Current-Users archive


Re: NetBSD + ASLR



I'm confused. Is this feature only in the HEAD branch? I installed 5.0.1, and I have the man pages. I also have the following in my kernel config:
michael# config -x ./netbsd | grep ASLR
options         PAX_ASLR=0              # PaX Address Space Layout Randomization

but I get this from sysctl
michael# sysctl -a | grep security
security.curtain = 0
security.models.bsd44.name = Traditional NetBSD (4.4BSD)
security.models.bsd44.securelevel = -1
security.models.bsd44.curtain = 0
michael#
See, something is missing. Is it because I'm not using -current?

On Fri, Jul 18, 2008 at 5:41 PM, Jukka Ruohonen <jukka.ruohonen%iki.fi@localhost> wrote:
On Fri, Jul 18, 2008 at 05:58:14PM -0400, Christos Zoulas wrote:
> You can build everything PIE if you set MKPIE=yes in /etc/mk.conf.
> Note that I have not built a complete PIE system, or turned on
> security.pax.aslr.global. If you do that you are on your own :-)

A few words about personal experiences.

I haven't tried building a system with MKPIE=yes lately because it was
broken for a long time somewhere in the path of 4.99.x. Compared to this,
USE_SSP=yes has been much more stable.

But I have used security.pax.aslr.global ever since it was introduced. As
long as I remember to temporarily turn it off when compiling something,
everything is fine and I haven't noticed any stability or performance impacts
whatsoever.


Regards,

Jukka R.


