If you’re in a position to perform an attack that address space randomization can defend against, then you have already successfully performed a code execution attack.
And so far as I can tell... *any* constant strings in the executable, including things like elements of the SQL language itself, provide a mechanism for locating code. Meanwhile, what this design does is remove an attack surface for promoting an SQL injection attack to a code execution attack. The comments about randomizing strings in the previous threads were about possible alternate ways of mitigating that attack, and have nothing to do with ASLR. _______________________________________________ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users