pie

Install or update an extension

$ pie install [vendor]/[extension]

$ pie show

$ pie info [vendor]/[extension]

$ pie repository:list

$ pie repository:add [type] [url]

$ pie repository:remove [url]

The "pie" feature is enabled via compiler and linker options, primarily within the gcc command.

gcc [options] -fPIE -pie [input_files] -o [output_executable]

This syntax shows how to compile and link a program to produce a Position-Independent Executable.

-fPIE
    Compile the current compilation unit to be position-independent. This flag instructs the compiler to generate position-independent code, which is necessary for the final executable to be a PIE.

-pie
    Link the output as a Position-Independent Executable. This flag, passed to the linker (via GCC), ensures that the final executable is linked in a way that allows it to be loaded at a random base address at runtime.

-no-pie
    Disable the generation of a Position-Independent Executable. This flag explicitly prevents the creation of a PIE, even if the default behavior of the compiler/linker might otherwise be to produce one.

The term "pie" in the context of Linux typically refers to Position-Independent Executables. A PIE is an executable program built in such a way that it can be loaded at any arbitrary virtual memory address without modification.

This capability is crucial for implementing Address Space Layout Randomization (ASLR) for executables. ASLR is a security feature that randomly arranges the memory addresses of key data areas (like the base of the executable, libraries, heap, and stack) in a process's address space. By randomizing these locations, ASLR makes it significantly harder for attackers to predict the address of specific code or data, thereby mitigating memory-based attacks such as buffer overflows or return-oriented programming (ROP) exploits.

PIE executables are essentially dynamically linked shared objects that are loaded as main programs. They achieve position independence by ensuring all internal memory references (to code, data, global variables, etc.) are relative rather than absolute. This allows the operating system's loader to map the entire executable to a randomized base address at runtime, enhancing system security.

Performance: PIE executables might incur a very slight performance overhead due to the additional indirections required for relative addressing compared to non-PIE executables. However, for most modern applications and hardware, this overhead is negligible.
Compatibility: While widely supported today, older systems or specific embedded toolchains might not fully support PIE. Modern Linux distributions typically enable PIE by default for all user-space executables due to its significant security benefits.
Default Behavior: Many contemporary GCC versions and Linux distributions enable PIE by default when compiling executables. Therefore, explicitly adding `-fPIE -pie` might sometimes be redundant but serves as good practice for clarity and portability.

You can verify if an executable is a PIE using various command-line tools:

• file: Run `file your_executable`. A PIE will typically be identified as a "shared object" (e.g., `ELF 64-bit LSB shared object`) or indicate `ET_DYN`. Non-PIE executables are usually identified as `ELF ... executable` or `ET_EXEC`.
  
• readelf: Use `readelf -h your_executable | grep Type`. For a PIE, the output will show `Type: DYN (Shared object file)`. For a non-PIE executable, it will show `Type: EXEC (Executable file)`.
  
• checksec: This is a dedicated security auditing tool (often available via `apt install checksec` or `yum install checksec`) that can quickly report PIE status along with other exploit mitigation features. Run `checksec --file=your_executable` and look for the "PIE" field.

The concept of position-independent code has been fundamental for shared libraries for a long time. The application of position independence to main executables (PIE) gained significant traction in the early 2010s.

Its widespread adoption was driven by the increasing need to enhance security against memory corruption vulnerabilities. PIE became a critical component for effectively utilizing Address Space Layout Randomization (ASLR) for executables, significantly hindering exploitation techniques on Linux systems. Most modern Linux distributions now compile system binaries and user applications as PIE by default to improve overall system security.

gcc(1), ld(1), readelf(1), aslr(7), objdump(1)