Fedora 20 Will Have A Security/Performance Change

Written by Michael Larabel in Fedora on 26 June 2013 at 03:48 PM EDT. 4 Comments
FEDORA
With Fedora 19 being released soon, the Fedora Engineering and Steering Committee has begun evaluating potential changes/features for Fedora 20. One of the features that was approved today is a build change for the RPMs that can yield greater code security but at the potential cost of performance.

The change that was approved today is a GCC flag change for now using "-fstack-protector-strong" on building Fedora RPM packages rather than just the "-fstack-protector" argument. The -fstack-protector flag has the compiler generate extra code automatically to check for buffer overflows. If a guard check fails -- meaning a potential buffer overflow occurred within the application -- there's an error message and the program exits. Fedora has been using -fstack-protector but now they are looking to use -fstack-protector-strong.

The strong fstack-protector came out of Google and was committed last year to the GNU Compiler Collection. The -fstack-protector-strong is a middle ground between the simple fstack-protector and fstack-protector-all, which is the greatest level of stack protection but can cost in run-time performance. Google suffered from a performance penalty when using fstack-protector-all for Chrome OS, so they devised fstack-protector-strong as a nice balance between the two existing commands.

When it was published last year, Google had been using it with Chromium OS already for a period of two years and didn't find any security problems.

Fedora 20 will now build with fstack-protector-strong to provide for greater stack protection over their simple fstack-protector they had been using, but aren't leaping to fstack-protector-all.

While this has the potential for slightly decreasing the performance, if there are performance regressions to be found, a reversion could take place prior to the mass rebuild for the Fedora 20 release. The details of this change were shared in today's FESCo meeting minutes.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week