[Security] PIE executables
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu | Confirmed | Wishlist | Unassigned |
Bug Description
Ubuntu should ship Position Independent Executables (PIEs). (See separate bug report for PIE randomization)
PIEs contain relocation information to allow the relocation of the main executable. In theory, the kernel can randomize a PIE with the mmap() base (as with libraries); see separate bug report for in-practice analysis.
Currently the kernel randomizes the stack base and mmap() base. The mmap() base covers libraries, file-backed mmap() segments (i.e. libraries), and anonymous data segments (including shared memory mappings IIRC). The heap should not contain code. This leaves the program executable.
In the case that the stack is executable (see #34131, #34132, #34129), a stack-based buffer overflow (stack smash) can pad the beginning of the attack with ASM commands such as 'inc %ecx' (A) or 'inc %edx' (B) and then clear these out at shellcode initialization (i.e. 'xor %ecx,%ecx'). The return address can use 'jmp %esp' to jump to the stack pointer address. Because of the non-fixed length and thus non-aligned nature of x86 assembly, such an instruction need not exist; an attacker only needs to find an executable memory page at a fixed address containing the word "0xFFE4".
PIEs need not be PIC. PIC has some positive and negative effects.
On the positive side, PIC will avoid .text relocations (TEXTRELs), which require mandatory access controls such as SELinux 'execmod' to allow a program to rewrite its own executable code; TEXTRELs also cause rewritten code to take up private (instead of shared) memory and take longer to load while the dynamic linker performs relocations.
On the negative side, x86 PIC code also executes slightly slower (x86-64 has special addressing so PIC doesn't matter); benchmarks show a 1% difference, while profiles done with oprofile show the time spent in the main executable as less than 0.02% in most programs EXCEPT Xorg which spends 5-8% of its time in its main executable. At times, people have claimed slowdowns of around 20% in special cases, particularly in a PHP benchmark on the PHP Apache module as PIC vs non-PIC.
Building PIEs can prove complex. Brandon Hale may have some specific knowledge in this area.
Also see bug #139436
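Added example (written for this page, not code from the bug report or from Ubuntu): two small checks that make the points in the description concrete. The first scans a code buffer for the byte pair FF E4 (the encoding of 'jmp *%esp', and of 'jmp *%rsp' on x86-64) at every byte offset, showing that the gadget can sit inside the immediate of a longer instruction even when no 'jmp %esp' was ever assembled. The second reads the ELF header's e_type field to tell a fixed-address executable (ET_EXEC) from a relocatable one (ET_DYN, which is what a PIE is; a shared library is also ET_DYN, so a full check would additionally look for PT_INTERP, which this example does not do). The sample code bytes and ELF headers are constructed inline; the helper names are my own.

```c
/* Added example, not part of the original bug report.
 * 1) find_jmp_esp / count_jmp_esp: locate FF E4 at ANY alignment in a buffer.
 * 2) elf_kind: classify an ELF header as fixed-address (ET_EXEC) or ET_DYN (PIE or
 *    shared object). Only little-endian ELF is handled; that is an assumption of
 *    this example, not a property of the loader.
 * Sample buffers below are constructed for illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Offset of the nth (0-based) FF E4 pair, checked at every byte offset, or SIZE_MAX
 * if there is no such pair. x86 decoding is byte-granular, so a jump landing on the
 * FF byte executes 'jmp *%esp' regardless of which instruction those bytes belonged to. */
size_t find_jmp_esp(const uint8_t *buf, size_t len, size_t nth)
{
    size_t seen = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] == 0xFF && buf[i + 1] == 0xE4) {
            if (seen == nth) return i;
            seen++;
        }
    }
    return SIZE_MAX;
}

size_t count_jmp_esp(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    while (find_jmp_esp(buf, len, n) != SIZE_MAX) n++;
    return n;
}

enum elf_kind { ELF_NOT_ELF = 0, ELF_OTHER = 1, ELF_FIXED_EXEC = 2, ELF_DYN_PIE = 3 };

/* e_ident is 16 bytes for both ELF32 and ELF64, so e_type is always at offset 16. */
int elf_kind(const uint8_t *hdr, size_t len)
{
    if (len < 18 || memcmp(hdr, "\x7f" "ELF", 4) != 0) return ELF_NOT_ELF;
    if (hdr[5] != 1) return ELF_OTHER;               /* EI_DATA: 1 = little-endian only */
    uint16_t e_type = (uint16_t)(hdr[16] | (hdr[17] << 8));
    if (e_type == 2) return ELF_FIXED_EXEC;          /* ET_EXEC: loads at its link address */
    if (e_type == 3) return ELF_DYN_PIE;             /* ET_DYN: relocatable, can be randomized */
    return ELF_OTHER;
}

/* Classify a file on disk; returns ELF_NOT_ELF if it cannot be read. */
int elf_kind_of_file(const char *path)
{
    uint8_t hdr[64];
    FILE *f = fopen(path, "rb");
    if (!f) return ELF_NOT_ELF;
    size_t got = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return elf_kind(hdr, got);
}

/* Constructed x86 bytes: the immediate of 'mov $0xE4FF,%eax' contains FF E4 at offset 4,
 * and a genuine 'jmp *%esp' sits at offset 10. */
static const uint8_t sample_code[] = {
    0x55,                         /* push %ebp            */
    0x89, 0xE5,                   /* mov  %esp,%ebp       */
    0xB8, 0xFF, 0xE4, 0x00, 0x00, /* mov  $0xE4FF,%eax    (FF E4 inside the immediate) */
    0x31, 0xC0,                   /* xor  %eax,%eax       */
    0xFF, 0xE4,                   /* jmp  *%esp           */
    0xC3                          /* ret                  */
};

/* Constructed minimal ELF64 little-endian headers: only magic, class, data and e_type. */
static const uint8_t sample_exec_hdr[18] = {
    0x7F, 0x45, 0x4C, 0x46, 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x02, 0x00 };
static const uint8_t sample_pie_hdr[18] = {
    0x7F, 0x45, 0x4C, 0x46, 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x03, 0x00 };

int main(int argc, char **argv)
{
    size_t n = count_jmp_esp(sample_code, sizeof sample_code);
    printf("FF E4 pairs in sample code: %zu\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  offset %zu\n", find_jmp_esp(sample_code, sizeof sample_code, i));

    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    static const char *names[] = { "not ELF / unreadable", "other", "ET_EXEC (fixed address)", "ET_DYN (PIE or shared object)" };
    printf("%s: %s\n", path, names[elf_kind_of_file(path)]);
    return 0;
}
```

Run it with no arguments to classify the running binary, or pass a path; compare the result for a build made with and without -fPIE/-pie.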