The conversation continues regarding the stack overflow article I posted yesterday.
Quoth Matt:
The attack I was referring to was for a conventional stack overflow (return address overwrite). It’s still possible (if the stack is laid out properly) to leverage a stack overflow in the same frame that the overflow occurs. I just simplified for the conventional scenario.
…and Ken Johnson, another Positive coder, adds:
It’s also worth pointing out that you can make the stack grow in the opposite direction on x86, just that in practice almost nobody uses that feature.
Really, a better idea is to just switch to a more modern architecture with a better designed calling convention instead of switching which way the stack grows. x64 and IA64 don’t have SEH overwrite vulnerabilities on Windows, for instance. Additionally, as I recall, IA64 doesn’t even store the return address on the primary stack, which makes it significantly harder to gain flow control through a stack overflow (though certainly not impossible if there are things like function pointers on the stack).
I’m kind of surprised that Apple didn’t just go to x64 directly and skip x86-32 entirely.
I hadn’t thought about going directly to x64 before, but now that Ken mentions it, it does make me wonder. One of the main drivers for Apple’s Intel switch was their inability to get a fast PPC chip into the laptops, due to power and heat issues. I wonder if Apple had decided that x64 wasn’t going to be ready in time with sufficiently low-power chips.