest that:

Yes, we want PIE for i386.

Let's do that then. :)
Title: Re: ASLR, PIE and the future of i386
Post by: yonas on June 04, 2016, 04:39:42 pm
Awesome :) I'm also in favour of PIE on i386.

I see this as an incentive to motivate people to use more modern hardware that's likely much more energy efficient.
Title: Re: ASLR, PIE and the future of i386
Post by: weust on June 04, 2016, 05:30:02 pm
@yonas, your reaction sounds odd to me.
First you want PIE for i386, then you want people to move on?
Title: Re: ASLR, PIE and the future of i386
Post by: yonas on June 06, 2016, 12:39:38 pm
@weust Yes, it's like a "sin tax". The more expensive it becomes to use i386, the more incentive people have to stop using it.
Title: Re: ASLR, PIE and the future of i386
Post by: weust on June 06, 2016, 12:50:11 pm
Yeah, but as long as people keep developing for old stuff the longer it takes for developers to move on.
Hardware from the 80's is still supported in Linux, and no doubt BSD too, because people keep using it for whatever reason.
Title: Re: ASLR, PIE and the future of i386
Post by: yonas on June 06, 2016, 12:56:03 pm
Yeah, I have no problem with people wanting to run weird and exotic hardware, I just refer them to NetBSD :P

For most cases, like Franco mentioned, newer hardware should be encouraged instead of i386.
Title: Re: ASLR, PIE and the future of i386
Post by: weust on June 06, 2016, 12:59:53 pm
But to me it feels like valuable resources, and especially time, are wasted.
Title: Re: ASLR, PIE and the future of i386
Post by: yonas on June 06, 2016, 01:07:44 pm
I hear you. In cases like this, it's good to conduct a poll of the user base, or analyze automated usage reports that can tell us how many OPNsense users run i386 vs amd64.

If a very low number of people still use i386, I'd recommend to stop supporting it. That way you can save developer time and energy, as you mentioned. However, it seems that the team has already pledged to support i386 for at least a few more years. I'm not sure exactly why.

@Franco Is there a thread where this was discussed?
Title: Re: ASLR, PIE and the future of i386
Post by: franco on June 06, 2016, 04:39:15 pm
People actively asked for it right after 15.1 came out. A bit overwhelming and shocking to hear "you really need i386 to be a viable project", but we went with it very shortly after the initial release.

Happy and quiet users since then... I would like to believe those same people are still here. :)

I can ask Ad to provide a user ratio on updates, but mind you these are not complete as you guys have a number of mirrors to choose from.
Title: Re: ASLR, PIE and the future of i386
Post by: franco on October 17, 2016, 07:32:23 am
Base PIE (position independent execution) is going to be flipped on in 16.7.7 in order to fully leverage ASLR. Testing showed no issues and i386 behaves fine.

We will carry i386 into 2017 for sure, and re-evaluate after a fully supported 17.7 is out in July 2017.


Cheers,
Franco
Title: Re: ASLR, PIE and the future of i386
Post by: lattera on October 18, 2016, 03:08:44 am
It's important to note that this only enables PIE for applications in base. This does not enable PIE for applications installed via ports/pkg. I'm planning to enable PIE for ports in 17.1.