Subject: Re: Importing PaX features to NetBSD
To: Elad Efrat <elad@NetBSD.org>
From: Pavel Cahyna <pavel.cahyna@st.mff.cuni.cz>
List: tech-security
Date: 12/18/2005 23:35:01

On Mon, Dec 19, 2005 at 12:23:17AM +0200, Elad Efrat wrote:
> Pavel Cahyna wrote:
> 
> > Wouldn't it prevent future optimizations of the dynamic linker, which
> > might require constant and known addresses of dynamic libraries? I think
> > IRIX does that (don't know how RelCache was designed, maybe it applies
> > there too).
> 
> Let's leave this decision for the end-user to make.

Fine. If you implement this, can you please make the decision controllable
per-process, rather than per-system? E.g. with some proc.<pid>.xxx
sysctl. Because if any such optimization appears, it will make sense to
enable randomization for processes where exec time is not a bottleneck and
are exposed to attacks (like sshd, bind, or setuid executables) but disable
it for other processes.

Pavel Cahyna