On 05/22/2016 10:50 AM, Andrey Rahmatullin wrote:
> On Sun, May 22, 2016 at 10:41:56AM +0200, Christian Seiler wrote:
>> => however, -fPIC code is again slightly slower and
>> larger than -fPIE code.
> Really? I thought the idea is the same in both modes.
Ok, thinking about it again, if you use relro + bindnow, there will
probably be no difference anymore. (But PIC uses PLT when bindnow
is not used, whereas PIE never uses PLT.)
>> So in the end it boils down to the following:
>>
>> A. From a hardening perspective, any code that is added to
>> static libraries should be compiled with -fPIE if the static
>> library will only ever be used in executables, and with
>> -fPIC if it also might be used in shared libraries.
>> (Although, to be honest, that use case is a bit rarer.)
> This, of course, assumes all executables using that library will be
> compiled with -fPIE.
No. You can combine -fPIE code with non-PIE code into a non-PIE
executable:

a.c:
    const char *hello = "Hello World";
    const char **p_a() { return &hello; }

b.c:
    const char **p_a();
    const char *p_b() { return *p_a(); }

m.c:
    #include <stdio.h>
    const char *p_b();
    int main() { puts(p_b()); return 0; }

    gcc -Wall -fno-PIE -c -o a.o a.c
    gcc -Wall -fPIE -c -o b.o b.c
    gcc -Wall -fno-PIE -c -o m.o m.c
    gcc -o m m.o a.o b.o
    ./m
    Hello World

>> B. From a performance perspective, using non-PIC/PIE code is
>> faster, though not necessarily by much anymore.
> It was worth mentioning only for i386 anyway.
Well, there's not only amd64 and i386 - and some other platforms
also show some differences here. But as I said: I would recommend
using PIE/PIC anyway.
Regards,
Christian
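Added example, not part of the original message: because -fPIE objects can end up in a non-PIE executable as shown above, a hardening check has to look at the linked file rather than at the compile flags. The sketch below classifies an ELF image by its e_type and program headers; the names classify_elf64, build_sample and elf_kind are hypothetical, and it assumes a 64-bit little-endian ELF file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants from the ELF specification (suffixed to avoid clashing with <elf.h>). */
enum { ET_REL_ = 1, ET_EXEC_ = 2, ET_DYN_ = 3, PT_INTERP_ = 3 };
enum elf_kind { K_INVALID, K_OBJECT, K_NON_PIE_EXEC, K_PIE_EXEC, K_SHARED_LIB };

/* Read an n-byte little-endian integer. */
static uint64_t le(const unsigned char *p, int n) {
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Classify a 64-bit little-endian ELF image held in memory. */
enum elf_kind classify_elf64(const unsigned char *buf, size_t len) {
    if (len < 64 || memcmp(buf, "\177ELF", 4) != 0) return K_INVALID;
    if (buf[4] != 2 || buf[5] != 1) return K_INVALID;  /* ELFCLASS64 + ELFDATA2LSB only */
    uint64_t type = le(buf + 16, 2);                   /* e_type */
    if (type == ET_REL_) return K_OBJECT;              /* .o file: same type with or without -fPIE */
    if (type == ET_EXEC_) return K_NON_PIE_EXEC;       /* fixed load address */
    if (type != ET_DYN_) return K_INVALID;
    uint64_t phoff = le(buf + 32, 8), phentsize = le(buf + 54, 2), phnum = le(buf + 56, 2);
    if (phoff > len || phentsize < 56) return K_INVALID;
    /* Heuristic (assumption): a dynamically linked PIE has PT_INTERP, a typical .so does not. */
    for (uint64_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + i * phentsize;
        if (off > len || len - off < 4) return K_INVALID;  /* truncated program header table */
        if (le(buf + off, 4) == PT_INTERP_) return K_PIE_EXEC;
    }
    return K_SHARED_LIB;
}

/* Constructed sample: a 64-byte ELF header followed by one 56-byte program header. */
void build_sample(unsigned char img[120], unsigned type, unsigned p_type) {
    memset(img, 0, 120);
    memcpy(img, "\177ELF\002\001\001", 7);  /* magic, ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
    img[16] = (unsigned char)type;          /* e_type */
    img[32] = 64; img[54] = 56; img[56] = 1; /* e_phoff, e_phentsize, e_phnum */
    img[64] = (unsigned char)p_type;        /* p_type of the only program header */
}

int main(void) {
    unsigned char img[120];
    build_sample(img, ET_DYN_, PT_INTERP_);
    printf("kind = %d\n", classify_elf64(img, sizeof img));
    return 0;
}
```

Static PIE binaries and the few shared objects that carry an interpreter entry fall outside this heuristic.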