Re: Patch 4/6 randomize the stack pointer

[Julien TINNES]

> Gentlemen,
>
> Isn't the return address on the stack an offset in the
> code (.text) segment?
>
> How would a random stack-pointer value help? I think you would
> need to start a program at a random offset, not the stack!
> No stack-smasher that worked would care about the value of
> the stack-pointer.

While exploiting a stacks buffer overflow you can do at least two things:
* Changing the execution flow by overwriting return address or saved EBP.
* Injecting new executable code in the stack.

"Standard" stack smashing is doing both. The purpose of stack 
randomization is to make it harder to jump to code injected into the 
stack. If enough bits are randomized it's unlikely that an exploit will 
find the correct address at the first try. Now all you need is to make 
sure the vulnerable program won't be relaunched after a given number of 
crashes (or the chances that the exploit find the correct address will 
raise).

Of course you could inject code in other places or use existing code in 
address space (libc or running program) but this is at least a first 
layer of protection and adding layers is exactly what security is about.

--
Julien TINNES - & france telecom - R&D Division/MAPS/NSS
Research Engineer - Internet/Intranet Security
GPG: C050 EF1A 2919 FD87 57C4 DEDD E778 A9F0 14B9 C7D6
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/