
digitalmars.D - Request: Hardened system tutorial/patch

Lodovico Giaretta <lodovico giaretart.net> writes:
Hi!

As you might have noticed, Ubuntu 16.10 joins the community of 
hardened systems by shipping GCC 6.2 with PIE enabled by default. 
This is a wonderful security choice, but it comes with some 
problems when one tries to use DMD. Here is what happened to me.

1) Trying to unittest std.experimental.xml:

    I got tons of failed relocations, but I was kind of expecting that. I was using DUB, so I added `"lflags": ["-no-pie"]`, but it didn't do anything and I really don't know why. Then I tried setting "dflags" with "-fPIC", but it didn't suffice, as I had to set "-defaultlib" to "libphobos2.so".
    Ok, this finally worked, but it produced PIE executables. What if I want to use a plain old fixed-position executable? I didn't manage to do that. Also, the "default" dmd call, without any option, should really work out of the box. I don't really care if by default it produces PIE or not. I care that I don't have to think about it unless it's an important decision for me. And I care that if I want, I can switch to whatever with a command line option.

2) Trying to use DUB seriously:

    This is a good reason to have a working default configuration. While working on the xml library, I used `dub -b ddox`. Being the first time on the new system, DUB fetched ddox and tried to build it. But of course it failed! And that's because ddox (as every dub package) does not specify "-fPIC -defaultlib=libphobos2.so", as it has never been necessary. I still don't know how to make this work without hacking ddox.

So, what we really need is either a good tutorial on how to set up 
everything so that it "just works", or even better the compiler 
should recognize if the linker has hardening enabled by default, 
and take actions to either compile with PIC or call the linker 
with -no-pie.
Oct 19 2016
Daniel Kozak via Digitalmars-d <digitalmars-d puremagic.com> writes:
On 19.10.2016 at 14:51 Lodovico Giaretta via Digitalmars-d wrote:

 Hi!

 As you might have noticed, Ubuntu 16.10 joins the community of 
 hardened systems by shipping GCC 6.2 with PIE enabled by default. This 
 is a wonderful security choice, but it comes with some problems when 
 one tries to use DMD. Here is what happened to me.

 1) Trying to unittest std.experimental.xml:

    I got tons of failed relocations, but I was kind of expecting that. I was using DUB, so I added `"lflags": ["-no-pie"]`, but it didn't do anything and I really don't know why. Then I tried setting "dflags" with "-fPIC", but it didn't suffice, as I had to set "-defaultlib" to "libphobos2.so".
    Ok, this finally worked, but it produced PIE executables. What if I want to use a plain old fixed-position executable? I didn't manage to do that. Also, the "default" dmd call, without any option, should really work out of the box. I don't really care if by default it produces PIE or not. I care that I don't have to think about it unless it's an important decision for me. And I care that if I want, I can switch to whatever with a command line option.
This is possible; it is up to package maintainers to do this (compile druntime and phobos themselves with -fPIC and add -fPIC to /etc/dmd.conf).
 2) Trying to use DUB seriously:

    This is a good reason to have a working default configuration. While working on the xml library, I used `dub -b ddox`. Being the first time on the new system, DUB fetched ddox and tried to build it. But of course it failed! And that's because ddox (as every dub package) does not specify "-fPIC -defaultlib=libphobos2.so", as it has never been necessary. I still don't know how to make this work without hacking ddox.

 So, what we really need is either a good tutorial on how to set up 
 everything so that it "just works", or even better the compiler should 
 recognize if the linker has hardening enabled by default, and take 
 actions to either compile with PIC or call the linker with -no-pie.
Same as above, just add -fPIC to dmd.conf.
Oct 19 2016
Lodovico Giaretta <lodovico giaretart.net> writes:
On Wednesday, 19 October 2016 at 13:16:08 UTC, Daniel Kozak wrote:
 [...]
Thank you. I didn't know about dmd.conf. Do you happen to know which options I should use to disable PIE generation? -L-no-pie does not work, so I'm stuck with producing PIE executables (which is not bad per se, but as I said I care that I can easily switch back and forth when needed).
Oct 19 2016
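An added example, not from anyone in this thread: a POSIX shell check that reports whether a linked binary came out as a fixed-position executable (ELF type ET_EXEC) or as a PIE (ET_DYN), by reading the e_type field of the ELF header. This is the quick way to confirm what a given -fPIC / -no-pie / dmd.conf combination actually produced; the sample inputs are constructed 18-byte headers, not real binaries, so it runs without a compiler.

```shell
# elf_type FILE: print EXEC (fixed-position), DYN (PIE or shared object),
# OTHER (relocatable/core/unknown) or NOTELF.
elf_type() {
  f="$1"
  magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
  [ "$magic" = "7f454c46" ] || { echo NOTELF; return 0; }
  # offset 5 is EI_DATA: 01 = little-endian, 02 = big-endian
  endian=$(od -An -tx1 -j5 -N1 "$f" | tr -d ' \n')
  # e_type is the 2-byte field at offset 16
  set -- $(od -An -tx1 -j16 -N2 "$f" | tr -d '\n')
  if [ "$endian" = "01" ]; then t="$2$1"; else t="$1$2"; fi
  case "$t" in
    0002) echo EXEC ;;
    0003) echo DYN ;;   # a PIE is ET_DYN with a PT_INTERP segment
    *)    echo OTHER ;;
  esac
}

# write_fake_elf_header FILE TYPE_OCTAL: constructed minimal x86-64
# little-endian ELF header (magic, class, data, version, 9 zero bytes,
# then e_type). Enough for elf_type; NOT a loadable binary.
write_fake_elf_header() {
  printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000' > "$1"
  printf "\\${2}\\000" >> "$1"
}

# Demo on the constructed headers; on a real system run `elf_type ./app`
# on a binary built by dmd or dub to see which variant the flags produced.
tmp=$(mktemp -d)
write_fake_elf_header "$tmp/fixed" 002
write_fake_elf_header "$tmp/pie" 003
echo "fixed header -> $(elf_type "$tmp/fixed")"
echo "pie header   -> $(elf_type "$tmp/pie")"
rm -rf "$tmp"
```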
Daniel Kozak <kozzi11 gmail.com> writes:
On Wednesday, 19 October 2016 at 12:51:46 UTC, Lodovico Giaretta 
wrote:
 Hi!

 As you might have noticed, Ubuntu 16.10 joins the community of 
 hardened systems by shipping GCC 6.2 with PIE enabled by 
 default. This is a wonderful security choice
Maybe it is not such a perfect security choice: http://www.cs.ucr.edu/~nael/pubs/micro16.pdf
Oct 20 2016
Daniel Kozak <kozzi11 gmail.com> writes:
On Thursday, 20 October 2016 at 11:12:24 UTC, Daniel Kozak wrote:
 On Wednesday, 19 October 2016 at 12:51:46 UTC, Lodovico 
 Giaretta wrote:
 Hi!

 As you might have noticed, Ubuntu 16.10 joins the community of 
 hardened systems by shipping GCC 6.2 with PIE enabled by 
 default. This is a wonderful security choice
 Maybe it is not such a perfect security choice: http://www.cs.ucr.edu/~nael/pubs/micro16.pdf
https://news.slashdot.org/story/16/10/19/2358209/researchers-bypass-aslr-protection-on-intel-haswell-cpus
Oct 20 2016