A stupid idea, unfortunately. Only academia still cares about ROP. http://undeadly.org/cgi?action=article&sid=20160425145953 … - sorry theo.
@berendjanwever @halvarflake no, that's what leads to pulling up pointless defenses that do more harm (usability, debugging) than good
@lazytyped @halvarflake I did say "anything that can mitigate exploitation", not "anything". Cost/benefit analysis is implied.
@berendjanwever @halvarflake how does this "randomize libc symbols" mitigate exploitation?
@lazytyped @halvarflake I did not say this is good mitigation. I said that even if some mitigations are better than others, all are useful.
@lazytyped @halvarflake In other words, just because this uses randomization does not make it bad by default.
@berendjanwever @halvarflake with ROP we already have enough randomization with ASLR. And direction is CFI-ish. More randomization won't help
@lazytyped @halvarflake I'd like to see somebody (theo?) show a bunch of vulns this would have mitigated before I make a judgement.
@berendjanwever @halvarflake sure you don't have to trust me. I'm happy to be proven wrong (but not by an artificial case)