Gentlemen,
Isn't the return address on the stack an offset in the code (.text) segment?
How would a random stack-pointer value help? I think you would need to start a program at a random offset, not the stack! No stack-smasher that worked would care about the value of the stack-pointer.
While exploiting a stacks buffer overflow you can do at least two things: * Changing the execution flow by overwriting return address or saved EBP. * Injecting new executable code in the stack.
"Standard" stack smashing is doing both. The purpose of stack randomization is to make it harder to jump to code injected into the stack. If enough bits are randomized it's unlikely that an exploit will find the correct address at the first try. Now all you need is to make sure the vulnerable program won't be relaunched after a given number of crashes (or the chances that the exploit find the correct address will raise).
Of course you could inject code in other places or use existing code in address space (libc or running program) but this is at least a first layer of protection and adding layers is exactly what security is about.
-- Julien TINNES - & france telecom - R&D Division/MAPS/NSS Research Engineer - Internet/Intranet Security GPG: C050 EF1A 2919 FD87 57C4 DEDD E778 A9F0 14B9 C7D6 - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
