Dear Jason,

please keep the ML on Cc:

In message <4f33e93e.5070...@ggsg.cisco.com> you wrote:
>
> Do you happen to have a reference to that presentation? I'm very
> interested, as I thought ASLR was in place to make it harder. I've done
> a weak google search but haven't turned up anything.

I'm sorry - I already searched when I wrote my first reply, but I didn't save the link when I read this. I am pretty much sure that it was in an article posted on http://www.heise.de/newsticker/ (and that it was in German language), but then it's likely that a similar article has been posted to http://www.h-online.com/ .

I can find a few articles that talk about ways to outsmart ASLR, for example http://www.h-online.com/security/features/Return-of-the-sprayer-exploits-to-beat-DEP-and-ASLR-1171463.html but none of the ones I checked contained the statement I quoted (that ASLR actually makes it easier for crackers), or I didn't find it.

Yes, the idea behind ASLR was to make breaking into systems harder, and it does so for conventional attack methods. But breaking into systems is an art, and each new protection mechanism will attract forces to break them.

In the end, you have to ask yourself if the effort for a protection mechanism is worth the increase of security it gives you. As others have pointed out, U-Boot (while running in interactive mode) is pretty much open for unlimited access anyway, so what is there to protect? And in production mode, U-Boot will just load and start some OS, and will be gone within a few milliseconds - if configured correctly, with little chance for a break-in. Unless you attach a JTAG debugger - but then you are p0wned anyway.

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: w...@denx.de
Alan Turing thought about criteria to settle the question of whether
machines can think, a question of which we now know that it is about
as relevant as the question of whether submarines can swim.
                                                   -- Edsger Dijkstra
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot