On Sat, Feb 27, 2021 at 08:34:11PM -0800, Ihor Antonov wrote:
> >
> > But isn't it well-known that ASLR/ASR/any-related-buzzword does not add
> > any security, except imaginary? The only purpose of it is to have a
> > check-list item ticked green.
>
> I don't know if I should parse this as sarcasm (or any other form of
> "humor") or is a serious statement? But this does leave me with a whole
> bunch of questions..
>
> If this is really how Konstantin is describing it then is it OK to say
> about this to the whole Internet? Why FreeBSD Foundation is paying for
> meaningless work then? Why members of the Core team do this work? Does
> this mean that FreeBSD is working to satisfy the silly needs of some fat
> customer? What about project independence and not being controlled by
> big money?

What fat customer?

Other than that (and tone, of course), you formulate right the core of
the issue. ASLR is useless as a stop-gap measure, exploits work around it
with full success since XP SP3, but the myth about its importance is so
widely circulating that we have to spend a lot of effort first developing
the feature, and then a similar amount of effort to productize it. The
latter means to make it available to general public without introducing
a breakage.

We tried to do as you said, not implement but explain, you see the
attempts to list research papers below the thread. It does not work.
This is the case where security theater wins.

In fact, switch to PIE itself is somewhat useful. For instance,
- rtld direct execution mode benefits from it
- kernel image activator might optimize/compact address space
- emulation tools like valgrind have more freedom loading the image as
  well,
- static linkers can do some optimizations only possible for DSO-like
  and not binary
and so on. But I would never call it a 'huge security advance'.

>
> Where can I read about ASLR and security myths?
> Why not spend time and explain why this does not work?

Because spending time explaining why it does not work does not work.
People read check-lists and not explanations, esp. if check-lists are
provided by somebody not interested in explanation, but to pursue a
red/green line in the check-list.

And I do not even start on the quality of the 'alternative'
implementations.

> >
> > You clearly should mean something useful and much more important than that,
> > when stating that FreeBSD made a huge step forward. So I want to be aware
> > of the advance.
>
> Why attack a person who was really happy for the project?
> This DOES sound aggressive, even for a sarcastic joke..
> I am saying this as someone who shares the same native language with Mr. Belousov,
> it is not a "language/culture" difference thing.

I do not see how supposed sharing of native language with me makes it
legitimate to express your emotions as my statements.

>
> -----
> just your regular user who reads mailing list occasionally

Received on Sun Feb 28 2021 - 17:02:37 UTC