Closed
Bug 1290675
Opened 8 years ago
Closed 8 years ago
Make sure ASLR is active on macOS
Categories
(Core :: Security, defect)
RESOLVED
WORKSFORME
People
(Reporter: evilpie, Unassigned)
We might be missing ASLR and other possible compile-time hardening options on macOS. (https://theintercept.com/2016/07/29/a-famed-hacker-is-grading-thousands-of-programs-and-may-revolutionize-software-in-the-process/)
2:56 AM <•dveditz> evilpie: saw that, concerns me too. I see lots of FIXED bugs about turning on ASLR
2:56 AM <•dveditz> but on Mac (which is what I've got atm) otool -h seems to indicate we do not have it turned on
2:57 AM <•dveditz> compared to Chrome we're missing PIE and MH_NO_HEAP_EXECUTION (!!)
Comment 1•8 years ago
That's surprising, back when I added the --enable-pie flag for configure, this is what I wrote:
# On OSX, the linker defaults to building PIE programs when targetting OSX 10.7+,
# but not when targetting OSX < 10.7. OSX < 10.7 doesn't support running PIE
# programs, so as long as support for OSX 10.6 is kept, we can't build PIE.
# Even after dropping 10.6 support, MOZ_PIE would not be useful since it's the
# default (and clang says the -pie option is not used).
That is, we couldn't use PIE because of 10.6, but now that we target something bigger than 10.6, the compiler/linker should already be defaulting to PIE... except if its default changed since the time I wrote that.
Comment 2•8 years ago
And I just realized we only actively dropped 10.6 support in 49 (bug 1269790), where PIE *is* enabled.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
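
The header check discussed in this bug (otool -h, looking for PIE and MH_NO_HEAP_EXECUTION) can also be scripted by reading the Mach-O header flags directly, including each slice of a universal binary. This is an added example, not part of the bug or of Mozilla's build system; the flag values are the ones defined in <mach-o/loader.h>, and the sample headers are constructed for illustration.

```python
import struct, sys

# Constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
MH_EXECUTE = 0x2
MH_PIE = 0x200000
MH_NO_HEAP_EXECUTION = 0x1000000
MH_ALLOW_STACK_EXECUTION = 0x20000

def _thin_flags(data, off):
    """Return (filetype, flags) of the thin Mach-O image starting at off."""
    for endian in ("<", ">"):
        (magic,) = struct.unpack_from(endian + "I", data, off)
        if magic in (MH_MAGIC, MH_MAGIC_64):
            # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
            fields = struct.unpack_from(endian + "7I", data, off)
            return fields[3], fields[6]
    raise ValueError("not a Mach-O image at offset %d" % off)

def hardening_report(data):
    """Map each slice offset to its hardening-relevant header flags."""
    (magic,) = struct.unpack_from(">I", data, 0)
    if magic == FAT_MAGIC:  # universal binary: big-endian fat_header + fat_arch[]
        (nfat,) = struct.unpack_from(">I", data, 4)
        offsets = [struct.unpack_from(">5I", data, 8 + 20 * i)[2] for i in range(nfat)]
    else:
        offsets = [0]
    report = {}
    for off in offsets:
        filetype, flags = _thin_flags(data, off)
        report[off] = {
            "executable": filetype == MH_EXECUTE,
            "pie": bool(flags & MH_PIE),
            "no_heap_execution": bool(flags & MH_NO_HEAP_EXECUTION),
            "allow_stack_execution": bool(flags & MH_ALLOW_STACK_EXECUTION),
        }
    return report

def _header64(flags):
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, MH_EXECUTE, 0, 0, flags, 0)

# Constructed x86_64 headers with no load commands; not from any real build.
SAMPLE_NO_PIE = _header64(0x85)  # MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL
SAMPLE_HARDENED = _header64(0x85 | MH_PIE | MH_NO_HEAP_EXECUTION)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, hardening_report(f.read()))
```

Run against a shipped main executable, every slice should report pie as True; a slice built for a deployment target below 10.7 is where the linker default described in Comment 1 would leave it False.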