On Tue, 2005-12-13 at 17:03 +0000, Mike Hearn wrote:
On Mon, 12 Dec 2005 12:27:07 -0500, Stephen Smalley wrote:
> exec-shield is a mechanism that approximates NX support, but does not
> define policy, so it cannot differentiate between a legitimate
> application request for executable memory from the same request induced
> by malicious code
I thought that in order to get malicious code into a running program with
any degree of reliability you need to know its VMA layout, and execshield
prevents that. So how can you do attacks like this with execshield enabled?
http://www.stanford.edu/~blp/papers/asrandom.pdf
--
Stephen Smalley
National Security Agency