[OneLessThing]

“Exploit authors don’t really care about stack cookies, especially with today’s techniques like rop, jop, srop”

None of those suggested techniques address stack cookies but okay, I’ll keep listening.

“We can overwrite parts of the heap, the problem is the heap is not executable on amd64 and arm64”

And that’s where you’ve lost me. Processor has no concept of the “heap.” Whether or not you can make heap pages executable is up to the OS, and all common OS’s let you do this. Not only that, but the browser you’re using to view this very page is probably using executable allocations right now to JIT the (very little) JavaScript on this site.

[kaslai]

Just because the OS _can_ mark any page as executable doesn't mean that it does. Typically, unless there is a very specific need for an executable allocation, the executable flag is intentionally turned off.

[drb91]

I interpreted it as meaning “by default”.

[OneLessThing]

amd64 and arm64 have no default heap configuration, they don’t even know what the heap is. Same is true for their 32 bit equivalents. If he said Linux based OS’s or Windows have non executable heaps then I’d have kept watching because yeah you could assume he meant “by default”. Instead he blamed the processor and not only that but only 64 bit processors. It’s a massive misunderstanding on his part.

[drb91]

By default on some os.

Doesn’t strike me as a misunderstanding at all—my current cpu/os combo also doesn’t ship with an executable heap. This strikes me as lazy editing, but not a clear misunderstanding.

[adamnemecek]

Page executability does have a hw aspect.