
What is the success probability of a single exploitation attempt for these scenarios


Consider an architectural security measure intended to prevent stack buffer overflow attacks where, instead of storing the return address on the stack, the CPU stores the difference of the stack pointer and the return address. Specifically, the call and ret instructions now behave as follows:

  • call: Let n be the address of the next instruction. Instead of pushing n onto the stack, the call instruction pushes (n − esp), where esp is the stack pointer and n the address of the next instruction after the call instruction.
  • ret: Instead of popping n from the stack and jumping to n, the ret instruction pops x and jumps to (esp + x).

Does the proposed measure make exploitation of stack buffer overflows harder under the following 4 conditions? What is the success probability of a single exploitation attempt for these 4? (e.g. 1, 2^−16, 2^−24, 2^−40)

  1. Without ASLR or DEP/W⊕X
  2. Without ASLR, with DEP/W⊕X
  3. With ASLR, without DEP/W⊕X
  4. With ASLR and DEP/W⊕X

We may assume that either the mapped region or the text segment contains sufficient ROP gadgets to implement your shellcode.

Also, the ASLR implementation is 32-bit PaX ASLR, where the stack base has 24 bits randomized and is aligned on a 16-byte boundary, the address of the mapped area has 16 bits randomized and is aligned on a 4096-byte boundary, and the address of the region containing the code, static variables, and heap has 16 bits randomized and is aligned on a 4096-byte boundary, as summarized below.


Daniel S (comment):
This is more a question for [security.stackexchange.com](https://security.stackexchange.com/questions). The answer will depend on how much the exploiter can determine about the likely value of ESP (e.g. can they determine it exactly from an overread?) and so an exact answer will be hard to provide. There’s not really a cryptographic aspect to this question.
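A small model of the relative call/ret scheme from the question, added here as an example (it is not code from the post). It assumes 32-bit wrap-around arithmetic, a stack growing down in 4-byte words, and that the esp in the call rule is the value before the push; it shows that a normal call/ret round trip still returns to the right place, and that a fixed word sitting in the return slot resolves to an address relative to the stack pointer, so where it lands depends on esp, which is exactly the quantity Daniel S's comment turns on.

```python
WORD = 4
MASK = 0xFFFFFFFF  # 32-bit machine, all arithmetic wraps


class Cpu:
    """Minimal machine state: sparse word-addressed memory, esp and eip."""

    def __init__(self, esp):
        self.esp = esp
        self.mem = {}  # constructed, sparse memory: address -> word
        self.eip = 0

    def push(self, value):
        self.esp = (self.esp - WORD) & MASK
        self.mem[self.esp] = value & MASK

    def pop(self):
        value = self.mem.get(self.esp, 0)
        self.esp = (self.esp + WORD) & MASK
        return value

    def call(self, target, next_insn):
        # Modified call: store (n - esp) instead of n. esp is taken as the
        # value before the push (assumption; the question does not say).
        self.push(next_insn - self.esp)
        self.eip = target

    def ret(self):
        # Modified ret: pop x and jump to (esp + x), esp being the value
        # after the pop. Returns the new eip for inspection.
        x = self.pop()
        self.eip = (self.esp + x) & MASK
        return self.eip


def round_trip(stack_base, callee=0x08048500, next_insn=0x08048123):
    """Normal call then ret: control comes back to next_insn for any base."""
    cpu = Cpu(stack_base)
    cpu.call(callee, next_insn)
    return cpu.ret()


def target_of_stored_word(stack_base, stored):
    """Where ret lands if the return slot holds the fixed word `stored`.

    The result is stack_base + stored: the same slot contents resolve to a
    different absolute address for every stack base, so hitting a fixed
    code address needs esp to be known, while a stack-relative target does not.
    """
    cpu = Cpu(stack_base)
    cpu.call(0x08048500, 0x08048123)
    cpu.mem[cpu.esp] = stored & MASK  # return slot replaced by a constant
    return cpu.ret()
```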

