Consider an architectural security measure intended to prevent stack buffer overflow attacks in which, instead of storing the return address on the stack, the CPU stores the difference between the return address and the stack pointer. Specifically, the call and ret instructions now behave as follows:
- call: Let n be the address of the instruction following the call instruction. Instead of pushing n onto the stack, the call instruction pushes (n − esp), where esp is the stack pointer.
- ret: Instead of popping n from the stack and jumping to n, the ret instruction pops x and jumps to (esp + x).
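The following model of the two modified instructions is an added example, not part of the original question. It assumes a 32-bit machine with a downward-growing stack, that call reads esp before it pushes, and that ret reads esp after it pops (the only pairing under which a plain call/ret round-trip returns to n); `resolve` then shows where a stored word sends ret when the same frame sits at a different stack base, which is the property the ASLR cases below turn on.

```python
MASK = 0xFFFFFFFF  # 32-bit machine, as in the question


class Machine:
    """Minimal stack model: word-addressed memory, esp grows downward."""

    def __init__(self, esp):
        self.esp = esp
        self.mem = {}  # constructed stack memory: address -> 32-bit word

    def push(self, val):
        self.esp = (self.esp - 4) & MASK
        self.mem[self.esp] = val & MASK

    def pop(self):
        val = self.mem[self.esp]
        self.esp = (self.esp + 4) & MASK
        return val


def call(m, n):
    """Proposed call: push (n - esp). Assumption: esp is read before the push."""
    m.push(n - m.esp)


def ret(m):
    """Proposed ret: pop x, jump to (esp + x). Assumption: esp is read after the pop."""
    x = m.pop()
    return (m.esp + x) & MASK


def call_ret_roundtrip(stack_base, n):
    """Return (stored word, ret target) for a call whose next instruction is n."""
    m = Machine(stack_base)
    call(m, n)
    stored = m.mem[m.esp]
    return stored, ret(m)


def resolve(stack_base, stored):
    """Where ret lands for a given stored word when the frame sits at stack_base."""
    m = Machine(stack_base)
    m.push(stored)
    return ret(m)


if __name__ == "__main__":
    n = 0x08048123  # constructed code address
    for base in (0xBFFFF000, 0xBF123450):  # two constructed stack positions
        stored, target = call_ret_roundtrip(base, n)
        print(f"base={base:#010x} stored={stored:#010x} ret->{target:#010x}")
    # The same stored word means a different target once the stack moves:
    print(f"{resolve(0xBFFFF000, 0x48049123):#010x} vs {resolve(0xBF123450, 0x48049123):#010x}")
```

A legitimate round-trip always returns to n whatever the stack base, while a fixed stored word resolves to esp + x, so its target moves with the stack; the unchanged quantity across bases is the distance from esp, not the absolute address.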
Does the proposed measure make exploitation of stack buffer overflows harder under the following four conditions? What is the success probability of a single exploitation attempt in each of the four cases? (e.g. 1, 2^−16, 2^−24, 2^−40)
- Without ASLR or DEP/W⊕X
- Without ASLR, with DEP/W⊕X
- With ASLR, without DEP/W⊕X
- With ASLR and DEP/W⊕X
We may assume that either the mapped region or the text segment contains sufficient ROP gadgets to implement your shellcode.
Also, the ASLR implementation is 32-bit PaX ASLR, where the stack base has 24 bits randomized and is aligned on a 16-byte boundary, the address of the mapped area has 16 bits randomized and is aligned on a 4096-byte boundary, and the address of the region containing the code, static variables, and heap has 16 bits randomized and is aligned on a 4096-byte boundary, as summarized below.