Thomas E. Spanjaard wrote:
Given other comments, I think you should put all the changed code under an #ifdef, and add that to conf/options to be defined in file opt_vm.h (e.g., VM_MMAPOFF_RANDOMIZE opt_vm.h), then include opt_vm.h in the relevant files. Ofcourse, the option wouldn't be enabled by default, but people who want security through obscurity can easily enable it at their leasure in their kernel config, and recompile :).
it is not obscurity, but instead prevents the exploitation of any fixed memory offset in executables. it makes memory ordering basically so non-deterministic that it is close to impossible to craft a working exploit. in combination with W^X this creates a very very secure execution environment. cheers simon -- Serve - BSD +++ RENT this banner advert +++ ASCII Ribbon /"\ Work - Mac +++ space for low €€€ NOW!1 +++ Campaign \ / Party Enjoy Relax | http://dragonflybsd.org Against HTML \ Dude 2c 2 the max ! http://golden-apple.biz Mail + News / \
