Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20120524045752.GX163@brightrain.aerifal.cx>
Date: Thu, 24 May 2012 00:57:52 -0400
From: Rich Felker <dalias@...ifal.cx>
To: musl@...ts.openwall.com
Subject: Static PIE! (experimental)

I've got very experimental static-linked PIE support working, using
the attached files. This isn't ready to go in (in fact, part of it
belongs in binutils' ldscripts, not musl), but it's a very cool proof
of concept. Some caveats:

- ALL object files, including those in static libs (that means libc
  too!) must be built with -fPIE or -fPIC. So to use this, you really
  need to commit to building your whole system this way.

- No error checking is done for invalid binaries; they'll likely crash
  horribly. You can use readelf -a to check that the only relocations
  are RELATIVE. If you see any other types of reloc, the binary is
  broken (miscompiled or mislinked).

- Textrels are not supported. They would be very difficult to support
  on hardened systems that don't allow RWX pages, since the binary
  would be self-modifying while running (and thus switching
  temporarily to RW- and later to R-X would not suffice).

- The provided linker script is for i386, but it's just a simple
  change to the original file (sending .interp section to /DISCARD/)
  and you can make the same change for any arch. Likewise, Zcrt1.s is
  for i386, but it's trivially generated from Scrt1.s by adding a call
  to __static_pie_reloc.

Command to use to link:

gcc -static -pie -fPIE -nostartfiles Zcrt1.s Zcrt2.c \
  /usr/lib/crt[in].o -Wl,-T,elf_i386.xd "$@"

Of course you can pre-compile/assemble Zcrt1.o and Zcrt2.o if you
like. The reason they're split into 2 files is that the first is
startup asm (arch-specific) and the latter is written in C for
convenience (and arch-independence).

To get this to production stage...

1. The linker scripts need to be incorporated into binutils.
2. The gcc specfile needs to be edited to use alternate startfiles
   when both -static and -pie are specified.
3. The new crt files need to be added to musl.

By the way, there's nothing musl-specific about any of this. If
anybody wants to build a static glibc with -fPIE and patch the call to
__static_pie_reloc into its startfiles, it should work too.. Same goes
for uClibc.

Rich

View attachment "Zcrt1.s" of type "text/plain" (441 bytes)

View attachment "Zcrt2.c" of type "text/plain" (1056 bytes)

View attachment "elf_i386.xd" of type "text/plain" (7095 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.