On Fri, Nov 29, 2019 at 5:09 PM <volf.to...@gmail.com> wrote: > > while looking into how alpine linux builds golang I've found that is patches > it to make -buildmode=pie the default. I've tried to find why. I've managed > to find this thread > > > https://groups.google.com/forum/#!searchin/golang-nuts/pie|sort:date/golang-nuts/Jd9tlNc6jUE/Z9ldF6vPEAAJ > > which seems to conclude that there is very little benefit to use pie in > golang. But then I found anothor thread (this time github ticket) > > https://github.com/golang/go/issues/35192 > > that decided to make pie default build mode for windows. If anyone would be > so kind to find some time, I have few questions: > > 1. Why just windows (and not linux)?
As you can see in the GitHub issue you cite, other Windows compilers reportedly default to PIE. The argument was that Go on Windows should act like other compilers on Windows. > 2. Is pie useful now even in go? (the first thread is from 2012-2014) PIE makes certain kinds of attacks on programs significantly more difficult. Those attacks must first find a bug in the program, typically an overflow of a buffer stored on the stack, which lets the attacker modify the stack in some way. If such a bug exists, using PIE makes it harder to exploit the bug. In Go it is very hard to write a program that contains such a bug, much much harder than it is in C. Therefore, I would say that PIE is much less important for Go than it is for C. But it is possible with a fair amount of work to write a Go program that contains such a bug. And Go programs can call C code, and it might be useful to use PIE to make it harder to exploit any bugs in that C code. So PIE is not completely useless for Go. > 3. Quote from > https://github.com/golang/go/issues/35192#issuecomment-548028186 : > > > The bug says ASLR but really this is just about making a > position-independent binary. There are other reasons to have one of those > besides ASLR. > > what are those reasons? PIE can be useful for systems like the memory sanitizer (https://github.com/google/sanitizers/wiki/MemorySanitizer) which need to allocate large amounts of memory, and need to know that the program can avoid the memory addresses that MSan wants. Ian -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/CAOyqgcWtbn_Ysy%2BX0RwWntV0Z1j4F5BzUbk0x2aReQozdJCGtQ%40mail.gmail.com.
