Normally you should have build nearly everything with PIE (there is a nifty but a little bit outdated script called checksec.sh) - on my system (Desktop with KDE right now) every running process has PIE enabled. You can enable and disable it via gcc-config (there are nopie and nopic and vanilla compiler profiles (which seem to be incompatible with gcc 4.8) PIC and PIE enabled is the default though)
WKR Hinnerk On Mon, Mar 25, 2013 at 07:00:15PM +0100, "Tóth Attila" wrote: > Is gentoo-hardened better regarding the amount of unrandomized code > compared to other distros? > -- > dr Tóth Attila, Radiológus, 06-20-825-8057 > Attila Toth MD, Radiologist, +36-20-825-8057 > > 2013.Március 25.(H) 13:52 időpontban PaX Team ezt írta: > > On 25 Mar 2013 at 9:01, Kfir Lavi wrote: > > > >> Hi, > >> I'm looking for a way to reduce glibc code size. > >> It can be a way to make system smaller and minimize the impact > >> of attack vectors in glibc, as in return-to-libc attack. > > > > study this and draw your conclusions whether the whole exercise is > > worth it or not: > > > > https://www.usenix.org/conference/usenix-security-11/q-exploit-hardening-made-easy > > > > > > >
signature.asc
Description: Digital signature
