I was reminded recently when trying to look for references of the pervasiveness of PaX's ASLR for instance that it seems that if you don't speak up, someone else will rewrite history for you in their or someone else's favor: security.cs.rpi.edu/courses/… security.cs.rpi.edu/courses/…
Well, while *ASLR* was first publicly implemented by PaX, memory layout randomization was also discussed before ASLR. Even though they're not the same, one might think that was a step towards PaX ASLR.
AKA PaX both coined and implemented ASLR, so what's the gripe? Why should PaX not be discussed in the history of the very thing they created? I think the point you're missing is that there's a reason ASLR is being used and not other academic approaches discussed around the time.
None of this was controversial at all years ago. This seems to be a contrived argument from people either too young to know or too ignorant of history and wanting to create some alternate history for some reason. I don't know which, but it's getting old.
I see you mentioning ASLR but not the claim that I'm actually referring to: PaX saying he deserves credit for CFI. pax-future.txt has *some* ideas, not all. You see what I'm trying to say?
Well, because he does. If we're talking about who should be credited with developing the first compiler that implements a form of CFI, then it's obviously Microsoft. I don't think that's controversial ;) But any person can look at the code it generates...
and see that it's effectively no different from what was discussed in pax-future.txt. When later people implemented CFI, did they use Microsoft's source code? (which correct me if I'm wrong, wasn't released) So why should PaX be left out of this history as well?
I'm not saying PaX should be left out of history, where did I say that :) All I'm saying is that PaX did not coin CFI nor did he first implement it. Isn't that a fact?
I didn't call it CFI but I had described the *exact* same thing that was later rediscovered by academics (in fact, it seems that my threat model was even more generic than anyone else's then or since). Correct about the implementation, but then no one funded my work either.
As I said already, the type hash was *exemplified* with returns; it's obvious that the same defense (down to the machine code sequence) works for calls too, as you can see it in RAP/FPValidator. But then again this was written for subject matter experts at the time, not laymen :).
Mar 22, 2019 · 1:21 PM UTC