Why PAX_RANDEXEC code is commented


Post by mohitbansal111 » Thu Jul 21, 2011 8:21 am


I just went through a stable patch of grsecurity.
I found that PAX_RANDEXEC (for Randomize ET_EXEC base) is commented out! :x
It is a little surprising to me, as when I went through http://pax.grsecurity.net/docs/randexec.txt it says RANDEXEC is meant to introduce randomness into the main executable file mapping address. :o
I also found that this addition poses some problems like performance overhead, false alarms, etc. :(

Could anyone please help me figure out the final position for ET_EXEC...

Thanks in advance :D

Posts: 6
Joined: Mon Jul 18, 2011 3:49 am

Re: Why PAX_RANDEXEC code is commented

Post by PaX Team » Thu Jul 21, 2011 4:23 pm

RANDEXEC was removed many years ago when its maintenance cost increased way beyond its security value. it had served as a good PoC for how to randomize otherwise non-relocatable code but for practical purposes everyone should be (and should have been) using PIEs instead.
PaX Team
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
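
An added example, not part of the thread and not PaX or grsecurity code: a small audit helper that reads the ELF header and reports whether a binary is still a fixed-address ET_EXEC or has been built as a PIE (ET_DYN), which is the replacement the reply recommends. The function names, the result labels and the PT_INTERP heuristic for telling a PIE from a shared library are assumptions of this sketch.

```python
import struct
import sys

ET_EXEC, ET_DYN, PT_INTERP = 2, 3, 3

def classify_elf(data: bytes) -> str:
    """Classify an ELF image by how its main mapping can be placed."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unknown ELF class or byte order")
    if len(data) < (64 if ei_class == 2 else 52):
        raise ValueError("truncated ELF header")
    e = "<" if ei_data == 1 else ">"
    e_type = struct.unpack_from(e + "H", data, 16)[0]
    if e_type == ET_EXEC:
        return "ET_EXEC"  # linked for a fixed base, not relocatable
    if e_type != ET_DYN:
        return "other"    # relocatable object, core file, ...
    # ET_DYN covers both PIEs and shared libraries; locate the program headers.
    if ei_class == 2:
        phoff = struct.unpack_from(e + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(e + "HH", data, 54)
    else:
        phoff = struct.unpack_from(e + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(e + "HH", data, 42)
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            break
        # Heuristic (assumption): a dynamically linked PIE requests an
        # interpreter, a plain shared library usually does not.
        if struct.unpack_from(e + "I", data, off)[0] == PT_INTERP:
            return "PIE"
    return "ET_DYN-no-interp"  # shared library or static PIE

def sample_elf64(e_type: int, with_interp: bool) -> bytes:
    """Constructed little-endian ELF64 header plus one program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                              64, 56, 1, 0, 0, 0)
    p_type = PT_INTERP if with_interp else 1  # 1 = PT_LOAD
    return hdr + struct.pack("<I", p_type) + bytes(52)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify_elf(fh.read()))
```

Run it over the binaries of interest (paths as arguments); anything reported as `ET_EXEC` gets no randomization of its main executable mapping and is a candidate for rebuilding as a PIE.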
