The original tweet presenting the results in a misleading and dishonest way only looks bad for the person doing it, not the project they're trying to attack.
https://twitter.com/gonzopancho/status/1110255320658558976…
The paper is also only looking at one part of the ASLR implementation rather than the whole picture.
So, aside from being a very incomplete look at ASLR, it also misses that it's only one of a set of mitigations against memory corruption attacks. Resorting to misrepresenting the results of a very obviously lacking paper to attack other projects is quite desperate and pathetic.
This Tweet was deleted by the Tweet author.
You quoted a statement out of context to mislead people. As I mentioned, the paper is also very lacking since it presents ASLR entropy as being the only thing of relevance to buffer overflow protection, and it also only looks at the entropy of one of several ASLR bases anyway.
The upstream Linux kernel ASLR has substantially lower entropy for one of the x86_64 ASLR bases, which this paper misses. It's not an issue in the implementation on other architectures like arm64. The paper is misleading and wrong, and your out-of-context quote only makes that worse.
It also makes a misleading statement about Android, which uses the upstream Linux ASLR implementation and sets entropy config to the maximum values. It doesn't take a different approach. arm64 does usually have a smaller address space than x86_64, which isn't an Android thing.