- Enhancement
- Resolution: Fixed
- P3
- 15
- b18
- generic
- linux
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8251895 | 11.0.10-oracle | Vaibhav Choudhary | P3 | Resolved | Fixed | b01 |
JDK-8252317 | 11.0.9-oracle | Vaibhav Choudhary | P3 | Resolved | Fixed | b06 |
JDK-8243407 | 11.0.8 | Matthias Baesken | P3 | Resolved | Fixed | b01 |
To improve binary hardening, we should enable full relro in the OpenJDK builds. Currently
our build settings enable only partial relro (they miss z,now).
See https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro
"Both partial and full RELRO reorder the ELF internal data sections to protect them from being overwritten in the event of a buffer-overflow,
but only full RELRO mitigates the above mentioned popular technique of overwriting the GOT entry to get control of program execution."
See also:
https://wiki.debian.org/Hardening
Some documentation/blogs mention a slight performance impact of full relro (for startup performance).
However, my quick checks on an example Linux server show not much impact.
Backported by:
- JDK-8243407 on linux set full relro in the linker flags (Resolved)
- JDK-8251895 on linux set full relro in the linker flags (Resolved)
- JDK-8252317 on linux set full relro in the linker flags (Resolved)