Position independent code
PaX implemented position-independent executables in August 2001, using the ET_DYN type, but for binaries instead of libraries.
Two years later, PIE support was added to GNU binutils, and Gentoo Hardened was already building all its packages as position independent code:
In 2003 Hardened Gentoo introduced an approach referred to as ‘-y etdyn’ which consisted of building all code with -fPIC, and modifying the link stage to provide an ET_DYN executable using a modified PIC version of crt1.o, and setting the interp header to cause the executable to be loaded by the loader from glibc. ET_DYN versions of the crt1.o object were created for x86, parisc, ppc and sparc.
Adamantix did the very same, also in 2003.
In 2003, Fedora was shipping PIE binaries, and RHEL did the same the year after, as explained by Ulrich Drepper, but only for critical/setuid/network-facing packages.
OpenBSD got support for PIE binaries in November 2008 (OpenBSD 4.5) thanks to Kurt Miller, and they were enabled by default 4 years later, in August 2012, by Pascal Stumpf, in OpenBSD 5. He gave a nice presentation at AsiaBSDCon 2015 about the whole process, with an accompanying paper.
Starting from iOS 4.3 (March 2011) and OS X 10.7 (July 2011), Apple enabled PIE support by default and started to issue warnings for binaries that weren’t PIE.
Android started to support PIE in Jelly Bean (4.1) in July 2012, and removed support for non-PIE in Lollipop (5.0) in April 2015.
Alpine Linux enabled PIE support by default in 2014, and Fedora 23 did it too in 2015.
But OpenBSD’s website says:
Position-independent executables (PIE): OpenBSD 5.3 was the first widely used operating system to enable it globally by default, on seven hardware platforms. Implemented in November 2008 by Kurt Miller and enabled by default by Pascal Stumpf in August 2012.
This statement is a bit misleading: OpenBSD was the first “widely used operating system” to enable PIE by default on 7 different CPU architectures, sure, but:
- I think that Gentoo Hardened and Adamantix were/are as much used as OpenBSD, and they did have PIE everywhere years before. And even if they don’t, Apple was the first one to enable PIE by default.
- Android was the first one to enable PIE by default on 6 different architectures (x86, amd64, arm7, arm5, mips32, mips64)
- Fedora was the first one to enable PIE by default on 8 different architectures and more.
This is an excellent mitigation, improving ASLR by not having the binary mapped at a fixed offset, and subject to the same threat model.