> On Wed, Jan 14, 2015 at 3:44 PM, Mathias Svensson wrote:
> > Calls to malloc or mmap seem to be chosen randomly among 2 ** 20 pages placed at a constant offset above the base of the binary. While none of these numbers are great (25 bits to base address with no knowledge, 20 bits if knowing another pointer), they are not particularly bad either.
>
> I seem to have missed the fact that you can infer more about the base address, because of its ridiculous alignment requirements.
>
> This expression gives me the base of the PIE binary with probability 1/4096 on my system:
>
> (((uint64_t) mmap_ptr) & ~0xfffff) - 0x280000000
>
None of these approaches is a silver bullet. But they are still worth doing.
