Randomized malloc() Two types of objects are managed by malloc() Smaller than a page Equal or greater than a page p = malloc(16); free(p); p2 = malloc(16); if (p != p2) Excellent! For smaller than a page: malloc() maintains buckets of "chunks" Randomize chunk selection out of bucket Enabled using malloc.conf 'G' option Equal or greater than a page: Use randomized mmap() Unfinished ... Cheap. But not as perfect as we want it to be