Prelink and address space randomization
Posted Jul 7, 2006 13:34 UTC (Fri) by email@example.com
Parent article: Prelink and address space randomization
Security sensitive binaries should be linked as Position Independent
Executables (-pie). Those are not prelinkable and the kernel and dynamic
linker by default ignores the prelink chosen load addresses of libraries.
So, if e.g. all network facing and suid programs are PIEs and the rest
is not, you can prelink the whole system. PIEs will have full address
space randomization, while the rest of programs will have shared libraries
(and the binary) always at the same addresses (until next forceful
reprelinking, which is usually every fortnight or so).
to post comments)