hardening
Hardening - PIE or PIC - applies to Linux. PIE hardening also applies to Windows, and it is probably useful there too. The same FPC command line switches apply on Windows.
Overview
For our purposes here, "hardening" means making your binary harder to attack while it is running. The key technique is PIE, Position Independent Executable: the binary can be loaded at a different base address on each run, so an attacker cannot rely on fixed code addresses. FPC supports PIE with a couple of options on most platforms. Some environments require it, and it makes good sense anyway, especially in a server application. It is suggested that PIE hardening increases the size of an executable and slows it down marginally.
Most projects only require the following extra FPC command line switches:
-Cg -k-pie -k-znow
However, there are some corner cases:
- A Lazarus application will probably already have "-Cg" in its compile line.
- Small command line applications that would normally generate a statically linked binary will compile fine but not run ("No such file or directory"). The difficulty is that FPC does not embed the dynamic linker (interpreter) information in such a binary because it appears unnecessary. The solution is to add the directive {$linklib c} to your source. This requests that libc be linked, which forces a dynamically linked binary, and FPC then provides the necessary information for the linker.
- At present (late 2021), PIE hardening does not seem to work on PowerPC64le systems; see this bug report.
- Some Linux distributions ship a file command that mentions the word 'pie' in its output when pointed at a PIE hardened binary, but some don't. However, all recent OSs will list something like interpreter /lib64/ld-linux-x86-64.so.2 for a PIE hardened binary. That library must exist; if it does not, you have the statically linked binary problem mentioned above.
Example
The following is an example test file:
program Test;
{$linklib c}   { link libc, forcing a dynamically linked binary (see the corner cases above) }
begin
  writeln('test');
end.
Compile with this:
fpc -Cg -k-pie -k-znow test.pas
And examine the result:
$ file test
test: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.4.0, stripped
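Because the wording of the file command varies between distributions, it helps to have a small script that checks the two properties the switches above are meant to produce: a PIE with a dynamic loader (-k-pie, which also catches the "No such file or directory" static-binary case) and immediate symbol binding (-k-znow, visible as BIND_NOW in the dynamic section). The script below is an added example and is not part of this wiki page or of FPC; it assumes file and readelf (from binutils) are on the PATH, and the script name pie-check.sh is hypothetical. The sample tool outputs inside it are constructed, the first one copied from the file line shown above.

```shell
#!/bin/sh
# Added example (not from the FPC wiki): confirm that a binary was built as a
# PIE with immediate binding, i.e. that -k-pie and -k-znow took effect.
# The parsing functions take tool output as a string so they can also be
# exercised on the constructed samples at the bottom without a real binary.

# Return 0 if a `file` description looks like a PIE with a dynamic loader.
# Newer `file` versions print "pie executable", older ones "shared object";
# both are accepted. No "interpreter" line means static (or broken) linking,
# which is exactly the case that fails to run with "No such file or directory".
is_pie_description() {
    case $1 in
        *"interpreter "*) ;;            # dynamic loader is present, continue
        *) return 1 ;;
    esac
    case $1 in
        *"pie executable"*|*"shared object"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if `readelf -d` output shows BIND_NOW, meaning all symbols are
# resolved at load time (the effect of -znow; with RELRO the GOT then
# becomes read-only, removing a common overwrite target).
has_bind_now() {
    case $1 in
        *BIND_NOW*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check a real binary on disk. Prints one verdict line per property and
# returns 0 only when both hold. Requires `file` and `readelf` on the PATH.
check_binary() {
    bin=$1
    desc=$(file -b "$bin")              # -b: omit the "name:" prefix
    dyn=$(readelf -d "$bin" 2>/dev/null)
    rc=0
    if is_pie_description "$desc"; then
        echo "PIE: yes"
    else
        echo "PIE: no ($desc)"; rc=1
    fi
    if has_bind_now "$dyn"; then
        echo "BIND_NOW: yes"
    else
        echo "BIND_NOW: no (was -k-znow passed?)"; rc=1
    fi
    return $rc
}

# Constructed sample outputs: the `file` line from this page, a statically
# linked counterpart, and a fragment of `readelf -d` output with BIND_NOW.
SAMPLE_PIE='ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.4.0, stripped'
SAMPLE_STATIC='ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped'
SAMPLE_DYN=' 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
 0x0000000000000018 (BIND_NOW)'

# Usage on a real build of the test program above:  sh pie-check.sh test
if [ -n "$1" ]; then
    check_binary "$1"
fi
```

Run it against the binary produced by the fpc command above; a build that omitted -k-znow will still report PIE: yes but BIND_NOW: no, and a statically linked build (no {$linklib c}) will report PIE: no with the "statically linked" description.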
See Also
- https://wiki.freepascal.org/Hardened_runtime_for_macOS
- https://wiki.debian.org/Hardening
- https://wiki.freepascal.org/Debian_package_structure
- This gdb page mentions a problem debugging PIE.