Re: When did Debian decide to enable PIE by default?
- Date: Thu, 10 Aug 2017 10:00:41 +0200
- From: <tomas@xxxxxxxxxx>
- Subject: Re: When did Debian decide to enable PIE by default?
On Wed, Aug 09, 2017 at 08:22:58PM -0400, Gene Heskett wrote:
> On Wednesday 09 August 2017 10:52:26 慕 冬亮 wrote:
> > On 08/09/2017 10:48 AM, Gene Heskett wrote:
> > > On Wednesday 09 August 2017 10:31:48 Thomas Schmitt wrote:
> > >> Hi,
> > >>
> > >> 慕 冬亮 <mudongliangabcd@xxxxxxxxxxx> wrote:
> > >>> When does Debian Team, or Security Team decide to enable PIE by
> > >>> default?
> > >>
> > >> I guess it was one year ago. At least that's the dates one can see
> > >> on https://wiki.debian.org/Hardening/PIEByDefaultTransition
> > >
> > > Interesting Thomas, but what the heck is PIE? I know about PAE, but
> > > > PIE? What's it do? Searching the above wiki returned only this
> > > thread.
> > Please take a look at the following URL:
> > https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_PIE_.28gcc.2Fg.2
> Aha, another name for PIC, which I've only been writing code that uses it
> for 32 years. Also known as PCR, for Program Counter Relative. Such
> code can be loaded into memory and executed without any patching.
Not exactly. PIC is "position independent code". Shared libraries have
been compiled like that for a long time since (especially under 32 bits)
you never knew where there was a hole in memory to mmap the library in.

PIE is "position independent executable": it's about using PIC in the
Executable -- since that's the first to map in, the whole (well, nearly)
address space is available, and there's no need to generate PIC. Since
(under Intel) PIC is a tad slower than non-PIC, well...

But thanks to PIE you can map the executable itself into a random address
(ASLR), which makes it more difficult for an attacker to find useful
"tools" in the executable image.
> > It is a security feature which combines with ASLR to do full address
> > space randomization.
-- tomás
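
An added example, not part of the original message or of any Debian tool: a small ELF header check that tells a fixed-address executable from a PIE one, which is what decides whether ASLR can relocate the executable image itself. The function names, the PT_INTERP heuristic and the constructed sample headers are assumptions of this example.

```python
import struct

ET_EXEC, ET_DYN = 2, 3   # e_type values from the ELF specification
PT_INTERP = 3            # program header that names the dynamic loader

def classify_elf(data: bytes) -> str:
    """Return 'non-PIE executable', 'PIE executable', 'shared object' or 'other'."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little endian
    fmt = end + ("16sHHIQQQIHHHHHH" if is64 else "16sHHIIIIIHHHHHH")
    if len(data) < struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    hdr = struct.unpack_from(fmt, data)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    if e_type == ET_EXEC:
        return "non-PIE executable"        # linked for one fixed load address
    if e_type != ET_DYN:
        return "other"                     # relocatable object, core file, ...
    # PIE and shared libraries are both ET_DYN. Heuristic (assumption of this
    # example): a requested interpreter means "program". Static PIE has no
    # PT_INTERP and a few libraries carry one, so this is not a proof.
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            raise ValueError("truncated program header table")
        (p_type,) = struct.unpack_from(end + "I", data, off)  # p_type is first
        if p_type == PT_INTERP:
            return "PIE executable"
    return "shared object"

def sample(e_type, ptypes, is64=True):
    """Constructed sample: minimal little-endian ELF header plus program headers."""
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1]) + bytes(9)
    ehsize, phentsize = (64, 56) if is64 else (52, 32)
    fmt = "<16sHHIQQQIHHHHHH" if is64 else "<16sHHIIIIIHHHHHH"
    hdr = struct.pack(fmt, ident, e_type, 62, 1, 0, ehsize, 0, 0,
                      ehsize, phentsize, len(ptypes), 0, 0, 0)
    return hdr + b"".join(struct.pack("<I", t).ljust(phentsize, b"\0")
                          for t in ptypes)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:              # e.g. the binaries shipped in a package
        with open(path, "rb") as f:
            print(path, classify_elf(f.read()))
```

Run against the executables in a package to list the ones still linked at a fixed address.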