golang and -buildmode=pie


volf....@gmail.com

Nov 29, 2019, 8:09:44 PM
to golang-nuts
Hello,
while looking into how alpine linux builds golang I've found that it patches it to make -buildmode=pie the default. I've tried to find why. I've managed to find this thread

https://groups.google.com/forum/#!searchin/golang-nuts/pie|sort:date/golang-nuts/Jd9tlNc6jUE/Z9ldF6vPEAAJ

which seems to conclude that there is very little benefit to use pie in golang. But then I found another thread (this time github ticket)

https://github.com/golang/go/issues/35192

that decided to make pie default build mode for windows. If anyone would be so kind to find some time, I have a few questions:

1. Why just windows (and not linux)?
2. Is pie useful now even in go? (the first thread is from 2012-2014)
3. Quote from https://github.com/golang/go/issues/35192#issuecomment-548028186 :

    > The bug says ASLR but really this is just about making a position-independent binary. There are other reasons to have one of those besides ASLR.

    what are those reasons?

Thank you for your time and have a nice day,
W.

Ian Lance Taylor

Dec 1, 2019, 12:39:52 AM
to volf....@gmail.com, golang-nuts
On Fri, Nov 29, 2019 at 5:09 PM <volf....@gmail.com> wrote:
>
> while looking into how alpine linux builds golang I've found that it patches it to make -buildmode=pie the default. I've tried to find why. I've managed to find this thread
>
> https://groups.google.com/forum/#!searchin/golang-nuts/pie|sort:date/golang-nuts/Jd9tlNc6jUE/Z9ldF6vPEAAJ
>
> which seems to conclude that there is very little benefit to use pie in golang. But then I found another thread (this time github ticket)
>
> https://github.com/golang/go/issues/35192
>
> that decided to make pie default build mode for windows. If anyone would be so kind to find some time, I have a few questions:
>
> 1. Why just windows (and not linux)?

As you can see in the GitHub issue you cite, other Windows compilers
reportedly default to PIE. The argument was that Go on Windows should
act like other compilers on Windows.

> 2. Is pie useful now even in go? (the first thread is from 2012-2014)

PIE makes certain kinds of attacks on programs significantly more
difficult. Those attacks must first find a bug in the program,
typically an overflow of a buffer stored on the stack, which lets the
attacker modify the stack in some way. If such a bug exists, using
PIE makes it harder to exploit the bug. In Go it is very hard to
write a program that contains such a bug, much much harder than it is
in C. Therefore, I would say that PIE is much less important for Go
than it is for C. But it is possible with a fair amount of work to
write a Go program that contains such a bug. And Go programs can call
C code, and it might be useful to use PIE to make it harder to exploit
any bugs in that C code. So PIE is not completely useless for Go.

> 3. Quote from https://github.com/golang/go/issues/35192#issuecomment-548028186 :
>
> > The bug says ASLR but really this is just about making a position-independent binary. There are other reasons to have one of those besides ASLR.
>
> what are those reasons?

PIE can be useful for systems like the memory sanitizer
(https://github.com/google/sanitizers/wiki/MemorySanitizer) which need
to allocate large amounts of memory, and need to know that the program
can avoid the memory addresses that MSan wants.

Ian
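
To check what a given build actually produced, the ELF header of the binary can be inspected. The following is an added example, not code from this thread or from the Go project: `Classify` and `sampleELF` are names invented here, the sample header is constructed, and the `PT_INTERP` test is a heuristic that cannot tell a static PIE from a shared object.

```go
package main

import (
	"debug/elf"
	"fmt"
	"io"
	"os"
)

// Classify reports whether an ELF image is fixed-address or relocatable.
func Classify(r io.ReaderAt) (string, error) {
	f, err := elf.NewFile(r)
	if err != nil {
		return "", err
	}
	if f.Type == elf.ET_EXEC { // linked at a fixed base, never randomized
		return "non-PIE", nil
	} else if f.Type != elf.ET_DYN {
		return "not an executable", nil
	}
	for _, p := range f.Progs { // ET_DYN: position-independent image
		if p.Type == elf.PT_INTERP { // requests a dynamic loader
			return "PIE", nil
		}
	}
	return "static PIE or shared object", nil
}

func sampleELF(t elf.Type, interp bool) []byte { // constructed test input
	b := make([]byte, 64+56)       // file header plus one program header
	copy(b, "\x7fELF\x02\x01\x01") // magic, 64-bit, little-endian, version 1
	b[16], b[20] = byte(t), 1      // e_type, e_version
	if interp {                    // e_phoff, e_phentsize, e_phnum, p_type
		b[32], b[54], b[56], b[64] = 64, 56, 1, byte(elf.PT_INTERP)
	}
	return b
}

func main() { // classifies every file named on the command line
	for _, path := range os.Args[1:] {
		f, err := os.Open(path)
		kind := "unreadable"
		if err == nil {
			kind, err = Classify(f)
			f.Close()
		}
		fmt.Println(path, kind, err)
	}
}
```

Running it against the output of `go build` and of `go build -buildmode=pie` for the same program shows which of the two a distribution's toolchain produces by default.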