More address space randomization: Randomized malloc()


Did you know that the addresses of objects allocated by
malloc() are fairly predictable?

Some recent exploits have relied on this!

Two types of objects are managed by malloc()

    Smaller than a page:

    malloc() maintains buckets of "chunks"
    Randomize chunk selection out of bucket
    Enabled using /etc/malloc.conf 'G' option

    Equal or greater than a page:

    Rely on random mmap()