[LLVMdev] [PATCH] Protection against stack-based memory corruption errors using SafeStack
Stephen Checkoway
s at pahtak.org
Thu Nov 13 20:39:09 PST 2014
Hi Volodymyr,
On Nov 4, 2014, at 2:14 PM, Volodymyr Kuznetsov <vova.kuznetsov at epfl.ch> wrote:
> With such protection in place, overwriting the return addresses or pivoting the stack would become nearly impossible in practice, along with many ROP attacks that are based on it.
I agree that overwriting the return address becomes more difficult, but stack pivoting is still doable. On x86, overwriting a function pointer to point to
xchg eax, esp
ret
which is just two bytes, 0x94 0xc3, will pivot the stack to eax and start a return-oriented program when the function pointer is called.
--
Stephen Checkoway