On Fri, Mar 29, 2019 at 5:50 AM Igor Zhbanov <i.zhbanov@xxxxxxxxxxxx> wrote:
> I want to be sure that no unsigned code page could be executed. So exploits
> could only be of ROP kind and not being able to download any extra code
> from their servers. That's why I found that disabling of anonymous executable
> pages could be useful for that (as well as disabling of making executable
> pages writable to modify already mapped code). In conjunction with IMA it
> should guarantee that no untrusted code could be executed.

Remember that many interpreted languages allow execution of code provided to them on the command line (eg, python -c) and also grant access to arbitrary syscalls, so there's still no guarantee that you're only executing trusted code.
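As an added illustration (not code from this thread or from any patch), the following audit helper flags the two mapping types the quoted proposal wants to forbid, anonymous executable pages and pages that are writable and executable at once, by parsing lines in `/proc/<pid>/maps` format. The names `classify_maps_line`, `AUDIT_ANON_EXEC` and `AUDIT_WX` are hypothetical, and the check only observes existing mappings: it enforces nothing and cannot see code run by an interpreter, which is the gap the reply points out.

```c
#include <stdio.h>
#include <string.h>

#define AUDIT_ANON_EXEC 0x1 /* executable and not backed by a file (inode 0) */
#define AUDIT_WX        0x2 /* writable and executable at the same time */

/* Classify one line in /proc/<pid>/maps format:
 *   start-end perms offset dev inode [pathname]
 * Returns a bitmask of AUDIT_* flags, or -1 if the line does not parse. */
int classify_maps_line(const char *line)
{
    unsigned long start, end, offset, inode;
    char perms[5], dev[16], path[256] = "";
    int flags = 0;

    int n = sscanf(line, "%lx-%lx %4s %lx %15s %lu %255[^\n]",
                   &start, &end, perms, &offset, dev, &inode, path);
    if (n < 6 || strlen(perms) != 4)
        return -1;

    int is_exec = perms[2] == 'x';
    int is_write = perms[1] == 'w';
    /* [vdso] and [vsyscall] are kernel-provided: executable with inode 0,
     * but not mapped by user-space code, so they are not reported. */
    int kernel_page = !strcmp(path, "[vdso]") || !strcmp(path, "[vsyscall]");

    if (is_exec && inode == 0 && !kernel_page)
        flags |= AUDIT_ANON_EXEC;
    if (is_exec && is_write)
        flags |= AUDIT_WX;
    return flags;
}

int main(int argc, char **argv)
{
    /* Audits the maps file given as argv[1], or this process itself. */
    FILE *f = fopen(argc > 1 ? argv[1] : "/proc/self/maps", "r");
    char line[512];
    int found = 0;

    if (!f) { perror("fopen"); return 2; }
    while (fgets(line, sizeof line, f)) {
        int flags = classify_maps_line(line);
        if (flags > 0) { found = 1; printf("flags=%d %s", flags, line); }
    }
    fclose(f);
    return found; /* exit status 1 if any flagged mapping was seen */
}
```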