
StackGhost: Protecting the return address -- when in memory


So the SPILL & FILL handlers save and restore stack frames
to and from memory...
            ... making buffer overflow attacks possible on sparc

StackGhost changes the SPILL & FILL handlers:

    XOR the in-register copy of %i7 with a per-process
    random number ("wcookie") when transferring
    to/from memory

wcookie is selected randomly at process startup time

Was held up by lack of GDB support, but enabled in OpenBSD 3.6

Might be feasable on other register window architectures:

sparc64 ia64

