Reducing write access even more: The .rodata segment Readonly strings and pointers were stored in the .text segment Gave them PROT_READ | PROT_EXEC Meaning const data could be executed (could be code an attacker could use) But this is ELF, not a.out... so create a new segment called .rodata These objects are now PROT_READ; they lose PROT_EXEC Basically this is all part of ensuring objects in the address space have the minimal set of permissions