Re: Vendor adoption of PIE INFO#934476 oss-security

[Nick Kralevich <nnk () google com>]

On Fri, Mar 13, 2015 at 10:19 AM, Daniel Micay <danielmicay () gmail com> wrote:
> On 13/03/15 11:05 AM, Solar Designer wrote:
> > On Thu, Mar 12, 2015 at 08:31:42PM -0700, Nick Kralevich wrote:
> > > I wanted to provide a followup on this year-old thread.
> >
> > Thank you!
> >
> > > With the release of Android 5.0, Android has removed support for
> > > non-PIE binaries [1] [2]. Attempting to run a non-PIE binary will
> > > generate an error on Android. In this way, we ensure that all binaries
> > > take full advantage of Android's ASLR implementation.
> > >
> > > This is just one of the many security enhancements added in Android
> > > 5.*, and one that I hope other Linux distributions will pick up.
> > >
> > > [1] https://source.android.com/devices/tech/security/enhancements/enhancements50.html
> > > [2] https://android.googlesource.com/platform/bionic/+/76e289c026f11126fc88841b3019fd5bb419bb67
>
> Sadly, PIE is much less useful on Android right now. Every app and many
> services are spawned from an initial zygote process without an exec, so
> nearly everything has the same ASLR bases. It is great to see progress
> in this space though. I hope to see the zygote process go away now that
> ART and modern hardware makes it much less necessary - especially if a
> process (or a pool) is pre-spawned during idle time.
>
> AFAIK, the change forbidding non-PIE binaries was backed out for the
> official 5.0 release
> (https://android.googlesource.com/platform/bionic/+/d81b3b275dff99561cbe5905ca63a1c72fa54a17).
> I guess that was fixed in 5.1? I haven't looked into it yet.

You are getting the dates of your patches out of order. There were
three patches submitted in the following order:

2014-05-08: Remove support for non-PIE executables
https://android.googlesource.com/platform/bionic/+/2aebf5429bb1241a3298b5b642d38f73124c2026

2014-06-19: Reenable support for non-PIE executables
https://android.googlesource.com/platform/bionic/+/d81b3b275dff99561cbe5905ca63a1c72fa54a17

2014-07-03: Revert "Reenable support for non-PIE executables"
https://android.googlesource.com/platform/bionic/+/76e289c026f11126fc88841b3019fd5bb419bb67

The last patch is definitely in Android 5.0, and was never backed out.

  ~/aosp/bionic/linker$ git tag --contains
76e289c026f11126fc88841b3019fd5bb419bb67
  android-5.0.0_r1
  android-5.0.0_r2
  android-5.0.0_r3
  android-5.0.0_r4
  android-5.0.0_r5
  android-5.0.0_r5.1
  android-5.0.0_r6
  android-5.0.0_r7
  android-5.0.1_r1
  android-5.0.2_r1
  android-5.1.0_r1
  android-l-preview_r2
  android-wear-5.0.0_r1


> > I brought this to Twitter, and here's a comment by Rich Felker:
> >
> > <solardiz> Android 5.0 "has removed support for non-PIE binaries. Attempting to run a non-PIE binary will generate 
> > an error" http://www.openwall.com/lists/oss-security/2015/03/13/1
> > <@RichFelker> @solardiz Guess that means no emacs on Android...
> > <@solardiz> @RichFelker Why, can't one build Emacs as PIE?
> > <@RichFelker> @solardiz The whole dumper issue. The final emacs binary is a dump of an emacs with a lisp heap full 
> > of pointers and no relocation data.
>
> FWIW, I think various distributions are going to enable it once the PIE
> by default patches land:
>
> https://www.mail-archive.com/gcc-patches () gcc gnu org/msg105030.html
>
> There has been no luck getting someone to review them, so they missed
> the GCC 5 freeze deadline despite being ready before then.
>
> I proposed that we enable it by default on Arch via wrapper scripts, but
> it was rejected in favour of waiting for this patch to land. An OpenSUSE
> developer also voiced interest in the patches on the GCC mailing list.
> It just needs a committer who feels like reviewing it.



-- 
Nick Kralevich | Android Security | nnk () google com | 650.214.4037