
Do I need -KPIC -DPIC and -ztype=pie for full ASLR support?

RaiderOfTheLostSPARC Member Posts: 259 Blue Ribbon

Hi,

do I have to compile my programs with -KPIC -DPIC and -ztype=pie so that -zaslr=enable has any effect?

$ cc -KPIC -DPIC -ztype=pie -zaslr=enable helloworld.c

$ file a.out

a.out: ELF 32-bit LSB dynamic lib 80386 Version 1 [SSE], position-independent executable, dynamically linked, not stripped

Also it seems like nothing in the base OS is compiled with PIC/PIE, why is that so?

$ file /usr/bin/* | grep position

$ file /usr/sbin/* | grep position

$


Best Answer

  • Ali Bahrami-Oracle
    Ali Bahrami-Oracle Member Posts: 7
    edited Jun 9, 2017 2:12PM Answer ✓

    The short answer is: Yes, you do.

    As you undoubtedly know, ASLR works by altering the mapped addresses of
    mapped objects.

    ASLR has always been able to work on the shared objects in a process, because
    shared objects are ET_DYN, built to be mapped at arbitrary addresses. Shared
    objects should always be built PIC, because otherwise, they end up containing code
    that needs to be fixed up at load time, imposing unnecessary startup costs.

    ASLR has traditionally not been able to work on the main "a.out" object, because such
    objects were built as ET_EXEC, fixed to a known address. The initial ASLR rollout
    was therefore not "full", because it ignored the a.out. Hence, the invention
    of PIE. PIEs are "executables" built as ET_DYN, which can be mapped arbitrarily.
    With PIE, you can have "full ASLR".

    Hence, for "full ASLR", you need -ztype=PIE, and if you define "full" as also meaning
    "high quality", then you should also compile it as PIC.

    I'm not really sure what -DPIC does, if anything, so I'll leave that to a compiler expert
    to answer.

    If you were running the latest development bits, as I am, you'd see a
    different result:

        [email protected]% file /usr/bin/* | grep position | wc -l
        385

    These things take time to work through the pipeline, but you will eventually see
    PIE in the system.
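The answer above turns on one ELF header field: a main program built as ET_EXEC is fixed to a known address and cannot be relocated by ASLR, while a PIE (like a shared object) is ET_DYN and can be mapped anywhere. The following Python is an added example written for this page, not code from the poster or from Oracle; it reads only the first bytes of an ELF image and reports class, byte order and e_type, which is the same information `file` summarises as "32-bit LSB ... position-independent executable". The sample headers it builds with make_header are constructed test inputs, not real binaries.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2   # fixed-address executable: ASLR cannot move it
ET_DYN = 3    # shared object or PIE: mappable at an arbitrary address
ET_NAMES = {0: "ET_NONE", 1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
EM_NAMES = {2: "SPARC", 3: "80386", 43: "SPARCV9", 62: "x86-64"}


def elf_type(data: bytes) -> dict:
    """Decode e_ident, e_type and e_machine from the start of an ELF image.

    Only the first 20 bytes are needed: e_ident is 16 bytes in both ELF classes
    and is followed by e_type (2 bytes) and e_machine (2 bytes).
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class = data[4]   # 1 = ELFCLASS32, 2 = ELFCLASS64
    ei_data = data[5]    # 1 = ELFDATA2LSB (little-endian), 2 = ELFDATA2MSB
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unknown ELF class or data encoding")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "little_endian": ei_data == 1,
        "e_type": ET_NAMES.get(e_type, hex(e_type)),
        "machine": EM_NAMES.get(e_machine, hex(e_machine)),
    }


def aslr_relocatable(data: bytes) -> bool:
    """True when the image is ET_DYN and so can be placed at a randomised base."""
    return elf_type(data)["e_type"] == "ET_DYN"


def make_header(ei_class: int, ei_data: int, e_type: int) -> bytes:
    """Constructed minimal ELF header for testing (e_ident + e_type + e_machine + e_version)."""
    endian = "<" if ei_data == 1 else ">"
    e_ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + bytes(8)
    e_machine = 3 if ei_class == 1 else 62   # 80386 for 32-bit, x86-64 for 64-bit
    return e_ident + struct.pack(endian + "HHI", e_type, e_machine, 1)


def classify_path(path: str) -> dict:
    """Classify a real file on disk by reading just its ELF header."""
    with open(path, "rb") as fh:
        return elf_type(fh.read(20))


if __name__ == "__main__":
    import sys
    # Usage: python elfcheck.py /usr/bin/*   (reports ET_EXEC vs ET_DYN per file)
    for p in sys.argv[1:]:
        try:
            info = classify_path(p)
        except (OSError, ValueError) as exc:
            print(f"{p}: skipped ({exc})")
            continue
        print(f"{p}: {info['bits']}-bit {info['machine']} {info['e_type']}")
```

Note that ET_DYN covers both shared libraries and PIEs, which is exactly the point of the answer: a PIE is an executable that borrows the shared-object file type. Telling the two apart, or checking whether a Solaris object was linked with -zaslr=enable (the SUNW_ASLR dynamic tag that elfdump -d reports), needs the dynamic section, which this header-only check does not read.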

Answers

  • Steve.Clamage-Oracle
    Steve.Clamage-Oracle Oracle Studio C++ Project Lead Santa Clara, CA, USA, Member Posts: 775
    edited Jun 9, 2017 2:20PM

    -DPIC is not needed by Studio compilers or by Solaris. An application might use a macro PIC for its own purposes.

  • Steve.Clamage-Oracle
    Steve.Clamage-Oracle Oracle Studio C++ Project Lead Santa Clara, CA, USA, Member Posts: 775
    edited Jun 9, 2017 2:23PM

    On the current Solaris 11.3 bits, you can run

    $ elfdump -d /usr/bin/* /usr/sbin/* 2>&1 | grep SUNW_ASLR | grep -c ENABLE

    and see a large number of files that use ASLR. Shared libraries also use ASLR.

  • Alanc-Oracle
    Alanc-Oracle Oracle Solaris Engineering Santa Clara, California, USA, Member Posts: 208 Employee
    edited Jun 9, 2017 5:01PM

    -DPIC does exactly what you'd expect, it #define's PIC, which is commonly used with inline assembly to choose between PIC & non-PIC versions, and because GNU autoconf defines it when building shared libraries, is sometimes used when code differs between shared & static libraries.  I'm not aware of anything in the core Solaris headers that checks for #ifdef PIC, but I wouldn't be surprised if some of our bundled FOSS libraries have such checks in headers your program may be including.
