Having some fun with Android.
Conversation
Replying to
By the way, even without Zygote screwing up probabilistic mitigations (not just ASLR) such as on GrapheneOS, ART is an issue. It uses a 32-bit heap in the lower 4G of the address space on 64-bit as an optimization and has a persistently relocated base address to optimize too.
1
2
We used to deal with the persistently relocated base address but haven't been able to keep that code maintained / ported through recent Android versions. It uses PIC but it has pre-relocated data. I assume they'll eventually switch to 64-bit addresses for the ART memory at least.
1
ART has the optimization of reusing a heap dump after basic initialization as part of compiling code. That's how it ends up with something it wants to persistently relocate as an optimization. So that combined with 32-bit pointers (not offsets) as optimization hurts ASLR too.
1
Since ASLR is increasingly regarded as a very weak mitigation, I'm not sure they'll ever care enough to address this upstream. Zygote spawning is a bigger deal since it weakens not just ASLR/SSP but also upcoming mitigations like pointer authentication and memory tagging too.