DragonFly submit List (threaded) for 2007-01
DragonFly BSD

Re: patch to randomize mmap offsets


From: "Simon 'corecode' Schubert" <corecode@xxxxxxxxxxxx>
Date: Tue, 16 Jan 2007 19:54:47 +0100

Thomas E. Spanjaard wrote:
Given other comments, I think you should put all the changed code under an #ifdef, and add that to conf/options to be defined in file opt_vm.h (e.g., VM_MMAPOFF_RANDOMIZE opt_vm.h), then include opt_vm.h in the relevant files. Of course, the option wouldn't be enabled by default, but people who want security through obscurity can easily enable it at their leisure in their kernel config, and recompile :).

it is not obscurity, but instead prevents the exploitation of any fixed memory offset in executables. it makes memory ordering basically so non-deterministic that it is close to impossible to craft a working exploit. in combination with W^X this creates a very very secure execution environment.


cheers
 simon

--
Serve - BSD     +++  RENT this banner advert  +++    ASCII Ribbon   /"\
Work - Mac      +++  space for low €€€ NOW!1  +++      Campaign     \ /
Party Enjoy Relax   |   http://dragonflybsd.org      Against  HTML   \
Dude 2c 2 the max   !   http://golden-apple.biz       Mail + News   / \


