Why So Few PIE Executables?

What’s up with this? The output for checksec.sh shows the vast majority of packages running PIE’less.

How is this still the case? Some of these are SUID binaries (pulseaudio) and it’s really weird that they aren’t PIE enabled. Quite a few are missing stack canaries as well.

Why?

edit: After looking most of these seem to be related to Unity. I looked a few up and removed them as I don’t need them. Better, but not great – I don’t mind that my indicator-cpufreq doesn’t support PIE, what I mind is Ubuntu shipping with so many not using PIE/ stack canaries.

edit2: A user commented explaining that on x86 there is a significant performance impact. I was actually aware of this but I didn’t realize how significant. The thing is, I’m on 64bit, and I don’t really want PIE on *every* executable file.

The issue is not that *every* package is not using PIE. It’s that so many packages that seem ‘security critical’ are not using PIE eg: I don’t care so much that hud-service is running without PIE but I do care that Pulseaudio (SUID) and DNSMasq are running without PIE.

2 thoughts on “Why So Few PIE Executables?

  1. The Ubuntu Wiki says on https://wiki.ubuntu.com/Security/Features#Built_as_PIE :
    “PIE has a large (5-10%) performance penalty on architectures with small numbers of general registers (e.g. x86), so it should only be used for a select number of security-critical packages (some upstreams natively support building with PIE, other require the use of “hardening-wrapper” to force on the correct compiler and linker flags). PIE on x86_64 does not have the same penalties, and will eventually be made the default, but more testing is required.”

    • Thanks Tlu for the great information. I actually did know there was a performance impact, though I didn’t realize how large it could be (I thought more like 1-5%). As I’m on 64bt I figured it would be the default but I guess ‘more testing is required.’

      The issue is not that *every* package is not using PIE. It’s that so many packages that seem ‘security critical’ are not using PIE eg: I don’t care so much that hud-service is running without PIE but I do care that Pulseaudio (SUID) and DNSMasq are running without PIE.

Leave a Reply

Your email address will not be published. Required fields are marked *