Re: When did Debian decide to enable PIE by default?

2017-08-12 Thread tomas

On Sat, Aug 12, 2017 at 01:11:43PM +0200, Pascal Hambourg wrote:
> On 10/08/2017 at 10:00, to...@tuxteam.de wrote:

[...]

> >PIE is "position independent executable": it's about using PIC in the
> >Executable
> 
> Sorry, but I fail to see the difference.
> A shared library is executable, and the "code" in PIC is nothing but
> executable code, isn't it?

The difference is in intention (both are ELF these days). /bin/ls is
an "executable", /lib/x86_64-linux-gnu/libc.so.6 is a lib (yes, this
one has an entry point, you can invoke it from the command line).

While enabling PIC for libs has been done for a long time (IIRC the
first motivator was limited address space under 32 bit) and always
seemed a Good Idea(TM), for the executables I think it's ASLR that
brought a motivation with it. But I might be wrong.

Cheers
-- tomás



Re: When did Debian decide to enable PIE by default?

2017-08-12 Thread Pascal Hambourg

On 10/08/2017 at 10:00, to...@tuxteam.de wrote:
> On Wed, Aug 09, 2017 at 08:22:58PM -0400, Gene Heskett wrote:
>> Aha, another name for PIC, which I've only been writing code that uses
>> for 32 years. Also known as PCR, for Program Counter Relative.  Such
>> code can be loaded into memory and executed without any patching.
>
> Not exactly. PIC is "position independent code". Shared libraries have
> been compiled like that for a long time since (especially under 32 bits)
> you never knew where there was a hole in memory to mmap the library in.
>
> PIE is "position independent executable": it's about using PIC in the
> Executable

Sorry, but I fail to see the difference.
A shared library is executable, and the "code" in PIC is nothing but
executable code, isn't it?




Re: When did Debian decide to enable PIE by default?

2017-08-10 Thread 慕 冬亮


On 08/09/2017 10:48 AM, Gene Heskett wrote:
> On Wednesday 09 August 2017 10:31:48 Thomas Schmitt wrote:
>
>> Hi,
>>
>> 慕 冬亮  wrote:
>>> When does Debian Team, or Security Team decide to enable PIE by
>>> default?
>> I guess it was one year ago. At least that's the dates one can see on
>>https://wiki.debian.org/Hardening/PIEByDefaultTransition
>>
> Interesting Thomas, but what the heck is PIE?  I know about PAE, but PIE?
> What's it do?  Searching the above wiki returned only this thread.
Please take a look at the following URL:

https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_PIE_.28gcc.2Fg.2B-.2B-_-fPIE_-pie.29

It is a security feature which combines with ASLR to do full address 
space randomization.
> Thanks, you too.
>> Have a nice day :)
>>
>> Thomas
>
> Cheers, Gene Heskett

-- 

---
My best regards to you.

  No System Is Safe!
  Dongliang Mu



Re: When did Debian decide to enable PIE by default?

2017-08-10 Thread tomas

On Wed, Aug 09, 2017 at 08:22:58PM -0400, Gene Heskett wrote:
> On Wednesday 09 August 2017 10:52:26 慕 冬亮 wrote:
> 
> > On 08/09/2017 10:48 AM, Gene Heskett wrote:
> > > On Wednesday 09 August 2017 10:31:48 Thomas Schmitt wrote:
> > >> Hi,
> > >>
> > >> 慕 冬亮  wrote:
> > >>> When does Debian Team, or Security Team decide to enable PIE by
> > >>> default?
> > >>
> > >> I guess it was one year ago. At least that's the dates one can see
> > >> on https://wiki.debian.org/Hardening/PIEByDefaultTransition
> > >
> > > Interesting Thomas, but what the heck is PIE?  I know about PAE, but
> > > PIE? Whats it do?  Searching the above wiki returned only this
> > > thread.
> >
> > Please take a look at the following URL:
> >
> > https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_PIE_.28gcc.2Fg.2B-.2B-_-fPIE_-pie.29
> >
> Aha, another name for PIC, which I've only been writing code that uses
> for 32 years. Also known as PCR, for Program Counter Relative.  Such
> code can be loaded into memory and executed without any patching.

Not exactly. PIC is "position independent code". Shared libraries have
been compiled like that for a long time since (especially under 32 bits)
you never knew where there was a hole in memory to mmap the library in.

PIE is "position independent executable": it's about using PIC in the
Executable -- since that's the first to map in, the whole (well, nearly)
address space is available, and there's no need to generate PIC. Since
(under Intel) PIC is a tad slower than non-PIC, well...

But thanks to PIE you can map the executable itself into a random address
(ASLR), which makes it more difficult for an attacker to find useful
"tools" in the executable image.

> > It is a security feature which combines with ASLR to do full address
> > space randomization.

Yes.

Cheers
-- tomás
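The distinction drawn above (PIC shared libraries versus a PIE executable, and the later point that /bin/ls and libc.so.6 are both ELF and differ mainly in intention) can be checked on a binary rather than argued about. The following is an added example, not code from this thread or from Debian: a small ELF header parser that reports whether an image is a fixed-address executable (e_type ET_EXEC), a position-independent executable (ET_DYN carrying a PT_INTERP program header), or a plain shared library (ET_DYN without one). The `build_elf64` helper constructs minimal fake images so the classifier can be exercised offline; it is not a real linker output. The heuristic has exactly the limitation the thread mentions: glibc's libc.so.6 is linked with a program interpreter so it can be run directly, so it is reported as PIE by this check.

```python
"""Classify an ELF image as EXEC / PIE / shared-library from its headers.

Added example for the debian-user PIE thread; not code from the thread.
Only the ELF header and the program header table are read, so the check
works on any file without needing section or symbol information.
"""
import struct

ET_EXEC, ET_DYN = 2, 3                       # e_type values (ELF specification)
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3     # p_type values (ELF specification)


def classify_elf(data: bytes) -> str:
    """Return 'EXEC', 'PIE', 'shared-library' or 'other' for an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]        # 1/2 = 32/64-bit; 1/2 = LE/BE
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:
        # e_type e_machine e_version e_entry e_phoff e_shoff e_flags
        # e_ehsize e_phentsize e_phnum  (Elf64_Ehdr, after the 16-byte e_ident)
        fields = struct.unpack_from(endian + "HHIQQQIHHH", data, 16)
    elif ei_class == 1:
        fields = struct.unpack_from(endian + "HHIIIIIHHH", data, 16)   # Elf32_Ehdr
    else:
        raise ValueError("unknown EI_CLASS")
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]

    if e_type == ET_EXEC:
        return "EXEC"          # linked at a fixed address: ASLR cannot move this image
    if e_type != ET_DYN:
        return "other"         # relocatable object, core dump, ...

    # ET_DYN covers both shared libraries and PIE binaries. A PT_INTERP entry
    # (request for a program interpreter) marks the image as meant to be run.
    for i in range(e_phnum):
        p_type = struct.unpack_from(endian + "I", data, e_phoff + i * e_phentsize)[0]
        if p_type == PT_INTERP:
            return "PIE"
    return "shared-library"


def classify_path(path: str) -> str:
    """Classify an ELF file on disk, e.g. classify_path('/bin/ls')."""
    with open(path, "rb") as fh:
        return classify_elf(fh.read())


def build_elf64(e_type: int, phdr_types) -> bytes:
    """Constructed minimal little-endian x86-64 image: header + program headers, no code."""
    phoff, phentsize, phnum = 64, 56, len(phdr_types)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, v1
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 62, 1, 0x1000,        # e_type, EM_X86_64, EV_CURRENT, e_entry
        phoff, 0, 0,                  # e_phoff, e_shoff, e_flags
        64, phentsize, phnum,         # e_ehsize, e_phentsize, e_phnum
        64, 0, 0)                     # e_shentsize, e_shnum, e_shstrndx
    # Elf64_Phdr: p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 8) for t in phdr_types)
    return header + phdrs


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, classify_path(path))
```

On a Debian 9 or later system `python3 classify.py /bin/ls` should report PIE for binaries rebuilt after the transition, while a pre-transition or `-no-pie` build reports EXEC; that is the concrete difference between the two e_type values, and why only the former can be relocated by ASLR.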



Re: When did Debian decide to enable PIE by default?

2017-08-10 Thread tomas

On Wed, Aug 09, 2017 at 02:49:06PM +, 慕 冬亮 wrote:
> 
> 
> On 08/09/2017 10:31 AM, Thomas Schmitt wrote:
> > Hi,
> >
> > 慕 冬亮  wrote:
> >> When does Debian Team, or Security Team decide to enable PIE by default?
> > I guess it was one year ago. At least that's the dates one can see on
> >https://wiki.debian.org/Hardening/PIEByDefaultTransition
> Such good news for me, a student learning information security.
> However, I have a doubt: why does Debian enable PIE by default, other
> than stack protector and FORTIFY_SOURCE that are already enabled by
> default in the Ubuntu distribution?
> 
> I think stack protector (FORTIFY_SOURCE) has less overhead than PIE.

As far as I understand, stack protection and/or FORTIFY_SOURCE are
about protecting from buffer overflows. Stack protection sounds
pretty generic; in the case of FORTIFY_SOURCE, it's the compiler
doing extra compile-time checks (when possible) and inserting extra
run-time check code.

PIE isn't a security measure in itself -- it just allows such code
to be dynamically mapped at any address. But it enables address space
layout randomisation [1], which isn't a security measure in itself
either, but a *mitigation* technique: if an attacker has already
managed to take control of your program counter (e.g. by rewriting
a return address... possibly via a stack overflow, see above), you
make his/her life harder by not putting (potentially useful) code
at a place (s)he knows how to find.

It's like putting a chair in a dark room. Of course you should
try to make your door and lock as secure as possible. But just
in case...

>   No System Is Safe!

exactly :-)

Cheers
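The mitigation described above can be observed directly: if the kernel randomises the layout, the same symbol lands at a different address in every fresh process, and the executable image only takes part in that when it was built as PIE. The script below is an added example, not code from this thread. It spawns a few fresh Python interpreters, has each report where libc's `printf` and the interpreter's own `Py_Initialize` ended up, and compares the samples. It assumes a Linux (or other dlopen-style) system where `ctypes.CDLL(None)` gives a handle on the running process; the `/proc/sys/kernel/randomize_va_space` knob is Linux-specific and is only read for the report.

```python
"""Observe ASLR from user space by comparing symbol addresses across processes.

Added example for the debian-user PIE thread; not code from the thread.
Assumes a Linux/glibc-style system: ctypes.CDLL(None) is dlopen(NULL), i.e.
the running process, and resolves libc and interpreter symbols.
"""
import subprocess
import sys

# Probe run in a fresh interpreter: print where libc's printf and the
# interpreter's own Py_Initialize live in *that* process's address space.
PROBE = r"""
import ctypes
proc = ctypes.CDLL(None)                        # the running process (dlopen(NULL))
printf_addr = ctypes.cast(proc.printf, ctypes.c_void_p).value
init_addr = ctypes.cast(proc.Py_Initialize, ctypes.c_void_p).value
print(printf_addr, init_addr)
"""


def sample_addresses(runs: int = 4) -> list:
    """Return [(printf_addr, py_initialize_addr), ...], one tuple per fresh process."""
    samples = []
    for _ in range(runs):
        out = subprocess.run([sys.executable, "-c", PROBE],
                             capture_output=True, text=True, check=True).stdout
        a, b = out.split()
        samples.append((int(a), int(b)))
    return samples


def randomized(samples, index: int) -> bool:
    """True if the chosen symbol was seen at more than one address across runs."""
    return len({s[index] for s in samples}) > 1


def kernel_aslr_setting():
    """Linux knob: 0 = off, 1 = stack/mmap/VDSO, 2 = also brk (full). None if unavailable."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def aslr_report(runs: int = 4) -> dict:
    """Summarise which images moved between runs."""
    samples = sample_addresses(runs)
    return {
        "runs": len(samples),
        "kernel_setting": kernel_aslr_setting(),
        # libc is PIC, so with ASLR enabled its base moves on every exec
        "libc_randomized": randomized(samples, 0),
        # the interpreter image moves only if it was built as PIE (or if
        # Py_Initialize lives in a shared libpython rather than the executable)
        "interpreter_randomized": randomized(samples, 1),
    }


if __name__ == "__main__":
    for key, value in aslr_report().items():
        print(f"{key}: {value}")
```

With `randomize_va_space` at 2 and a PIE-built interpreter both flags come back True; a `-no-pie` build of the same interpreter would keep `interpreter_randomized` False while libc still moves, which is exactly the gap the PIE default closes. Addresses are sampled from a handful of processes, so the result is an observation, not a proof: a disabled or restricted sandbox can legitimately report False.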



Re: When did Debian decide to enable PIE by default?

2017-08-10 Thread Joe
On Wed, 9 Aug 2017 20:45:06 -0400
Gene Heskett  wrote:


> >  
> It is NOT a new invention by any means. Motorola's micro-processor in
> the first TRS-80 Color Computer, the MC6809E in the early 1980's was
> built with that in mind.  And I've been writing assembly code that
> used it ever since.
> 
> So it's only new to the wintel scene. :)  I assume moto's patents had
> to expire before anybody else could use it.

And it wasn't new to microprocessors. The DG Nova was using it rather
earlier, and I assume the PDPs had it. And so on...

http://users.rcn.com/crfriend/museum/doco/DG/Nova/base-instr.html

-- 
Joe



Re: When did Debian decide to enable PIE by default?

2017-08-09 Thread Gene Heskett
On Wednesday 09 August 2017 12:43:14 Thomas Schmitt wrote:

> Hi,
>
> Gene Heskett wrote:
> > > what the heck is PIE?
>
> Dan Ritter and others wrote:
> > https://en.wikipedia.org/wiki/Position-independent_code
>
> It seems to have caused only moderate trouble.
> Insofar it did not cause such a spectacular echo as other novelties
> and strategic decisions.
>
> 慕 冬亮  wrote:
> > why does Debian enable PIE by default, other
> > than stack protector and FORTIFY_SOURCE that are already enabled by
> > default in the Ubuntu distribution?
>
> All I know is what I learned during research for the question a few
> days ago, why Debian 9 was slower than Debian 8:
>   https://lists.debian.org/debian-user/2017/08/msg00051.html
> (It would be nice to learn if any new insight came to Alexandru
> Iancu.)
>
> If there remain particular technical questions after following all
> links and some sub-links of
>   https://wiki.debian.org/Hardening/PIEByDefaultTransition
> I would possibly ask on debian-devel mailing list, whether there is
> more info available about the motivation and constraints of Debian's
> decision.
>
It is NOT a new invention by any means. Motorola's micro-processor in the 
first TRS-80 Color Computer, the MC6809E in the early 1980's was built 
with that in mind.  And I've been writing assembly code that used it 
ever since.

So it's only new to the wintel scene. :)  I assume moto's patents had to
expire before anybody else could use it.  Although, moto did allow
Hitachi to "clone it" in cmos, but Hitachi had to promise to never, ever
admit it was anything but a clone. But Hitachi had some pretty clever
people, so the various nooks and crannies in the instruction map that
were blank in the motorola version were filled in, making it
considerably more orthogonal, and despite having an 8 bit data bus, it
actually has some 32 bit operations, like a 16 bit into 32 bit divide in
39 clocks maximum.  Or a 16x16 bit multiply in 25 clocks.  Taking full
advantage of all that, the formerly called os9 operating system, now
community maintained as Nitros9, is about 150% faster at the same clock
speed as that same socket was driven at in the 1983 or 84 time frame. I
had a hand in converting one of its code modules myself.

> Have a nice day :)
>
> Thomas


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: When did Debian decide to enable PIE by default?

2017-08-09 Thread Gene Heskett
On Wednesday 09 August 2017 10:52:26 慕 冬亮 wrote:

> On 08/09/2017 10:48 AM, Gene Heskett wrote:
> > On Wednesday 09 August 2017 10:31:48 Thomas Schmitt wrote:
> >> Hi,
> >>
> >> 慕 冬亮  wrote:
> >>> When does Debian Team, or Security Team decide to enable PIE by
> >>> default?
> >>
> >> I guess it was one year ago. At least that's the dates one can see
> >> on https://wiki.debian.org/Hardening/PIEByDefaultTransition
> >
> > Interesting Thomas, but what the heck is PIE?  I know about PAE, but
> > PIE? Whats it do?  Searching the above wiki returned only this
> > thread.
>
> Please take a look at the following URL:
>
> https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_PIE_.28gcc.2Fg.2B-.2B-_-fPIE_-pie.29
>
Aha, another name for PIC, which I've only been writing code that uses
for 32 years. Also known as PCR, for Program Counter Relative.  Such
code can be loaded into memory and executed without any patching.

> It is a security feature which combines with ASLR to do full address
> space randomization.
>
> > Thanks, you too.
> >
> >> Have a nice day :)
> >>
> >> Thomas
> >
> > Cheers, Gene Heskett


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: When did Debian decide to enable PIE by default?

2017-08-09 Thread 慕 冬亮


On 08/09/2017 10:31 AM, Thomas Schmitt wrote:
> Hi,
>
> 慕 冬亮  wrote:
>> When does Debian Team, or Security Team decide to enable PIE by default?
> I guess it was one year ago. At least that's the dates one can see on
>https://wiki.debian.org/Hardening/PIEByDefaultTransition
Such good news for me, a student learning information security.
However, I have a doubt: why does Debian enable PIE by default, other
than stack protector and FORTIFY_SOURCE that are already enabled by
default in the Ubuntu distribution?

I think stack protector (FORTIFY_SOURCE) has less overhead than PIE.

>
> Have a nice day :)
>
> Thomas
>

-- 

---
My best regards to you.

  No System Is Safe!
  Dongliang Mu



Re: When did Debian decide to enable PIE by default?

2017-08-09 Thread Pascal Hambourg

On 09/08/2017 at 17:05, Dan Ritter wrote:
> On Wed, Aug 09, 2017 at 10:48:24AM -0400, Gene Heskett wrote:
>> Interesting Thomas, but what the heck is PIE?

It is explained in the link posted by Thomas.

> It's a security measure.

No, PIE is not a security measure per se. It just allows mapping and
running the executable code anywhere in the address space instead of at
a fixed location, which is useful for shared libraries for example. This
feature is also used by Address Space Layout Randomization, which is a
security measure.




Re: When did Debian decide to enable PIE by default?

2017-08-09 Thread Thomas Schmitt
Hi,

Gene Heskett wrote:
> > what the heck is PIE?

Dan Ritter and others wrote:
> https://en.wikipedia.org/wiki/Position-independent_code

It seems to have caused only moderate trouble.
Insofar it did not cause such a spectacular echo as other novelties and
strategic decisions.


慕 冬亮  wrote:
> why does Debian enable PIE by default, other 
> than stack protector and FORTIFY_SOURCE that are already enabled by 
> default in the Ubuntu distribution?

All I know is what I learned during research for the question a few days
ago, why Debian 9 was slower than Debian 8:
  https://lists.debian.org/debian-user/2017/08/msg00051.html
(It would be nice to learn if any new insight came to Alexandru Iancu.)

If there remain particular technical questions after following all links
and some sub-links of
  https://wiki.debian.org/Hardening/PIEByDefaultTransition
I would possibly ask on debian-devel mailing list, whether there is more
info available about the motivation and constraints of Debian's decision.


Have a nice day :)

Thomas



Re: When did Debian decide to enable PIE by default?

2017-08-09 Thread Tony van der Hoff
On 09/08/17 15:48, Gene Heskett wrote:
> Interesting Thomas, but what the heck is PIE?  I know about PAE, but PIE?
> What's it do?  Searching the above wiki returned only this thread.
>
> Thanks, you too.
>> Have a nice day :)
>>
>> Thomas
>
> Cheers, Gene Heskett

Position-independent executable:

https://en.wikipedia.org/wiki/Position-independent_code



Re: When did Debian decide to enable PIE by default?

2017-08-09 Thread Dan Ritter
On Wed, Aug 09, 2017 at 10:48:24AM -0400, Gene Heskett wrote:
> On Wednesday 09 August 2017 10:31:48 Thomas Schmitt wrote:
> 
> > Hi,
> >
> > 慕 冬亮  wrote:
> > > When does Debian Team, or Security Team decide to enable PIE by
> > > default?
> >
> > I guess it was one year ago. At least that's the dates one can see on
> >   https://wiki.debian.org/Hardening/PIEByDefaultTransition
> >
> Interesting Thomas, but what the heck is PIE?  I know about PAE, but PIE?
> What's it do?  Searching the above wiki returned only this thread.
> 

https://en.wikipedia.org/wiki/Position-independent_code

It's a security measure.

-dsr-



Re: When did Debian decide to enable PIE by default?

2017-08-09 Thread Gene Heskett
On Wednesday 09 August 2017 10:31:48 Thomas Schmitt wrote:

> Hi,
>
> 慕 冬亮  wrote:
> > When does Debian Team, or Security Team decide to enable PIE by
> > default?
>
> I guess it was one year ago. At least that's the dates one can see on
>   https://wiki.debian.org/Hardening/PIEByDefaultTransition
>
Interesting Thomas, but what the heck is PIE?  I know about PAE, but PIE?
What's it do?  Searching the above wiki returned only this thread.

Thanks, you too.
>
> Have a nice day :)
>
> Thomas


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 



Re: When did Debian decide to enable PIE by default?

2017-08-09 Thread Thomas Schmitt
Hi,

慕 冬亮  wrote:
> When does Debian Team, or Security Team decide to enable PIE by default?

I guess it was one year ago. At least that's the dates one can see on
  https://wiki.debian.org/Hardening/PIEByDefaultTransition


Have a nice day :)

Thomas