as @paxteam has mentioned many times, ASLR is to stop remote attacks, not really for locals.
We'll also probably remember this day as the one when ASLR died. Kudos to @solardiz and @paxteam for inventing a defense technique that protected computers against mainstream attacks for almost 20 years.
fair point, we should also distinguish KASLR and original ASLR as intended. "Local ASLR" is a grey area, javascript induced timing attacks against ASLR can qualify as remote too.
Replying to @jvanegue @i0n1c
the remote vs. local distinction made sense until 'remotely' an attacker couldn't program a UTM whereas he could do so 'locally'. browsers+javascript changed that and thus the boundaries blurred. ASLR was designed for the remote case only (and with known limitations even there).

Jan 4, 2018 · 9:27 PM UTC
