21 Feb 2019
Since iOS 10 the JIT region isn't a simple RWX chunk; it got split into two views, RW && RX (there is a special memcpy which writes to this fixed addr, and it is ExecuteOnly, so you can't leak the JIT address by reading the code section). My question: do you know other uses of ExecuteOnly?
[local] ghostscript - executeonly Bypass with errorhandler Setup dlvr.it/QmrGCT

Re: ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961): Posted by Perry E. Metzger on Oct 09: I keep wondering if there isn't a way to fully remove the dangerous bits from a postscript interpreter so it can _only_ be used to view… dlvr.it/QmqtWM

ghostscript: bypassing executeonly to escape -dSAFER sandbox (CVE-2018-17961): Posted by Tavis Ormandy on Oct 09: Hello, this is another ghostscript -dSAFER sandbox escape that worked in HEAD up until recently, and probably all ghostscript versions still… dlvr.it/Qmnfnz

ghostscript: executeonly bypass with errorhandler setup bugs.chromium.org/p/project-…
