RFR: 8241996: on linux set full relro in the linker flags
Baesken, Matthias
matthias.baesken at sap.com
Wed Apr 1 13:35:12 UTC 2020
Hello, please review this binary hardening related change.
To improve binary hardening, we should enable full relro in the OpenJDK builds. Currently
our build settings enable only partial relro (they miss z,now).
See https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro
"Both partial and full RELRO reorder the ELF internal data sections to protect them from being overwritten in the event of a buffer-overflow,
but only full RELRO mitigates the above mentioned popular technique of overwriting the GOT entry to get control of program execution."
See also:
https://wiki.debian.org/Hardening
Some documentation/blogs mention a slight performance impact of full relro (for startup performance).
My quick checks on an example Linux server show not much impact (checked on linux x86_64).
1) time on a java HelloWorld varies (for both a patched and unpatched JDK) between 0,6 and 0,7 seconds;
2) perf runs on a java HelloWorld show a bit fewer cycles (not clear why) but more instructions:
> "normal JVM" :
> 185,085,660 cycles # 2.424 GHz ( +- 0.54% ) (83.18%)
> 128,415,594 stalled-cycles-frontend # 69.38% frontend cycles idle ( +- 0.80% ) (80.98%)
> 84,990,433 stalled-cycles-backend # 45.92% backend cycles idle ( +- 1.78% ) (65.38%)
> 102,950,894 instructions # 0.56 insns per cycle
> # 1.25 stalled cycles per insn ( +- 1.48% ) (86.90%)
>
> Changed JVM with z,now set :
>
> 182,514,813 cycles # 2.394 GHz ( +- 0.58% ) (80.14%)
> 126,879,112 stalled-cycles-frontend # 69.52% frontend cycles idle ( +- 0.81% ) (81.24%)
> 82,691,295 stalled-cycles-backend # 45.31% backend cycles idle ( +- 1.72% ) (69.16%)
> 103,958,399 instructions # 0.57 insns per cycle
> # 1.22 stalled cycles per insn ( +- 1.21% ) (89.47%)
Bug/webrev:
https://bugs.openjdk.java.net/browse/JDK-8241996
http://cr.openjdk.java.net/~mbaesken/webrevs/8241996.0/
Best regards, Matthias