Difficulties facing the attacker

Attacker faces the following difficulties:

- ProPolice: Must guess 32 bit number to overwrite frame pointer or return address
- ProPolice: Flags/pointers are below buffers in stack frames
- W^X: Nothing writeable in the address space is executable
- W^X: signal() trampoline is not writeable
- W^X: GOT, PLT, and dtor are not writeable
- W^X: const data is not executable
- vectors are not writeable
- sparc*: Must guess 32 bit number to overwrite return address
- Shared libraries mapped at different addresses each time
- malloc() and mmap() provide randomized allocation
- malloc() and mmap() put in guard pages (mostly complete)
- Many programs revoke their privilege
- Many privileged programs separate their privileges into another process
- Top of stack is randomly biased
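
The W^X items above can be checked statically from a binary's segment permissions. The following is an added example, not code from the original slides or from the project they describe: it assumes little-endian ELF64 images, treats PT_GNU_STACK as the stack-permission marker (a GNU toolchain convention), and uses hypothetical helper names and constructed sample images.

```python
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551      # segment types inspected here
PF_X, PF_W, PF_R = 1, 2, 4                  # segment permission bits
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 file header, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header, 56 bytes


def wx_violations(image: bytes):
    """Return [(index, p_type, p_flags)] for segments that are writable AND executable."""
    if len(image) < EHDR.size or image[:4] != b"\x7fELF" or image[4] != 2 or image[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    fields = EHDR.unpack_from(image)
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]
    if phentsize != PHDR.size or phoff + phnum * phentsize > len(image):
        raise ValueError("program header table is malformed or truncated")
    bad = []
    for i in range(phnum):
        p_type, p_flags = PHDR.unpack_from(image, phoff + i * phentsize)[:2]
        if p_type in (PT_LOAD, PT_GNU_STACK) and p_flags & PF_W and p_flags & PF_X:
            bad.append((i, p_type, p_flags))
    return bad


def build_sample(segments):
    """Constructed test image: file header plus program header table, no contents."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELFCLASS64, little-endian
    ehdr = EHDR.pack(ident, 2, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(segments), 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(t, fl, 0, 0, 0, 0, 0, 0x1000) for t, fl in segments)


# Constructed samples: text R+X, const data R only, data R+W, stack R+W ...
HARDENED = build_sample([(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R),
                         (PT_LOAD, PF_R | PF_W), (PT_GNU_STACK, PF_R | PF_W)])
# ... versus a single RWX segment and an executable stack.
WEAK = build_sample([(PT_LOAD, PF_R | PF_W | PF_X),
                     (PT_GNU_STACK, PF_R | PF_W | PF_X)])

if __name__ == "__main__":
    for name, img in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, wx_violations(img))
```

This covers only the permissions recorded at link time; mappings a process creates or changes at run time need a separate check of its live memory map.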