Thursday, September 4, 2008

The -fPIE is a lie. Part 1

For those playing along at home, I've been working with Kees Cook (from Canonical) on investigating the possibility of generating Position Independent Executables for the AMD64 architecture, which would greatly help increase security for Ubuntu.

Position independent code roughly means that the binary does not assume it will be loaded at any particular address: on amd64 the compiler reaches code and data through RIP-relative addressing, so no absolute address is baked into the executable. Shared libraries are already built this way, but an ordinary executable is linked to a fixed address, which hands an attacker a known supply of code to jump to. Combined with address space layout randomization, the kernel technique that loads binaries and libraries at random locations in memory, a PIE build means the executable's own code, its PLT and its GOT move on every run, just as the libraries already do. The upshot is that on 64-bit systems, even if a buffer overflow or other programming bug makes it possible to overwrite the stack, a return-to-libc attack (or a return into the executable's own code) has no reliable address to aim at unless some other bug first leaks one, and the 64-bit address space has enough entropy that guessing is impractical. Stack smashes and buffer overflows are of course already caught in Ubuntu by the stack protector, which aborts the program when the canary next to the return address is overwritten, but it does not stop every overflow (a write that skips the canary, or a heap corruption, gets past it), which is why the randomization still matters.
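The quick way to check whether a binary actually came out PIE is `readelf -h`, which reports `Type: DYN (Shared object file)` for a PIE and `EXEC (Executable file)` for a fixed-address build, with `readelf -l` showing an INTERP segment to tell a PIE apart from an ordinary library. The C program below is an added example, not code from this post or from Ubuntu's toolchain; it performs that same check programmatically by parsing the ELF64 header and program headers, and classifies a file (by default the running program itself, via /proc/self/exe). It assumes an ELF64 image in the host's byte order, i.e. an amd64 binary inspected on amd64; the `build_sample` helper fabricates minimal constructed headers for demonstration and does not produce a real binary.

```c
/*
 * pie_check.c: classify an ELF64 image as a fixed-address executable,
 * a position independent executable (PIE), or a shared library.
 * Added example, not from the post or the Ubuntu toolchain. Assumes an
 * ELF64 image whose byte order matches the host (e.g. amd64 on amd64).
 *
 * A PIE is an ET_DYN object like a shared library, but it carries a
 * PT_INTERP program header naming the dynamic loader; a library does not.
 */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum elf_kind {
    ELF_UNKNOWN = 0,  /* not ELF64, truncated, or unsupported byte order */
    ELF_FIXED_EXEC,   /* ET_EXEC: linked at a fixed address, not PIE */
    ELF_PIE,          /* ET_DYN with PT_INTERP: position independent executable */
    ELF_SHARED_LIB,   /* ET_DYN without PT_INTERP: library (or static PIE on newer toolchains) */
    ELF_OTHER         /* ET_REL, ET_CORE, ...: nothing the kernel would execute */
};

static int host_is_little_endian(void)
{
    const uint16_t one = 1;
    return *(const unsigned char *)&one == 1;
}

/* Classify the leading bytes of an ELF file (header plus program headers). */
enum elf_kind classify_elf64(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh)
        return ELF_UNKNOWN;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64)
        return ELF_UNKNOWN;
    /* Fields are read in host order, so only accept a matching encoding. */
    if (eh.e_ident[EI_DATA] != (host_is_little_endian() ? ELFDATA2LSB : ELFDATA2MSB))
        return ELF_UNKNOWN;
    if (eh.e_type == ET_EXEC)
        return ELF_FIXED_EXEC;
    if (eh.e_type != ET_DYN)
        return ELF_OTHER;
    /* ET_DYN: a PIE is told apart from a library by its PT_INTERP entry. */
    if (eh.e_phentsize != sizeof(Elf64_Phdr))
        return ELF_UNKNOWN;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        size_t off = (size_t)eh.e_phoff + (size_t)i * sizeof ph;
        if (off > len || len - off < sizeof ph)
            return ELF_UNKNOWN;  /* program headers not inside the buffer */
        memcpy(&ph, buf + off, sizeof ph);
        if (ph.p_type == PT_INTERP)
            return ELF_PIE;
    }
    return ELF_SHARED_LIB;
}

/* Read the front of a file and classify it; 64 KiB covers the headers. */
enum elf_kind classify_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return ELF_UNKNOWN;
    unsigned char *buf = malloc(65536);
    size_t n = buf ? fread(buf, 1, 65536, f) : 0;
    fclose(f);
    enum elf_kind k = buf ? classify_elf64(buf, n) : ELF_UNKNOWN;
    free(buf);
    return k;
}

/* Constructed sample: a bare ELF64 header followed by one program header.
 * Demonstration data only, not a loadable binary. Returns bytes written. */
size_t build_sample(unsigned char *buf, size_t cap, uint16_t e_type, int with_interp)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph;
    if (cap < sizeof eh + sizeof ph)
        return 0;
    memset(&eh, 0, sizeof eh);
    memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = host_is_little_endian() ? ELFDATA2LSB : ELFDATA2MSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = e_type;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = 1;
    ph.p_type = with_interp ? PT_INTERP : PT_LOAD;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, &ph, sizeof ph);
    return sizeof eh + sizeof ph;
}

/* Build a sample of the given shape and classify it. */
enum elf_kind sample_kind(uint16_t e_type, int with_interp)
{
    unsigned char buf[sizeof(Elf64_Ehdr) + sizeof(Elf64_Phdr)];
    size_t n = build_sample(buf, sizeof buf, e_type, with_interp);
    return classify_elf64(buf, n);
}

int main(int argc, char **argv)
{
    static const char *names[] = {
        "unknown or unsupported", "fixed-address executable (not PIE)",
        "PIE", "shared library (or static PIE)", "other ELF object"
    };
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    printf("%s: %s\n", path, names[classify_file(path)]);
    return 0;
}
```

Run it with no arguments to see whether the compiler you built it with defaulted to PIE, or pass the path of a package's binary to audit a rebuilt chroot.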

Now some people may be wondering why we're not doing this for x86. The reason is that there is a price to be paid by PIE code: 32-bit x86 has no PC-relative addressing for data, so a register (conventionally %ebx) must be reserved to hold the address of the global offset table through which globals and cross-module calls are reached. x86 has only eight general purpose registers to begin with, so giving one of them up is a rather large cost. Architectures such as ia64, powerpc and sparc have more than enough general registers to make the change feasible without adversely affecting performance, and amd64 is cheaper still: with sixteen general registers and RIP-relative addressing, position independent code there rarely needs a dedicated register at all.

Currently, I'm working on building a base chroot completely PIE enabled, and then rebootstrapping Ubuntu from scratch, a laborious, but hopefully successful, attempt at rebuilding the archive with PIE.
