Quoting from the Fedora Packaging Guidelines (https://fedoraproject.org/wiki/Packaging:Guidelines#PIE):

> PIE adds security to executables by composing them entirely of position-independent code. Position-independent code (PIC) is machine instruction code that executes properly regardless of where in memory it resides. PIE allows Exec Shield to use address space layout randomization to prevent attackers from knowing where existing executable code is during a security attack using exploits that rely on knowing the offset of the executable code in the binary, such as return-to-libc attacks.

More info at the link above. Pierre wants this. :)
Fedora now does a whole bunch of things to harden binaries that we should probably look at:

* PIE/PIC
* -D_FORTIFY_SOURCE=2 (extra memory checks in C APIs)
* -D_GLIBCXX_ASSERTIONS (extra memory checks in STL)
* -z,now (check all binary symbols on start)
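As an added example (not code from the TigerVNC project, Fedora, or anyone in this thread), here is a small ELF64 checker for two of the properties listed above that are visible in the linked binary: whether it was linked as a PIE, and whether `-z now` took effect. It parses only the ELF header, the program headers and the PT_DYNAMIC segment with the `struct` module, so it needs no `readelf`. The sample images are constructed in the script; the `build_sample` helper, the `hardening_report` function and the sample names are this example's own. The `-D_FORTIFY_SOURCE=2` and `-D_GLIBCXX_ASSERTIONS` flags are compile-time and leave no header-level marker (FORTIFY shows up only indirectly, as imports of `__*_chk` symbols), so they are deliberately out of scope here.

```python
"""Report PIE and -z now (immediate binding) status of a little-endian ELF64 image.

Added example for the hardening-flag discussion; not TigerVNC or Fedora code.
Only the ELF header, program headers and the PT_DYNAMIC segment are read.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8          # DT_FLAGS bit set by -z now
DF_1_NOW = 0x1             # DT_FLAGS_1 bit set by -z now
DF_1_PIE = 0x08000000      # DT_FLAGS_1 bit modern ld/lld set on -pie output


def _dynamic_entries(data):
    """Yield (tag, value) pairs from the PT_DYNAMIC segment, stopping at DT_NULL."""
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from("<I", data, off)
        if p_type != PT_DYNAMIC:
            continue
        p_offset, = struct.unpack_from("<Q", data, off + 8)
        p_filesz, = struct.unpack_from("<Q", data, off + 32)
        for pos in range(p_offset, p_offset + p_filesz, 16):
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                return
            yield tag, val


def hardening_report(data):
    """Return {'type': 'EXEC'|'DYN', 'pie': bool, 'bind_now': bool}.

    ET_DYN alone is ambiguous (a shared library looks the same), so 'pie' is
    only True when the linker also recorded DF_1_PIE. An ET_DYN executable
    produced by an older linker will show type 'DYN' with pie False.
    """
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    dyn = dict(_dynamic_entries(data))
    flags = dyn.get(DT_FLAGS, 0)
    flags1 = dyn.get(DT_FLAGS_1, 0)
    bind_now = DT_BIND_NOW in dyn or bool(flags & DF_BIND_NOW) or bool(flags1 & DF_1_NOW)
    pie = e_type == ET_DYN and bool(flags1 & DF_1_PIE)
    return {"type": {ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(e_type, str(e_type)),
            "pie": pie, "bind_now": bind_now}


def build_sample(e_type, dyn_entries):
    """Construct a minimal, non-runnable ELF64 image with one PT_DYNAMIC segment.

    Constructed test data for this example only; real binaries have many more
    segments, but the fields this checker reads sit at the same offsets.
    """
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    phoff, phentsize = 64, 56
    dyn_off = phoff + phentsize
    ehdr = (ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
            + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x1000, phoff, 0, 0,
                          64, phentsize, 1, 0, 0, 0))
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0x2000, 0x2000,
                       len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


# Constructed samples: what a -fPIE -pie -Wl,-z,now link records, and what a
# plain non-PIE link without -z now records.
HARDENED = build_sample(ET_DYN, [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW | DF_1_PIE)])
LEGACY = build_sample(ET_EXEC, [(DT_FLAGS, 0)])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], hardening_report(f.read()))
    else:
        print("hardened sample:", hardening_report(HARDENED))
        print("legacy sample:  ", hardening_report(LEGACY))
```

Run it with a path (`python3 elfcheck.py /path/to/Xvnc`) to check a real build; with no argument it reports on the two constructed samples. A binary built with the Fedora flags should come back as type DYN with both `pie` and `bind_now` True; type EXEC means `-pie` did not make it to the link step, which is the symptom to look for when a distro patches gcc's defaults rather than the package's build flags.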
Ubuntu also has some hardening flags by default: https://wiki.ubuntu.com/ToolChain/CompilerFlags It seems like they've patched gcc, though, rather than change the defaults for how they build packages. We can see this when building TigerVNC manually.