Library order randomization
OpenBSD 3.4 came out in November 2003 with an interesting feature:
ld.so(1) on ELF platforms now loads libraries in a random order for greater resistance to attacks. The i386 architecture also maps libraries into somewhat randomized addresses.
This was implemented on the 30th of May 2003, by Dale Rahn.
In August 2016, Android Nougat also added library order randomization.
This is a small improvement over ASLR, but since it’s subject to the same limitations, it doesn’t really add security: a single pointer leak to a large enough library is a complete bypass, which isn’t much of an improvement over good ol’ ASLR.
One might argue that this still adds some entropy, except that it’s only by a pretty low amount: for n libraries, you have n! ordering possibilities, but as an attacker, you usually have enough gadgets in the libc to do anything you want, so the loading order will actually be the one I need once every n loads: e.g. if I want the libc to always be loaded in the first position, there is one chance amongst n that this will happen. This only adds around log(n) bits of randomization; if you have 500 mapped libraries, this is 6.2 bits of entropy, which isn’t much.
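The argument above can be checked numerically. The following is an added example, not code from the original page or from OpenBSD: it compares the entropy of the full load order, log(n!), with the entropy of the slot a single chosen library lands in, log(n), and confirms the one-in-n figure by simulation. The library names are constructed, the shuffle stands in for the loader's randomization, and the natural logarithm is used so that log(500) matches the 6.2 quoted above.

```python
import math
import random
from collections import Counter


def ordering_entropy(n):
    """log(n!): entropy of the complete load order of n libraries."""
    return math.lgamma(n + 1)


def target_entropy(n):
    """log(n): entropy of the slot that one chosen library ends up in."""
    return math.log(n)


def simulate_slot(n, runs, seed=0):
    """Shuffle n libraries `runs` times and record where 'libc' lands.

    Returns (fraction of runs with libc in the first slot,
             empirical entropy of libc's slot).
    """
    rng = random.Random(seed)  # seeded so the run is reproducible
    libs = ["libc"] + [f"lib{i}" for i in range(1, n)]  # constructed names
    slots = Counter()
    for _ in range(runs):
        order = libs[:]
        rng.shuffle(order)  # assumption: uniform random load order
        slots[order.index("libc")] += 1
    entropy = -sum((c / runs) * math.log(c / runs) for c in slots.values())
    return slots[0] / runs, entropy


if __name__ == "__main__":
    n = 500
    print(f"n = {n}")
    print(f"  log(n!) over all orderings : {ordering_entropy(n):8.1f}")
    print(f"  log(n) for one library slot: {target_entropy(n):8.1f}")

    first, h = simulate_slot(16, 100_000)
    print("n = 16, 100000 simulated loads")
    print(f"  libc loaded first: {first:.4f} (1/n = {1 / 16:.4f})")
    print(f"  empirical slot entropy: {h:.3f} (log n = {math.log(16):.3f})")
```

The number of orderings grows as n!, but the only quantity that matters when one library is enough is the position of that library, which has just n equally likely values.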
But it doesn’t add complexity, doesn’t hinder performance or observability, and improves ASLR a bit, so why not.