Position independent code
PaX implemented position independent executables in August 2001, using the ET_DYN type, but for binaries instead of libraries.
Two years later, PIE support was added to GNU binutils, and Gentoo Hardened was already building all its packages as position independent code:
In 2003 Hardened Gentoo introduced an approach referred to as ‘-y etdyn’ which consisted of building all code with -fPIC, and modifying the link stage to provide an ET_DYN executable using a modified PIC version of crt1.o, and setting the interp header to cause the executable to be loaded by the loader from glibc. ET_DYN versions of the crt1.o object were created for x86, parisc, ppc and sparc.
Adamantix did the very same, also in 2003.
OpenBSD got support for PIE binaries in November 2008 (OpenBSD 4.5) thanks to Kurt Miller, and they were enabled by default 4 years later, in August 2012, by Pascal Stumpf, in OpenBSD 5. He gave a nice presentation at AsiaBSDCon 2015 about the whole process, with an accompanying paper.
Starting from iOS 4.3 (March 2011) and OS X 10.7 (July 2011), Apple enabled PIE support by default and started to issue warnings for binaries that weren’t PIE.
But OpenBSD’s website says:
Position-independent executables (PIE): OpenBSD 5.3 was the first widely used operating system to enable it globally by default, on seven hardware platforms. Implemented in November 2008 by Kurt Miller and enabled by default by Pascal Stumpf in August 2012.
This statement is a bit misleading: OpenBSD was the first “widely used operating system” to enable PIE by default on 7 different CPU architectures, sure, but:
- I think that Gentoo Hardened and Adamantix were/are as much used as OpenBSD, and they did have PIE everywhere years before. And even if they aren’t, Apple was the first one to enable PIE by default.
- Android was the first one to enable PIE by default on 6 different architectures (x86, amd64, arm7, arm5, mips32, mips64).
- Fedora was the first one to enable PIE by default on 8 different architectures, and more.
This is an excellent mitigation: it improves ASLR by no longer mapping the main binary at a fixed address, and it is subject to the same threat model as ASLR itself.
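As an added example (not code from the original post or from any of the projects mentioned), here is a small Python check that tells an ET_EXEC binary apart from a PIE and from a plain shared object, using exactly the two ELF fields the Gentoo Hardened description relies on: the ET_DYN type and the presence of an interp (PT_INTERP) program header. The ELF images it checks when run without arguments are constructed inline, so it runs offline; `build_sample` and `classify_elf` are names chosen for this example.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3          # e_type values from the ELF specification
PT_INTERP = 3                   # program header naming the dynamic loader


def classify_elf(data: bytes) -> str:
    """Return 'exec', 'pie', 'shared' or 'other' for an ELF64 little-endian image.

    A PIE shares the ET_DYN type with a shared library; what marks it as an
    executable is a PT_INTERP program header (the 'interp header' in the
    Gentoo Hardened description) telling the kernel which loader to run.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    # Elf64_Ehdr after e_ident: e_type, e_machine, e_version, e_entry,
    # e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum
    (e_type, _, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum) = struct.unpack_from("<HHIQQQIHHH", data, 16)
    if e_type == ET_EXEC:
        return "exec"           # fixed load address: the main image escapes ASLR
    if e_type != ET_DYN:
        return "other"          # ET_REL, ET_CORE, ...
    for i in range(e_phnum):
        (p_type,) = struct.unpack_from("<I", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            return "pie"        # ET_DYN plus an interpreter: a PIE executable
    return "shared"             # ET_DYN without interpreter: a plain library


def build_sample(e_type: int, phdr_types) -> bytes:
    """Constructed minimal ELF64 image: x86-64 header plus a program header table."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0x1000,
                               64, 0, 0, 64, 56, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0)
                     for t in phdr_types)
    return ehdr + phdrs


if __name__ == "__main__":
    if len(sys.argv) > 1:           # python pie_check.py /path/to/binary
        print(classify_elf(open(sys.argv[1], "rb").read()))
    else:                           # PT_LOAD = 1, PT_DYNAMIC = 2, PT_INTERP = 3
        for t, ph in ((ET_EXEC, [1, 3]), (ET_DYN, [1, 3, 2]), (ET_DYN, [1, 2])):
            print(classify_elf(build_sample(t, ph)))   # exec, pie, shared
```

The same two fields are what `readelf -h` (Type) and `readelf -l` (INTERP entry) display on a real binary. A static-pie binary is ET_DYN without PT_INTERP, so this simple check reports it as 'shared'.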