Justin Handville <nanolith@gmail.com> wrote:
> > pledge does not drop access to system calls. It blocks the *action*
> > of it, inside the kernel. You are muddling things together far too much.
>
> That's a matter of semantics. The point is that pledge reduces attack surface by
> reducing what a program is capable of doing at the system level. Dropping code
> segments is just another mitigation.
It is not. A ROP attacker will still find gadgets they want to use in
the huge % of your text segment that remains.
> > You will need to argue that I am wrong before you go any further.
>
> It doesn't matter. I'm not interested in a debate.
Nor am I.
No comments:
Post a Comment