Re: ASLR and PIE
Thor Lancelot Simon <tls <at> panix.com>
2011-12-05 20:41:35 GMT
On Mon, Dec 05, 2011 at 11:15:26PM +0300, Aleksey Cheusov wrote:
> Address Space Layout Randomization was implemented in NetBSD
> years ago but all userspace utilities including daemons
> are still built without PIC (Position Independent Code).
>
> Was this made by intention? If yes, can anybody please explain this
> decision?
On some platforms, ASLR in particular has a very large runtime cost
which is hard to avoid (it's not free anywhere). Similarly, on
platforms which are register-poor, PIC is not always the best choice.
However, I have considerable experience with a NetBSD-based embedded
system which built as much as possible with PIE and ASLR. This
revealed a number of issues which would, even if we decided to do so
immediately, make it impossible to build the whole system PIE and
run it with ASLR. Among these are:
1) Incompatibility of our thread library with ASLR.
2) Incompatibility of crunchgen with object files built
for PIE, causing /rescue to be unbuildable.
3) Incompatibility of our debugger with PIE executables and
with ASLR.
4) Existence of various "private" libraries in the system
which are built using our library build framework but
not installed, thus making it hard to be sure you've
caught all the libraries and made them build PIC.
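The thread turns on one property of each installed binary: whether its main image is ET_EXEC (linked at a fixed address, so ASLR cannot relocate it) or ET_DYN (a PIE, or a shared object built PIC). The program below is an added example, not code from the thread or from NetBSD, and is what one would run over /rescue, /bin and /usr/bin to find what is still built non-PIE. It assumes only the standard ELF32/ELF64 header layouts; the sample images it checks when given no arguments are constructed here, not taken from a real system. It calls an ET_DYN image with a PT_INTERP program header a PIE, which is a heuristic (see the note after the code).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum elf_kind {
    ELF_INVALID,     /* not ELF, truncated, or unsupported class/encoding */
    ELF_EXEC_FIXED,  /* ET_EXEC: linked at a fixed address, not relocatable by ASLR */
    ELF_PIE,         /* ET_DYN that carries a PT_INTERP: a PIE executable */
    ELF_SHARED_LIB,  /* ET_DYN without PT_INTERP: a plain shared object (PIC) */
    ELF_OTHER        /* ET_REL, ET_CORE, ... */
};

/* Endian-aware field readers; EI_DATA in the header says which order the file uses. */
static uint16_t rd16(const unsigned char *p, int le) {
    return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[0] << 8 | p[1]);
}
static uint32_t rd32(const unsigned char *p, int le) {
    return le ? (uint32_t)rd16(p, le) | (uint32_t)rd16(p + 2, le) << 16
              : (uint32_t)rd16(p, le) << 16 | rd16(p + 2, le);
}
static uint64_t rd64(const unsigned char *p, int le) {
    return le ? (uint64_t)rd32(p, le) | (uint64_t)rd32(p + 4, le) << 32
              : (uint64_t)rd32(p, le) << 32 | rd32(p + 4, le);
}

enum elf_kind classify_elf(const unsigned char *buf, size_t len)
{
    if (len < 52 || memcmp(buf, "\x7f" "ELF", 4) != 0) return ELF_INVALID;
    int cls = buf[4];                       /* EI_CLASS: 1 = ELF32, 2 = ELF64 */
    int le  = (buf[5] == 1);                /* EI_DATA:  1 = LSB,   2 = MSB   */
    if ((cls != 1 && cls != 2) || (buf[5] != 1 && buf[5] != 2)) return ELF_INVALID;

    uint16_t e_type = rd16(buf + 16, le);   /* same offset in ELF32 and ELF64 */
    if (e_type == 2) return ELF_EXEC_FIXED; /* ET_EXEC */
    if (e_type != 3) return ELF_OTHER;      /* not ET_DYN */

    /* ET_DYN: walk the program header table looking for PT_INTERP (type 3).
     * A PIE needs the dynamic linker, so it has one; a library normally does not. */
    uint64_t phoff; uint16_t phentsize, phnum;
    if (cls == 2) {
        if (len < 64) return ELF_INVALID;
        phoff = rd64(buf + 32, le); phentsize = rd16(buf + 54, le); phnum = rd16(buf + 56, le);
    } else {
        phoff = rd32(buf + 28, le); phentsize = rd16(buf + 42, le); phnum = rd16(buf + 44, le);
    }
    /* Bounds check before indexing: a hostile or truncated file must not read past buf. */
    if (phentsize < 4 || phoff > len || (uint64_t)phnum * phentsize > len - phoff)
        return ELF_INVALID;
    for (uint16_t i = 0; i < phnum; i++)
        if (rd32(buf + phoff + (size_t)i * phentsize, le) == 3) return ELF_PIE;
    return ELF_SHARED_LIB;
}

const char *elf_kind_name(enum elf_kind k)
{
    static const char *const names[] = { "invalid", "ET_EXEC (fixed address, image not randomized)",
                                         "PIE", "shared library", "other" };
    return names[k];
}

/* Constructed sample (not from a real system): a minimal ELF64 LSB header
 * followed by one program header whose p_type the caller chooses. */
enum elf_kind classify_sample(uint16_t e_type, uint32_t p_type)
{
    unsigned char img[64 + 56];
    memset(img, 0, sizeof img);
    memcpy(img, "\x7f" "ELF", 4);
    img[4] = 2; img[5] = 1; img[6] = 1;            /* ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
    img[16] = e_type & 0xff; img[17] = e_type >> 8;
    img[32] = 64;                                  /* e_phoff = 64 (LSB u64) */
    img[52] = 64; img[54] = 56; img[56] = 1;       /* e_ehsize, e_phentsize, e_phnum */
    for (int b = 0; b < 4; b++) img[64 + b] = (p_type >> (8 * b)) & 0xff;  /* p_type */
    return classify_elf(img, sizeof img);
}

int main(int argc, char **argv)
{
    if (argc > 1) {                 /* e.g. ./pie-check /rescue/sh /bin/ls /lib/libc.so */
        for (int i = 1; i < argc; i++) {
            static unsigned char buf[1 << 16];   /* phdrs sit right after the header in practice */
            size_t n = 0;
            FILE *fp = fopen(argv[i], "rb");
            if (fp) { n = fread(buf, 1, sizeof buf, fp); fclose(fp); }
            printf("%s: %s\n", argv[i], elf_kind_name(classify_elf(buf, n)));
        }
        return 0;
    }
    printf("ET_EXEC sample:              %s\n", elf_kind_name(classify_sample(2, 1)));
    printf("ET_DYN + PT_INTERP sample:   %s\n", elf_kind_name(classify_sample(3, 3)));
    printf("ET_DYN, no PT_INTERP sample: %s\n", elf_kind_name(classify_sample(3, 1)));
    return 0;
}
```

`readelf -h` (the "Type:" line) and `file(1)` ("executable" versus "shared object") report the same e_type, so the check can also be scripted with those. The PT_INTERP heuristic is how most tools tell a PIE from a library, but it is not exact: a few shared objects do carry an interpreter, and where the toolchain sets it, the DF_1_PIE bit in DT_FLAGS_1 of the dynamic section is the more precise test. Note also that a non-PIE main image does not disable randomization of the stack, heap and shared libraries; it only pins the executable itself, which is what Aleksey's question is about.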