Re: Patch 4/6 randomize the stack pointer
From: Julien TINNES
Date: Thu Jan 27 2005 - 14:53:35 EST
> Gentlemen,
> Isn't the return address on the stack an offset in the
> code (.text) segment?
> How would a random stack-pointer value help? I think you would
> need to start a program at a random offset, not the stack!
> No stack-smasher that worked would care about the value of
> the stack-pointer.
While exploiting a stack buffer overflow you can do at least two things:
* Change the execution flow by overwriting the return address or saved EBP.
* Inject new executable code into the stack.
"Standard" stack smashing does both. The purpose of stack
randomization is to make it harder to jump to code injected into the
stack. If enough bits are randomized it's unlikely that an exploit will
find the correct address on the first try. Now all you need is to make
sure the vulnerable program won't be relaunched after a given number of
crashes (or the chances that the exploit finds the correct address will
rise).
Of course you could inject code in other places or use existing code in
the address space (libc or the running program), but this is at least a first
layer of protection, and adding layers is exactly what security is about.
--
Julien TINNES - & france telecom - R&D Division/MAPS/NSS
Research Engineer - Internet/Intranet Security
GPG: C050 EF1A 2919 FD87 57C4 DEDD E778 A9F0 14B9 C7D6
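The two points made above (enough random bits make a first-try guess unlikely, and the program must not be relaunched indefinitely after crashes) can be put into numbers. The following is an added illustration, not code from the mail or the patch series: it models a uniformly random stack address with a given number of entropy bits and a hypothetical supervisor-side crash limiter that stops relaunching a service once too many crashes land inside a time window.

```python
from collections import deque


def attack_success_probability(entropy_bits: int, attempts: int) -> float:
    """Probability that guessing a uniformly random address carrying
    `entropy_bits` of randomness succeeds at least once in `attempts` tries.
    Each wrong guess is assumed to crash the target (no information leak)."""
    p_single = 2.0 ** -entropy_bits
    return 1.0 - (1.0 - p_single) ** attempts


def expected_attempts(entropy_bits: int) -> float:
    """Expected number of tries until the first hit (geometric distribution)."""
    return 2.0 ** entropy_bits


class CrashLimiter:
    """Hypothetical relaunch policy for a service supervisor: allow a
    relaunch only while fewer than `max_crashes` crashes occurred within
    the last `window` seconds.  Bounding relaunches bounds the number of
    address guesses an attacker gets."""

    def __init__(self, max_crashes: int, window: float) -> None:
        self.max_crashes = max_crashes
        self.window = window
        self._crashes: deque[float] = deque()

    def record_crash(self, now: float) -> bool:
        """Record a crash at time `now`; return True if relaunch is allowed."""
        self._crashes.append(now)
        # Drop crashes that have aged out of the sliding window.
        while self._crashes and now - self._crashes[0] > self.window:
            self._crashes.popleft()
        return len(self._crashes) < self.max_crashes


def bounded_success(entropy_bits: int, max_crashes: int) -> float:
    """Attacker's success probability when the supervisor stops relaunching
    after `max_crashes` crashes: at most `max_crashes` guesses are possible."""
    return attack_success_probability(entropy_bits, max_crashes)


if __name__ == "__main__":
    # Constructed figures: 13 random stack bits, relaunch limit of 10 crashes.
    print("expected tries:", expected_attempts(13))
    print("success within 10 tries:", bounded_success(13, 10))
```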