ASLR work into -HEAD ?

[Bryan Drewery]

On 5/20/2015 12:24 PM, Pedro Giffuni wrote:
> My claim is that the majority of "professional" breachers and
> governments already have ASLR workarounds pre-coded and ready
> to launch. Finding an exploit is more difficult than beating
> ASLR so they are not going to hint everyone that they have
> an exploit until they can take all the linux/windows/MacOSX
> at the same time.
> 
> The cost for the NSA and/or anonymous to step on
> ASLR is zero.

This sort of argument easily turns into "why bother with security?".
Please be careful with it. Every layer and mitigation helps. The real
world is not just NSA or China. It's also full of script kiddies. Should
we just stop using SSL because NSA might have cracked it? Should we just
hand over root ssh keys to China because they probably have it all
hacked anyway? Should we just give up since billions of dollars pour
into security breaking research? Should I just post my CC here since
it's surely leaked from the hundreds of places I use it at anyway? No.

I've had very basic security checks, that could be easily circumvented,
stop actual script kiddies before. Had they persisted longer I would
have been in major trouble. If I explained what it is you would surely
laugh it off and tell me to not bother. Well it worked. ASLR has its
place too.

-- 
Regards,
Bryan Drewery

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-arch/attachments/20150522/d8e5516b/attachment.sig>