On Thu, Aug 14, 2003 at 12:00:40PM -0400, Matt Zimmerman wrote:
> On Wed, Aug 13, 2003 at 09:00:51PM -0400, valerian wrote:
>
> > It actually does a very good job of stopping any kind of "stack-smashing"
> > attack dead in its tracks (both the stack and heap are marked as
> > non-executable). That takes care of most vulnerabilities, both known and
> > unknown.
>
> No, it really doesn't. It might stop some common implementations of
> exploits, but that's about it. There are many papers available which
> describe the shortcomings of this kind of prevention.

Could you provide some pointers on the topic?

> You don't need an executable stack to get control of execution, you only
> need to be able to change the instruction pointer, which is stored on the
> stack (as data).

PaX is not just about non-executable address regions, but address space
randomization. In my understanding, the attacker just doesn't know what he
should modify the IP to. Given this, are you certain that only a narrow
range of exploits ("common implementations") can be killed via PaX?

bit,
adam

-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622  82DD 54C2 843D 37B8 D989
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net   | And out of mind Sleep forever