[arch-dev-public] Proposal: enabling full ASLR on x86_64 via hardening-wrapper

Lukas Jirkovsky l.jirkovsky at gmail.com
Sun Dec 21 09:51:07 UTC 2014


Hello Daniel,
thank you for the detailed explanation.

> The address of dynamic libraries, the stack and the heap (both sbrk and
> the mmap base) is already randomized today so the backtrace is already
> going to include randomized addresses for anything defined in a library.

Sure, but knowing at least the source line where it crashed in the
executable may help a lot even if the rest of the backtrace is
useless.

> An executable compiled as PIE is compatible with full ASLR but it
> doesn't force users to use it. ASLR can be disabled by setting
> /proc/sys/kernel/randomize_va_space to 0. It's also possible to do it
> for a single process (far better idea)

Oh, I didn't know that it's so easy to disable it. I would still
prefer to have it enabled only for the core system and the
applications that are a common point of entry such as a web browser or
web server, but I can cope with that if I can handle that by myself
when everything is compiled with ASLR.

Lukas
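
The point discussed in this message, as an added example that is not part of the original email or of hardening-wrapper: which memory regions end up randomized depends on both the `randomize_va_space` value and whether the executable is PIE (ELF type `ET_DYN`). The function names, region labels and sample headers below are constructed for illustration.

```python
import struct

ET_EXEC, ET_DYN = 2, 3  # e_type values from the ELF specification


def sample_header(e_type: int) -> bytes:
    """Constructed 18-byte ELF header prefix: ELFCLASS64, little-endian."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # 16-byte e_ident
    return ident + struct.pack("<H", e_type)


def elf_type(header: bytes) -> int:
    """Return e_type, the 16-bit field that follows e_ident."""
    if len(header) < 18 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    if header[5] not in (1, 2):  # EI_DATA: 1 = little-endian, 2 = big-endian
        raise ValueError("unknown ELF byte order")
    endian = "<" if header[5] == 1 else ">"
    return struct.unpack_from(endian + "H", header, 16)[0]


def randomized_regions(header: bytes, randomize_va_space: int) -> set:
    """Regions randomized for this binary under the given sysctl value.

    0 = ASLR off; 1 = stack, mmap base (shared libraries) and PIE load
    address; 2 = additionally the brk heap.
    """
    # ET_DYN is also the type of shared objects, so this check alone
    # cannot tell a PIE executable from a library.
    is_pie = elf_type(header) == ET_DYN
    regions = set()
    if randomize_va_space >= 1:
        regions |= {"stack", "mmap"}
        if is_pie:
            regions.add("executable")
    if randomize_va_space >= 2:
        regions.add("heap")
    return regions


if __name__ == "__main__":
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            current = int(f.read().strip())
    except OSError:
        current = 2  # assumption: fall back to the full-randomization value
    for name, e_type in (("non-PIE", ET_EXEC), ("PIE", ET_DYN)):
        print(name, sorted(randomized_regions(sample_header(e_type), current)))
```

With the sysctl at 2, only the PIE header reports the executable image itself as randomized; a non-PIE binary keeps a fixed load address even though its libraries, stack and heap move.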

