Re: Patch 4/6 randomize the stack pointer

From: Paulo Marques
Date: Fri Jan 28 2005 - 12:24:11 EST


John Richard Moser wrote:
In other words, no :)

Here's self-exploiting code to discover its own return address offset
and exploit itself. It'll lend some insight into how this stuff works.

I really shouldn't feed the trolls, but this must be the most silly piece of code I saw on this mailing list in a very long time (and there have been some good examples over time).

The stack randomization doesn't prevent some sort of attacks (like return into libc, etc.) and given a small randomization it might be possible to write an exploit with a long sequence of NOP's and a return address somewhere in there (the attacker wouldn't know exactly where, but it wouldn't matter anyway). If we are able to write 'N' NOP's then we get a 'N'/64k chance that the exploit works.

Your code doesn't show any of these kinds of attacks. It just shows that if you're able to run code then.... you're able to run code?

What are you going to show next? That you can steal your own car? Are you going to blame the car manufacturers for that?

As it was already pointed out this is a step into implementing a larger randomization, so that things don't break all at once. Even a large stack randomization is just another layer of protection, as there are still attacks that it doesn't prevent.... Duh.

[...] /*find the distance between a and myret*/
for (i = (void*)a; *(void**)i != myret; i++) {
distance++;
}

And this must be "la piece de resistance". Some very obfuscated (and inefficient) way to do a simple unsigned subtraction...

--
Paulo Marques - www.grupopie.com

"A journey of a thousand miles begins with a single step."
Lao-tzu, The Way of Lao-tzu
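Added example, not code from the thread or from the patch under discussion: a small C harness for measuring how many bits of stack randomization a kernel actually delivers, and what a 64k (16-bit) range buys against a NOP sled of a given size. The sample addresses below are constructed; run the program repeatedly to collect real ones.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed sample: four stack addresses as they might be observed
 * across runs on a kernel whose stack randomization is limited to the
 * low 16 bits (all share the 0xbfff0000 prefix). */
const unsigned long sample_addrs[] = {
    0xbffff6a0UL, 0xbfff1234UL, 0xbfff8e70UL, 0xbfffc000UL
};
const size_t sample_count = sizeof(sample_addrs) / sizeof(sample_addrs[0]);

/* Count how many address bits actually varied across the observations:
 * OR together each address XORed with the first, then popcount the mask.
 * With a 64k randomization no more than 16 bits can ever differ. */
int varying_bits(const unsigned long *addrs, size_t n)
{
    unsigned long mask = 0;
    int bits = 0;
    size_t i;

    for (i = 1; i < n; i++)
        mask |= addrs[i] ^ addrs[0];
    for (; mask; mask >>= 1)
        bits += (int)(mask & 1UL);
    return bits;
}

/* Probability that a single guessed return address landing inside a
 * sled of sled_bytes NOPs hits, given random_bits bits of randomization:
 * the N/64k figure from the thread. Capped at 1.0 when the sled covers
 * the whole range. */
double guess_probability(unsigned long sled_bytes, int random_bits)
{
    double range = (double)(1UL << random_bits);
    return sled_bytes >= range ? 1.0 : (double)sled_bytes / range;
}

int main(void)
{
    volatile int local = 0;   /* address of a stack slot in this run */

    printf("stack slot at %p\n", (void *)&local);
    printf("sample varies in %d bits\n",
           varying_bits(sample_addrs, sample_count));
    printf("4k sled vs 16 bits: %.4f\n", guess_probability(4096, 16));
    return local;
}
```

Run the binary a few dozen times, paste the printed addresses into the sample array, and the varying-bit count tells you whether the patch gives you the 16 bits it promises or fewer.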
