Web lists-archives.com

Re: When did Debian decide to enable PIE by default?




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Aug 09, 2017 at 08:22:58PM -0400, Gene Heskett wrote:
> On Wednesday 09 August 2017 10:52:26 慕 冬亮 wrote:
> 
> > On 08/09/2017 10:48 AM, Gene Heskett wrote:
> > > On Wednesday 09 August 2017 10:31:48 Thomas Schmitt wrote:
> > >> Hi,
> > >>
> > >> 慕 冬亮 <mudongliangabcd@xxxxxxxxxxx> wrote:
> > >>> When does Debian Team, or Security Team decide to enable PIE by
> > >>> default?
> > >>
> > >> I guess it was one year ago. At least that's the dates one can see
> > >> on https://wiki.debian.org/Hardening/PIEByDefaultTransition
> > >
> > > Interesting Thomas, but what the heck is PIE?  I know about PAE, but
> > > PIE? Whats it do?  Searching the above wiki returned only this
> > > thread.
> >
> > Please take a look at the following URL:
> >
> > https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_PIE_.28gcc.2Fg.2
> >B-.2B-_-fPIE_-pie.29
> >
> Aha, another name for PIC, which I've only been writing code that uses it 
> for 32 years. Also known as PCR, for Program Counter Relative.  Such 
> code can be loaded into memory and executed without any patching.

Not exactly. PIC is "position independent code". Shared libraries have
been compiled like that for a long time since (especially under 32 bits)
you never knew where was a hole in memory to mmap the library in.

PIE is "position independent executable": it's about using PIC in the
Executable -- since that's the first to map in, the whole (well, nearly)
address space is available, and there's no need to generate PIC. Since
(under Intel) PIC is a tad slower than non-PIC, well...

But thanks PIE you can map the executable itself into a random address
(ASLR), which makes it more difficult for an attacker to find useful
"tools" in the executable image.

> > It is a security feature which combines with ASLR to do full address
> > space randomization.

Yes.

Cheers
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlmMEqkACgkQBcgs9XrR2kasngCeI49Xp+FPFo34Uy7FXvro2Vzq
+VMAn1QCl0A+qu/5PK9hua7Hp8q8ZJP7
=KyAN
-----END PGP SIGNATURE-----