Re: When did Debian decide to enable PIE by default?

To: debian-user@lists.debian.org
Subject: Re: When did Debian decide to enable PIE by default?
From: <tomas@tuxteam.de>
Date: Thu, 10 Aug 2017 10:00:41 +0200
Message-id: <[🔎] 20170810080041.GC30529@tuxteam.de>
In-reply-to: <[🔎] 201708092022.58464.gheskett@shentel.net>
References: <[🔎] DM5PR12MB19005B1179B5C8F643461FAFBC8A0@DM5PR12MB1900.namprd12.prod.outlook.com> <[🔎] 201708091048.24601.gheskett@shentel.net> <[🔎] DM5PR12MB19005B8AEDD70FA8BF414839BC8B0@DM5PR12MB1900.namprd12.prod.outlook.com> <[🔎] 201708092022.58464.gheskett@shentel.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Aug 09, 2017 at 08:22:58PM -0400, Gene Heskett wrote:
> On Wednesday 09 August 2017 10:52:26 慕 冬亮 wrote:
> 
> > On 08/09/2017 10:48 AM, Gene Heskett wrote:
> > > On Wednesday 09 August 2017 10:31:48 Thomas Schmitt wrote:
> > >> Hi,
> > >>
> > >> 慕 冬亮 <mudongliangabcd@hotmail.com> wrote:
> > >>> When does Debian Team, or Security Team decide to enable PIE by
> > >>> default?
> > >>
> > >> I guess it was one year ago. At least that's the dates one can see
> > >> on https://wiki.debian.org/Hardening/PIEByDefaultTransition
> > >
> > > Interesting Thomas, but what the heck is PIE?  I know about PAE, but
> > > PIE? Whats it do?  Searching the above wiki returned only this
> > > thread.
> >
> > Please take a look at the following URL:
> >
> > https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_PIE_.28gcc.2Fg.2
> >B-.2B-_-fPIE_-pie.29
> >
> Aha, another name for PIC, which I've only been writing code that uses it 
> for 32 years. Also known as PCR, for Program Counter Relative.  Such 
> code can be loaded into memory and executed without any patching.

Not exactly. PIC is "position independent code". Shared libraries have
been compiled like that for a long time since (especially under 32 bits)
you never knew where was a hole in memory to mmap the library in.

PIE is "position independent executable": it's about using PIC in the
Executable -- since that's the first to map in, the whole (well, nearly)
address space is available, and there's no need to generate PIC. Since
(under Intel) PIC is a tad slower than non-PIC, well...

But thanks PIE you can map the executable itself into a random address
(ASLR), which makes it more difficult for an attacker to find useful
"tools" in the executable image.

> > It is a security feature which combines with ASLR to do full address
> > space randomization.

Yes.

Cheers
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlmMEqkACgkQBcgs9XrR2kasngCeI49Xp+FPFo34Uy7FXvro2Vzq
+VMAn1QCl0A+qu/5PK9hua7Hp8q8ZJP7
=KyAN
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Re: When did Debian decide to enable PIE by default?
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>

References:
- When did Debian decide to enable PIE by default?
  - From: 慕冬亮 <mudongliangabcd@hotmail.com>
- Re: When did Debian decide to enable PIE by default?
  - From: Gene Heskett <gheskett@shentel.net>
- Re: When did Debian decide to enable PIE by default?
  - From: 慕冬亮 <mudongliangabcd@hotmail.com>
- Re: When did Debian decide to enable PIE by default?
  - From: Gene Heskett <gheskett@shentel.net>

Prev by Date: Re: When did Debian decide to enable PIE by default?
Next by Date: Re: Laser Printer recommendation...
Previous by thread: Re: When did Debian decide to enable PIE by default?
Next by thread: Re: When did Debian decide to enable PIE by default?
Index(es):
- Date
- Thread