Believing in numbers and fair evaluation, I've compared RAP and LLVM-CFI. RAP is faster, LLVM-CFI is more precise. RAP is incredibly hard to use and its future is uncertain while LLVM-CFI is just a command line argument away. Details at nebelwelt.net/blog/20181226-… Comments welcome 🤗

I’m a kernel RAP user and I don’t see the complexity. One Kconfig option in the menu. Done. As to its future, it’s a commercial product! You do need to pay for easy access. I’ve paid for grsecurity kernel patches since 2015, the patches ship RAP. Zero support problem.

I understand that, but much of the criticism in the tweet and in the article is based on hardship encountered with a 20-month-old unsupported kernel version. That experience and the conclusions drawn from it don’t represent what’s available today.

Well, the article started because @paxteam complained that nobody in academia ever evaluates RAP. I've set out to evaluate and as it turns out people are unhelpful and testing RAP is near impossible.

The problem with RAP is that there's no public documentation. RAP is too little too late. More mature CFI mechanisms have evolved and are openly available. So RAP will likely die somewhere along the way. Especially now that Android has switches to LLVM-CFI (kernel & userland).

This is incorrect. There are enough details and working code. It's totally fair that to not spend time in the kernel nor wanting to buy the commercial version, but I wouldn't draw conclusions without doing at least one of the two

We've moved past "the code is the documentation" for software. There are not enough details to reasonably reproduce RAP and @paxteam claims that the closed source version is so much better anyway ¯\_(ツ)_/¯. LLVM ships CFI since 3.7, so since 2015.