Subject: Re: Importing PaX features to NetBSD
To: None <>
From: Matt Thomas <>
List: tech-security
Date: 12/18/2005 16:50:44 wrote:
> On 18 Dec 2005 at 16:12, Matt Thomas wrote:
>>PIE also forces a portion of .text to be nonshared (any relative relocations
>>that could be fixed in a based image will no longer be shared among multiple
>>processes).  It will increase the complexity of program loading which is
>>already very complex.
> uhm, not sure what you're talking about. PIEs have as many textrels as
> shared libs, up to you compile all .o files with -fpie (vs. -fpic). in
> practice, we have Hardened Gentoo fully PIE compiled and the usual textrels
> only (that is, mostly in multimedia related shared libs that use lots
> of non-PIC asm, we've also fixed a bunch of them already).

Normal executable don't need REL relocation since they are linked at a
fixed address.  Since PIE executables are closer to PIC (shared) libraries,
they will have to have relocations done at load time, not link time.

Things like 'const char * const foo[] = { "a", "b" };' will be placed
entirely in .rodata since of the text PT_LOAD for a normal executable
which means that it can be shared.  In a PIE executable, foo will need
to relocated and so can not be shared.  So PIE not only have a CPU cost
for the relocations, but also a memory cost since fewer pages can be shared.

Matt Thomas                     email:
3am Software Foundry              www:
Cupertino, CA              disclaimer: I avow all knowledge of this message.