Add re-exec for server

This allows ASLR to re-randomize the address space for every connection, preventing some vulnerabilities from being exploitable by repeated probing. Overhead (memory and time) is yet to be confirmed. At present this is only enabled on Linux. Other BSD platforms with fexecve() would probably also work though have not been tested.
author: Matt Johnston <matt@ucc.asn.au> 2022-01-30 10:14:56 +0800
committer: Matt Johnston <matt@ucc.asn.au> 2022-01-30 10:14:56 +0800
commit: deb2ed63d904e8baf586bf97d494706ed58e7a9b (patch)
tree: c7199ab70fad3d27994e165c46b797f27c50d885 /default_options.h
parent: 0d62392b5cd34331d3c5de84a8f398ef5e706ff2 (diff)
download: dropbear-deb2ed63d904e8baf586bf97d494706ed58e7a9b.tar.gz
1 files changed, 8 insertions, 1 deletions
diff --git a/default_options.h b/default_options.h
index 62f2a39..aa9df78 100644
--- a/default_options.h
+++ b/default_options.h
@@ -37,7 +37,14 @@ IMPORTANT: Some options will require "make clean" after changes */
 #define NON_INETD_MODE 1
 #define INETD_MODE 1
 
-/* Include verbose debug output, enabled with -v at runtime. 
+/* By default Dropbear will re-execute itself for each incoming connection so
+   that memory layout may be re-randomised (ASLR) - exploiting
+   vulnerabilities becomes harder. Re-exec causes slightly more memory use
+   per connection.
+   This option is ignored on non-Linux platforms at present */
+#define DROPBEAR_REEXEC 1
+
+/* Include verbose debug output, enabled with -v at runtime.
  * This will add a reasonable amount to your executable size. */
 #define DEBUG_TRACE 0
author	Matt Johnston <matt@ucc.asn.au>	2022-01-30 10:14:56 +0800
committer	Matt Johnston <matt@ucc.asn.au>	2022-01-30 10:14:56 +0800
commit	deb2ed63d904e8baf586bf97d494706ed58e7a9b (patch)
tree	c7199ab70fad3d27994e165c46b797f27c50d885 /default_options.h
parent	0d62392b5cd34331d3c5de84a8f398ef5e706ff2 (diff)
download	dropbear-deb2ed63d904e8baf586bf97d494706ed58e7a9b.tar.gz