Believing in numbers and fair evaluation, I've compared RAP and LLVM-CFI. RAP is faster, LLVM-CFI is more precise. RAP is incredibly hard to use and its future is uncertain while LLVM-CFI is just a command line argument away. Details at nebelwelt.net/blog/20181226-… Comments welcome 🤗

I’m a kernel RAP user and I don’t see the complexity. One Kconfig option in the menu. Done. As to its future, it’s a commercial product! You do need to pay for easy access. I’ve paid for grsecurity kernel patches since 2015, the patches ship RAP. Zero support problem.

I understand that, but much of the criticism in the tweet and in the article is based on hardship encountered with a 20-month-old unsupported kernel version. That experience and the conclusions drawn from it don’t represent what’s available today.

Well, the article started because @paxteam complained that nobody in academia ever evaluates RAP. I've set out to evaluate and as it turns out people are unhelpful and testing RAP is near impossible.

The problem with RAP is that there's no public documentation. RAP is too little too late. More mature CFI mechanisms have evolved and are openly available. So RAP will likely die somewhere along the way. Especially now that Android has switches to LLVM-CFI (kernel & userland).