ASLR and PIE disabled by default

Nelson H. F. Beebe beebe at
Mon Apr 3 17:00:07 PDT 2017

List members have been discussing security mechanisms for DragonFlyBSD

I recently watched OpenBSD architect Theo de Raadt's presentation

	Pledge: a new security technology in OpenBSD

He argues that most security wrappers for software from other O/Ses
are too complex, as evidenced by their low rate of adoption.

He then goes on to describe the pledge() call that allows software to
declare its needed security features, after which the kernel ensures
that they are not violated.

I was sufficiently intrigued to try it on one of my own software
packages, and here is all that it took to get it implemented:

In, add


In the main() program, near the top, add

	#if defined(HAVE_SYS_PLEDGE_H)
	    /* Restrict the process to these promise classes from here on. */
	    if (pledge("cpath rpath stdio tty wpath", NULL) != 0)
		perror("pledge system call failed: perror says");
	#endif

For more on pledge(), see its manual pages at

Starting with a guess of "stdio" for the needed security classes, it
took me about 20 minutes to figure out what other classes my program

Matt Dillon is correct that having to add security declarations in
software is onerous, and a possible source of error, and having
external global mechanisms, such as in the kernel or the shell, or
stack W^X (write-or-execute, but not both) protection, are more

Because we see increasing attacks against software, it seems to me
that we realistically have to use both approaches, and given how
little code that pledge() takes, I am prepared to use it in new
releases of my own code.

Unfortunately, for those scripting languages such as perl, python, and
ruby, that make pretty much any Unix system call available, the
pledge() approach cannot just be put into the language interpreter: it
has to be put into the scripts themselves.

- Nelson H. F. Beebe                    Tel: +1 801 581 5254                  -
- University of Utah                    FAX: +1 801 581 4148                  -
- Department of Mathematics, 110 LCB    Internet e-mail: beebe at  -
- 155 S 1400 E RM 233                       beebe at  beebe at -
- Salt Lake City, UT 84112-0090, USA    URL: -
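
The following is an added example, not code from the message above or from the author's package. It shows a two-stage use of pledge(): a first call permits the file classes needed to open the input and output, and a second call narrows the process to "stdio" once both files are open, since a later pledge() can only reduce the set. The names restrict_to and copy_lines are hypothetical, and the guard uses the compiler's __OpenBSD__ macro rather than the HAVE_SYS_PLEDGE_H macro from the message.

```c
#include <stdio.h>
#include <unistd.h>   /* OpenBSD declares pledge() here */

/* Hypothetical wrapper: calls pledge() on OpenBSD and is a no-op elsewhere,
 * so the same source still builds on systems without the call. */
static int restrict_to(const char *promises)
{
#if defined(__OpenBSD__)
    if (pledge(promises, NULL) != 0) {
        perror("pledge");
        return -1;
    }
#else
    (void)promises;
#endif
    return 0;
}

/* Copy src to dst; return the number of lines copied, or -1 on error. */
long copy_lines(const char *src, const char *dst)
{
    FILE *in, *out;
    long lines = 0;
    int c;

    /* Stage 1: ordinary stdio plus reading, writing and creating files. */
    if (restrict_to("stdio rpath wpath cpath") != 0)
        return -1;
    if ((in = fopen(src, "r")) == NULL)
        return -1;
    if ((out = fopen(dst, "w")) == NULL) {
        fclose(in);
        return -1;
    }
    /* Stage 2: both files are open, so give up the path classes. From
     * here on, a new open() gets the process killed by the OpenBSD kernel. */
    if (restrict_to("stdio") != 0)
        lines = -1;
    while (lines >= 0 && (c = getc(in)) != EOF) {
        if (putc(c, out) == EOF)
            lines = -1;
        else if (c == '\n')
            lines++;
    }
    fclose(in);
    return (fclose(out) != 0) ? -1 : lines;
}

int main(int argc, char **argv)
{
    return (argc == 3 && copy_lines(argv[1], argv[2]) >= 0) ? 0 : 1;
}
```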
