Any recent benchmarks of PAX?

Postby ren » Wed Dec 04, 2013 7:18 am

I like the idea of protecting stack and program memory and adding unpredictability to attacks (PAX), but I'm worried about the performance impact and don't want the extra features provided by the Grsecurity patch.

Is there a recent benchmark of PAX on 64-bit CPUs?

The most recent I could find is by the author of Kguard but the numbers are not encouraging: https://www.usenix.org/system/files/con ... nal143.pdf

Thanks in advance.
ren
 
Posts: 3
Joined: Wed Dec 04, 2013 7:16 am

Re: Any recent benchmarks of PAX?

Postby PaX Team » Wed Dec 04, 2013 6:36 pm

i'm not sure i understood what you're after as the referenced paper has nothing to do with the userland protection features you said you cared about ;). as for the performance impact, it's best that you measure them yourself on your config&arch as different features have different impact. as for that paper, it's a bad one, when i tried out his gcc plugin (it didn't even compile as published, so i don't know what exactly he tested) it had much worse impact than the KERNEXEC plugin (which had already existed at the time but he ignored it for some reason and went instead for two PaX features that are not even comparable to his plugin).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Any recent benchmarks of PAX?

Postby ren » Thu Dec 05, 2013 2:23 am

PaX Team wrote: i'm not sure i understood what you're after as the referenced paper has nothing to do with the userland protection features you said you cared about ;)


Basically I'd like to have PAX security but I don't want to affect system performance too much, that's why I asked about the performance hit (if any) on 64bit cpus.

The Kguard paper says, "The PaX-protected kernel exhibits a latency ranging between 5.6% and 257% (average 84.5%) on the x86, whereas on x86-64, the latency overhead ranges between 19% and 531% (average 172.2%)". OTOH the previous benchmarks by Pedro Venda (2005) at http://web.archive.org/web/200806120313 ... rformance/ seemed to favor 64 bit vs 32 bit (but then again, I'm not an expert and might have got it wrong, that's why I asked in the first place).

PaX Team wrote: it's best that you measure them yourself on your config&arch as different features have different impact


Ok. Can you suggest a valid benchmarking tool? I'm more interested in simulating real-world performance rather than purely synthetic numbers. My system is Debian on Intel i7 (Haswell).

Thanks for your reply.
ren
 
Posts: 3
Joined: Wed Dec 04, 2013 7:16 am

Re: Any recent benchmarks of PAX?

Postby PaX Team » Thu Dec 05, 2013 7:41 am

i still don't know what your target system does. is it a desktop? some server? embedded device? all of these can have very different performance targets and tradeoffs between security and performance, etc. the general rule of thumb is to measure the system as it'll be used, benchmarks are artificial and won't tell you the whole story. if you care about userland protections only then they're basically free (NX bit, ASLR), and the impact of the kernel self-protection features varies greatly (the worst ones are noted in the config help, so make sure you read it).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Any recent benchmarks of PAX?

Postby ren » Thu Dec 05, 2013 8:24 am

It's a desktop system (laptop, typical desktop activity + software development + some multimedia/graphics). I'd like to enable ASLR, non-executable pages, segmentation-based implementation (the 1.5 gb limit is per application, right?), random tcp source ports, random ip ids.
ren
 
Posts: 3
Joined: Wed Dec 04, 2013 7:16 am

Re: Any recent benchmarks of PAX?

Postby PaX Team » Thu Dec 05, 2013 2:08 pm

SEGMEXEC is specific to i386, it doesn't exist (nor is it needed) on amd64, so don't worry about it.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Any recent benchmarks of PAX?

Postby boos » Fri Feb 14, 2014 12:12 pm

How can I test the performance impact on an ARM machine? Do you have a benchmark tool or any suggestion to do that?
boos
 
Posts: 1
Joined: Thu Feb 06, 2014 10:37 am

