Libc symbols randomization
Announced in 2016, this feature randomizes, at boot time, the order of groups of symbols in the libc.
This mitigation is subject to roughly the same limitations as the library order randomization one: defeated by an arbitrary read (just dump the GOT), and circumvented by BROP. It's also interesting to note that the randomization happens only at boot time, meaning that this feature can only protect against remote attackers without large-enough or repeatable leaks; it completely kills single-pointer leaks, as well as relative writes happening in libc and libcrypto.
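To make the "single-pointer leak" point concrete, here is an added example (not code from the page or from OpenBSD) that models libc as a handful of object files whose order is shuffled per boot with a seed; object names, symbol offsets, sizes and the base address are constructed. It checks whether the offset from one leaked symbol to another survives a reboot, and also shows the granularity caveat: symbols living in the same object file keep their relative offset.

```python
import random

# Constructed model of a libc built from object files ("groups" of symbols):
# each object file carries its symbols at fixed internal offsets, and the
# boot-time relink (modelled here by shuffling the list with a per-boot seed)
# decides the order in which those object files end up in memory.
# Names, offsets and sizes are illustrative, not OpenBSD's real libc layout.
OBJECTS = [
    ("string.o", {"strlen": 0x10, "strcpy": 0x80, "memcpy": 0x140}, 0x200),
    ("stdio.o",  {"printf": 0x40, "puts": 0x300, "fgets": 0x500}, 0x800),
    ("unistd.o", {"read": 0x20, "write": 0x60, "execve": 0xa0}, 0x100),
    ("stdlib.o", {"malloc": 0x100, "free": 0x1c0, "system": 0x2a0}, 0x400),
]

BASE = 0x7F3C00000000  # constructed load address (a real base is ASLR'd too)


def boot_layout(seed, randomize=True):
    """Return {symbol: address} for one 'boot' of the system.

    With randomize=False the object files keep their link order, so every
    boot produces the same layout (the status quo without this mitigation).
    """
    objs = list(OBJECTS)
    if randomize:
        random.Random(seed).shuffle(objs)  # per-boot permutation of object files
    layout, cursor = {}, BASE
    for _name, symbols, size in objs:
        for sym, off in symbols.items():
            layout[sym] = cursor + off
        cursor += size
    return layout


def delta(layout, leaked, target):
    """Offset one would add to a leaked pointer to reach target in this boot."""
    return layout[target] - layout[leaked]


def single_leak_is_stable(leaked, target, boots=range(50), randomize=True):
    """True if the leaked->target offset is identical across every boot,
    i.e. a single leaked pointer still pins target after a reboot."""
    deltas = {delta(boot_layout(s, randomize), leaked, target) for s in boots}
    return len(deltas) == 1


if __name__ == "__main__":
    for rnd in (False, True):
        print(f"randomize={rnd}: write->system offset stable across boots:",
              single_leak_is_stable("write", "system", randomize=rnd))
```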
To quote Halvar Flake on this:
A stupid idea, unfortunately. Only academia still cares about ROP. http://undeadly.org/cgi?action=article&sid=20160425145953 - sorry theo.
It's similar to the selfrando project (paper), initially designed to be used by the Tor Browser to improve its security, but removed after a couple of months because of its ineffectiveness against attackers. But selfrando was used in an environment where an attacker has a lot of control over what is happening, which is usually not the case outside of web browsers.
In January 2023, linking randomization at boot was enabled for openssh as well.
In February 2023, Albert published an article about randomizing the order of objects at compilation time on Gentoo, inspired by this mitigation.
It doesn't add complexity nor hinder performance, but it makes crashes harder to debug. It also forces an attacker to obtain better leaks than the ones that suffice to bypass ASLR.