
    Of note is that the memory protector is walking the stack looking for things that look like freed pointers. I somehow missed that when the feature was announced and thought the freed memory was simply delayed a random amount (like OpenBSD does). Making the free further dependent on other controllable data is exactly the kind of thing that probably seems safe because you don’t know how to attack it, and then one day…


      How much does something like WX solve all of this?


        Mostly orthogonal, which is to say, not at all sadly. Most exploits probably just use ROP techniques today, which only require executing existing code. The hard part for them is finding that code in the address space.
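A toy C model of the mechanism the first comment describes (delayed free plus a conservative scan for words that look like pointers into freed blocks), added here as an illustration; it is not code from the thread or from any browser. To keep the demo deterministic the root region is passed in explicitly instead of reading the real stack, and every name in it (mp_free, mp_reclaim, mp_demo, MP_MAX) is invented for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy delayed-free quarantine (hypothetical, not IE's MemoryProtector):
 * free() is deferred, and a block is released only once a conservative scan
 * of a root region finds no word that still points into it. */
#define MP_MAX 64
struct mp_entry { void *base; size_t size; };
static struct mp_entry quarantine[MP_MAX];
static size_t nquar;
/* Park the block instead of releasing it; scrub it so stale reads see zeros. */
int mp_free(void *p, size_t size) {
    if (nquar == MP_MAX) return -1;            /* caller must reclaim first */
    memset(p, 0, size);
    quarantine[nquar++] = (struct mp_entry){ p, size };
    return 0;
}
/* Conservative check: does any aligned word in [lo, hi) look like a pointer
 * into this block? A match keeps it parked, false positives included; that
 * dependence on whatever is on the stack is the worry in the first comment. */
static int referenced(const struct mp_entry *e, const void *lo, const void *hi) {
    uintptr_t b = (uintptr_t)e->base, end = b + e->size;
    for (const uintptr_t *w = lo; (const void *)(w + 1) <= hi; w++)
        if (*w >= b && *w < end) return 1;
    return 0;
}
/* Release every quarantined block not referenced from [lo, hi); return count. */
size_t mp_reclaim(const void *lo, const void *hi) {
    size_t released = 0, keep = 0;
    for (size_t i = 0; i < nquar; i++) {
        if (referenced(&quarantine[i], lo, hi)) quarantine[keep++] = quarantine[i];
        else { free(quarantine[i].base); released++; }
    }
    nquar = keep;
    return released;
}
size_t mp_quarantined(void) { return nquar; }
/* Constructed demo: a fake stack holding an interior pointer into block a and
 * nothing pointing at block b. Returns 1 when the behaviour is as expected. */
int mp_demo(void) {
    char *a = malloc(32), *b = malloc(32);
    uintptr_t roots[4] = { 0, (uintptr_t)(a + 8), 0x41414141u, 0 };
    mp_free(a, 32); mp_free(b, 32);
    int ok = mp_reclaim(roots, roots + 4) == 1 && mp_quarantined() == 1;
    roots[1] = 0;                              /* last reference to a dies */
    ok = ok && mp_reclaim(roots, roots + 4) == 1 && mp_quarantined() == 0;
    return ok;
}
```

The first reclaim pass keeps block a alive purely because a matching word sits in the scanned region, which is the data-dependent behaviour the comment calls out: the moment of the real free is decided by whatever values happen to be on the stack.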