kbrkbr 9 hours ago

> Obscurity is not security.

So ASLR [1] is not a security control? I guess you are pretty alone with this opinion.

[1] https://en.wikipedia.org/wiki/Address_space_layout_randomiza...

msm_ 9 hours ago

No, this is not what GP said, and I don't get how you reached this conclusion. This is like saying that AES is security through obscurity because it relies on the key being secret. See [1] (linked in the OP) to understand the difference better.

I am pretty sure everyone who works in security agrees that obscurity is not security.

[1] https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

minitech 8 hours ago

ASLR is (still[1]) not security by obscurity.

[1] https://news.ycombinator.com/item?id=43408079

bigstrat2003 4 hours ago

ASLR is, by definition, security by obscurity. The entire purpose of it is to make it so that it's hard to find the memory which is in use.

sixtiethutopia 10 minutes ago

That's not what security through obscurity means. Security through obscurity has a specific meaning: it doesn't just mean to gain security by hiding anything, it means to attempt to gain security by hiding how a system works.

ASLR is a well-understood system that exploit writers know to expect, and thus ASLR is not security through obscurity.

staticassertion 6 hours ago

No, because ASLR uses a secret.
