On 02/27/2011 08:03 AM, "Tóth Attila" wrote:
> On 27 February 2011 (Sun) 13:54, Magnus Granberg wrote:
>> On Sunday 27 February 2011 10.11.58 Ryan Hill wrote:
>>> On Sun, 27 Feb 2011 09:20:57 +0100
>>>
>>> klondike <franxisco1...@gmail.com> wrote:
>>>> 2011/2/27 Ed W <li...@wildgooses.com>:
>>>>> On 26/02/2011 18:01, Magnus Granberg wrote:
>>>>>> If you have read the last meeting we will be removing the pic use flag
>>>>>> as default on in the hardened amd64 profile. We will start with the
>>>>>> changes when the new structure to the profiles has settled down.
>>>>>
>>>>> Hi, any chance of a bit of background on this change? i.e. the "why" and
>>>>> some of the implications?
>>
>> Most of the asm code is in libs and on amd64 it needs to be PIC friendly from
>> the start. We don't need to disable asm code. We do that most times with the
>> pic use flag on hardened profile.
>>
>> /Magnus
>
> I'm still running Hardened on x86. I'm thinking of the optimal time to
> switch to amd64. Is it better from the security point of view?
> I assume that it's easier to make amd64 asm code PIC-aware because of the
> higher number of available registers.
>
> Dw.

This is a loaded question. For many exploits it does not make a difference if you are on 64 or 32 bits. For some it does.

An example of where it doesn't make a difference is a classic buffer overflow. An example of where it does is an attempt to defeat address space randomization by brute force. 32-bit address space is only 4G which is not impossibly large for success by brute force while 64-bits is about 10^19. A lot harder.

And then, to complicate matters, 64-bit with 32-bit compat opens up yet another family of exploits, like the one Dan Rosenberg found a few months back which abused the way 32-bit syscalls were treated by 64-bit kernels with 32-bit compat.

-- 
Anthony G. Basile, Ph.D.
Gentoo Developer