Linux build enable PIE
Posted: Wed Feb 15, 2012 11:28 pm
I'm a big fan of Iron on Linux, thanks for what you are doing, comrades.
As you may know a browser exploit can bypass the NX-bit + ASLR pretty easily.
But if you add PIE (position independent executable), that increases anti-exploitation by ORDERS of magnitude.
I read that chromium is PIE-enabled, so adding a simple -fPIE-ish flag to gcc shouldn't be a big deal. Of course, there is a performance penalty in having PIE, but I hear it is negligible on x86-64 platforms.
Are there any considerations why you would not choose to compile Iron with PIE on Linux?