"For example, if you use PaX and SSP, is there any point in adding PIE?"
Yes. PIE is simply rebuilding executables to be position independent, as shared libraries are. This allows their code to be moved around in memory freely, which allows PaX (or Exec Shield on RH) to apply ASLR to that code as well, further protecting from ret2libc attacks (ret2exec?).
The ideal setup has all of these, and more; there are a few other things that need more research, or that I simply don't understand although they may be ready, which could be deployed as well. A good format string bug protection would be great; and digitally signed kernel modules, executables, and libraries would potentially provide a fair level of protection as well. There's also a lot that can be looked at in GrSecurity with ranomized PIDs and randomized network data such as TCP ISNs and RPC XIDs, along with chroot() jail and procfs restrictions.
This stuff is nothing more nor less than a good start. If they were everything the article would be called, "How to make your computer perfect." These are all, however, ready *now* and could be deployed by any given distribution with the commitment to put in the work to move these in.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds