Library order randomization
OpenBSD 3.4 came out in November 2003 with an interesting feature:
ld.so(1) on ELF platforms now loads libraries in a random order for greater resistance to attacks. The i386 architecture also maps libraries into somewhat randomized addresses.
In August 2016, Android Nougat also added library order randomization.
This is a small improvement over ASLR, but since it is subject to the same limitations, it doesn't really add security: a single pointer leak into a large enough library is a complete bypass, which isn't much of an improvement over good ol' ASLR.
One might argue that this still adds some entropy, except that it is only by a pretty low amount: for n libraries you have n! possible load orders, but as an attacker you usually have enough gadgets in the libc to do anything you want, so the only position that actually matters is the one the libc loads into: e.g. if I want the libc to always be loaded in the first position, there is one chance amongst n that this will happen. This only gives log(n) bits of randomization; with 500 mapped libraries, that is 6.2 bits of entropy, which isn't much.
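The entropy argument above, worked through as an added example (not code from the original post or from either project): it contrasts the entropy of the full load order, log2(n!), with the log(n) an attacker who only cares about the libc's slot actually faces, and simulates a constructed list of n libraries to check that the libc lands in any given slot with probability 1/n no matter how the rest are shuffled. The library names and trial counts are constructed for the demonstration; note that the 6.2 figure quoted above is the natural log of 500, whereas log2(500) is about 9 bits.

```python
import math
import random


def permutation_entropy_bits(n: int) -> float:
    """Entropy (bits) of the whole load order: n! equally likely orders."""
    return math.log2(math.factorial(n))


def single_library_entropy_bits(n: int) -> float:
    """Entropy (bits) the attacker really faces when only one library
    (the libc) matters: its slot is uniform over n positions, so log2(n)."""
    return math.log2(n)


def single_library_entropy_nats(n: int) -> float:
    """Same quantity in natural-log units; ln(500) ~ 6.2 is the number quoted above."""
    return math.log(n)


def simulate_libc_slot(n: int, target_slot: int, trials: int, seed: int = 1) -> float:
    """Shuffle a constructed list of n libraries `trials` times and return the
    observed fraction of loads in which 'libc' landed in `target_slot`.
    The expected fraction is 1/n, independent of the other n-1 libraries."""
    rng = random.Random(seed)
    libs = ["libc"] + [f"lib{i}" for i in range(1, n)]  # constructed names
    hits = 0
    for _ in range(trials):
        order = libs[:]
        rng.shuffle(order)  # stand-in for ld.so randomizing the load order
        if order[target_slot] == "libc":
            hits += 1
    return hits / trials


if __name__ == "__main__":
    n = 500
    print(f"full order entropy, n={n}: {permutation_entropy_bits(n):.1f} bits")
    print(f"libc slot only, n={n}: {single_library_entropy_bits(n):.2f} bits "
          f"({single_library_entropy_nats(n):.2f} nats)")
    print(f"observed P(libc first), n=20: {simulate_libc_slot(20, 0, 20000):.3f}")
```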
But it doesn't add complexity, hinder performance or observability, and it improves ASLR a bit, so why not.