Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free) Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it. Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible. feedback tedu deraadt otto canacar ok otto