
The latest OpenSSL library has a FIPS module which needs to be built with a fixed base address to be called FIPS compliant. The rationale behind this is that having a fixed base address enables them to do an integrity check of the library.

I personally believe that this is a security risk, as attackers know the exact base address of the library and can use that location to run attacks, especially attacks like return-to-libc or return-oriented programming. Am I missing something here?

Limit

1 Answer


Having a known address is not a big risk. The only security measure that it defeats is ASLR, and ASLR is merely a technique to make exploits more difficult, it rarely makes them impossible.

The best defense against exploits is not to have a vulnerability in the first place!

This, not the fixed address, is the reason why using a FIPS-certified version of OpenSSL is detrimental to security. As new bugs are inevitably discovered, users must patch them as fast as possible, before exploits come out. As soon as you've patched the bug, you aren't running a certified version any longer. If you needed certification in the first place, you'll need to wait for a certified version with the bug fix, which typically takes months if the vendor even bothers to make one.

Given that the FIPS certification of OpenSSL is not really a security certification (FIPS 140 level 1 is little more than a check that the functions are computed correctly, the security aspects are virtually nil), the only reason to use the FIPS version rather than the latest stable release is if you need to tick the “FIPS validated” checkbox on a procurement form.

Gilles 'SO- stop being evil'
  • In short, "No, and compliance != security." – Iszi May 25 '16 at 19:06
  • `The best defense against exploits is not to have a vulnerability in the first place!` The best way to fix crime in the community is to not have criminals! Quick, someone call the DOJ! Seriously though, this is the antithesis of defense in depth. The best defense against exploits is to assume everything is vulnerable and respond by using exploit mitigations for defense. Additionally, I would argue that disabling ASLR _is_ a big risk. While it can be defeated by an attacker with arbitrary code execution, it is extremely effective at stopping scriptless exploits dead in their tracks. – forest Dec 16 '17 at 03:59
  • @forest My point is that disabling ASLR is not nearly as big a risk as not doing security upgrades. – Gilles 'SO- stop being evil' Dec 16 '17 at 12:35
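The answer above turns on one fact: a library linked at a fixed base address is placed where the linker said, so ASLR never moves it. The first thing a practitioner will want to check is whether a given library on disk is actually a fixed-address image or a position-independent one. The following C program is an added example, not code from the question, the answer, or the OpenSSL project. It reads the ELF header and classifies the file by its `e_type` field: `ET_EXEC` images carry absolute load addresses, while `ET_DYN` images (shared objects and PIE executables) can be relocated by the loader. It assumes Linux/ELF; the three sample headers embedded in it are constructed by hand for illustration and are not real OpenSSL binaries. Note the caveat this check cannot cover: `ET_DYN` only means the base *can* be randomised; whether it *is* depends on the process's ASLR setting and on things like prelinking, and the equivalent question on Windows is answered by the PE `/DYNAMICBASE` flag, not by anything shown here.

```c
/* Added example (not from the original question or answer): classify an ELF
 * image as fixed-address (ET_EXEC) or relocatable (ET_DYN) by reading e_type.
 * Assumptions: Linux/ELF layout; the SAMPLE_* headers below are constructed
 * for illustration and do not come from any real OpenSSL build. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum elf_base {
    ELF_NOT_ELF = -1,          /* bad magic, too short, or unknown byte order */
    ELF_BASE_FIXED = 0,        /* ET_EXEC: base chosen at link time, ASLR cannot move it */
    ELF_BASE_RELOCATABLE = 1,  /* ET_DYN: shared object or PIE, loader may randomise base */
    ELF_BASE_OTHER = 2         /* ET_REL, ET_CORE, ...: not a loadable image */
};

/* e_type sits at byte offset 16 in both ELFCLASS32 and ELFCLASS64 headers;
 * its byte order is given by EI_DATA (byte 5: 1 = little, 2 = big endian). */
enum elf_base classify_elf(const unsigned char *buf, size_t len)
{
    if (len < 18 || memcmp(buf, "\x7f" "ELF", 4) != 0)
        return ELF_NOT_ELF;

    uint16_t e_type;
    if (buf[5] == 1)
        e_type = (uint16_t)(buf[16] | (buf[17] << 8));
    else if (buf[5] == 2)
        e_type = (uint16_t)((buf[16] << 8) | buf[17]);
    else
        return ELF_NOT_ELF;

    switch (e_type) {
    case 2:  return ELF_BASE_FIXED;        /* ET_EXEC */
    case 3:  return ELF_BASE_RELOCATABLE;  /* ET_DYN  */
    default: return ELF_BASE_OTHER;
    }
}

const char *elf_base_name(enum elf_base b)
{
    switch (b) {
    case ELF_BASE_FIXED:       return "fixed base address (ET_EXEC), not subject to ASLR";
    case ELF_BASE_RELOCATABLE: return "relocatable (ET_DYN), loader may randomise base";
    case ELF_BASE_OTHER:       return "ELF, but not a loadable executable or shared object";
    default:                   return "not an ELF file";
    }
}

/* Constructed sample headers: the first 18 bytes are all the check needs.
 * Bytes 0-3 magic, 4 class, 5 data encoding, 6 version, 7-15 ABI/padding, 16-17 e_type. */
static const unsigned char SAMPLE_EXEC_LE64[18] =
    { 0x7f,'E','L','F', 2,1,1,0, 0,0,0,0,0,0,0,0, 0x02,0x00 };  /* 64-bit LE, ET_EXEC */
static const unsigned char SAMPLE_DYN_LE64[18] =
    { 0x7f,'E','L','F', 2,1,1,0, 0,0,0,0,0,0,0,0, 0x03,0x00 };  /* 64-bit LE, ET_DYN */
static const unsigned char SAMPLE_DYN_BE32[18] =
    { 0x7f,'E','L','F', 1,2,1,0, 0,0,0,0,0,0,0,0, 0x00,0x03 };  /* 32-bit BE, ET_DYN */

int main(int argc, char **argv)
{
    /* With a path argument, inspect a real file, e.g. ./elfcheck /usr/lib/libcrypto.so */
    if (argc > 1) {
        unsigned char hdr[64];
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        size_t n = fread(hdr, 1, sizeof hdr, f);
        fclose(f);
        printf("%s: %s\n", argv[1], elf_base_name(classify_elf(hdr, n)));
        return 0;
    }
    /* Otherwise run the constructed samples. */
    printf("sample ET_EXEC: %s\n", elf_base_name(classify_elf(SAMPLE_EXEC_LE64, sizeof SAMPLE_EXEC_LE64)));
    printf("sample ET_DYN : %s\n", elf_base_name(classify_elf(SAMPLE_DYN_LE64, sizeof SAMPLE_DYN_LE64)));
    printf("sample BE32   : %s\n", elf_base_name(classify_elf(SAMPLE_DYN_BE32, sizeof SAMPLE_DYN_BE32)));
    return 0;
}
```

Run it against the shared object you intend to load; an `ET_EXEC` result means the loader has no say in where the image lands, which is precisely the property the question worries about. Reading only the header keeps the tool independent of libelf and usable on a stripped binary.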