======  Position-independent Executable (PIE) ======
The protection mechanism [[.aslr|ASLR]] was explained in the previous chapter. It introduces randomness to the memory layout of processes. Thus it is harder for attackers to correctly organize exploit execution. However, remember that even with ASLR fully enabled, the executable itself as well as the PLT are still not randomized. Position-independent Code (PIC) is a compiler feature which produces code that can be loaded at arbitrary addresses. Binaries consisting of only position-independent code are called Position-independent Executables (PIE).

Similar to ASLR, the below program illustrates the effect of PIE on process addresses.

<code c pie/addresses.c>
// gcc addresses.c -ldl
#include <stdio.h>
#include <stdlib.h>
#include <dlfcn.h>

int main()
{
    int stack;
    int *heap = malloc(sizeof(int));

    printf("executable: %p\n", &main);
    printf("stack: %p\n", &stack);
    printf("heap: %p\n", heap);
    printf("system@plt: %p\n", &system);

    void *handle = dlopen("libc.so.6", RTLD_NOW | RTLD_GLOBAL);
    printf("libc: %p\n", handle);
    printf("system: %p\n", dlsym(handle, "system"));

    free(heap);
    return 0;
}
</code>

Having ASLR enabled results on the following output.

<code>
$ echo 2 | sudo tee /proc/sys/kernel/randomize_va_space
2
$ ./a.out 
executable: 0x55e8208157ca
stack: 0x7ffe5d194edc
heap: 0x55e821d11010
system@plt: 0x7f2904b01480
libc: 0x7f29052849b0
system: 0x7f2904b01480
$ ./a.out 
executable: 0x55716e0817ca
stack: 0x7ffd23f4e40c
heap: 0x55716ee0e010
system@plt: 0x7fe427397480
libc: 0x7fe427b1a9b0
system: 0x7fe427397480
</code>

It can be concluded that additionally to ASLR also the executable itself and the PLT are randomized.

^ ASLR value ^ Executable                                        ^ Stack                                             ^ Heap                                              ^ PLT                                               ^ Shared libraries                                  ^
| 2          | <html><font color="green">&#10004</font></html> | <html><font color="green">&#10004</font></html>   | <html><font color="green">&#10004</font></html>   | <html><font color="green">&#10004</font></html> | <html><font color="green">&#10004</font></html>   |

Without leaking an address at runtime which can be used to calculate the address of further gadgets for a [[..exploitation:rop|ROP chain]], PIE heavily increases security(([[https://exploit.courses/files/bfh2017/day5/0x53_ExploitMitigations_PIE.pdf|Exploit Mitigation - PIE]])).

Note that PIE is a compiler option and needs to be applied to every executable separately. Following PIE-related flags are used by GCC(([[http://man7.org/linux/man-pages/man1/gcc.1.html|gcc(1) - Linux manual page]])).

^ Flag     ^ Description             ^
| -fpie    | Enable PIE compilation  |
| -fno-pie | Disable PIE compilation |
| -pie     | Enable PIE for linking  |
| -no-pie  | Disable PIE for linking |

Depending on the used distribution, PIE might also be enabled by default.

<code>
$ gcc -v 2>&1 | grep -o -a -P "\S+default-pie"
--enable-default-pie
</code>

Although increasing security, PIE also impacts the performance of an executable((Mathias Payer (2012). "Too much PIE is bad for performance.".)).


\\
----
<html>
<table style="width:100%">
  <tr>
    <td align="left" style="width:33%"></html>[[.aslr|← Back to Address Space Layout Randomization (ASLR)]]<html></td>
    <td align="center" style="width:34%"></html>[[..start|Overview]]<html></td>
    <td align="right" style="width:33%"></html>[[.nx|Continue with NX bit →]]<html></td>
  </tr>
</table>
</html>