Maintained by: NLnet Labs

[Unbound-users] Unbound release 1.4.12

Carsten Strotmann
Tue Jul 19 09:31:58 CEST 2011


On 7/18/11 10:26 PM, Gábor Lénárt wrote:
>> PIC-related slowdown is about 5% (or less) on x86 on my test
>> including both multimedia and crypto operations.
> And if I compile it "by hand" anyway, it can be
> called nice to eliminate this, even if it only gives 5% or even just
> 0.1% :)

There is a 'performance' vs. 'security' trade-off here. PIC/PIE
compiling has been introduced for a reason, it usually increases the
resilience against the damage done by certain attacks on security
vulnerabilities in code:

> PIE stands for 'Position Independent Executable' and describes a
> function where the operating system can load certain parts of the
> application at random positions inside the computers address space.
> In some attacks the attacker needs to know beforehand on which memory
> location a datastructure will be loaded (e.g. to jump into code that
> has been written using a buffer overflow). By having the operating
> system load the program code into different locations every time, the
> attacker cannot predict the memory location, which makes it harder to
> write a successful exploit.

http://blog.atariwiki.strotmann.de/roller/dnsworkshop/date/20110703

If you run Unbound in an untrusted network (e.g. Internet), having
Unbound PIC/PIE compiled might be a good idea from a security point of view.

-- Carsten