JDK / JDK-8241996

on linux set full relro in the linker flags

    Details

    • Resolved In Build: b18
    • CPU: generic
    • OS: linux

        Description

        To improve binary hardening, we should enable full relro in the OpenJDK builds. Currently
        our build settings enable only partial relro (they miss z,now).
        See https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro

        "Both partial and full RELRO reorder the ELF internal data sections to protect them from being overwritten in the event of a buffer-overflow,
        but only full RELRO mitigates the above mentioned popular technique of overwriting the GOT entry to get control of program execution."

        See also:
        https://wiki.debian.org/Hardening

        Some documentation/blogs mention a slight performance impact of full relro (for startup performance).
        However, my quick checks on an example Linux server show not much impact.

                People

                • Assignee: mbaesken Matthias Baesken
                • Reporter: mbaesken Matthias Baesken