@Medinoc said in Security by obscurity fails again:
By the way, ASLR should also work without NX, because a good ASLR would also randomize the stack's location (and as such, the absolute address with which the return address must be overwritten).
Against the very first buffer overflow attacks, randomising the stack's location was all that was needed, because the first ones (1) relied on scribbling the payload downloader code into the stack, along with a return address that transferred control to the downloader. This was before the NX stuff existed (and the NX thing is only needed because the people who write operating systems on x86 are too lazy to do their jobs right by separating code from data. If you have code from zero up to HERE, and data from 0xF...F down to THERE, and you size the code and data segment descriptors correctly, the segmentation features in x86 will allow you to absolutely prevent code execution if the code is in the stack, because the stack is in the data segment (it has to be writeable), and stack addresses, therefore, lie outside the code segment limits, and are therefore not executable. It doesn't help with return-to-libc attacks, but absolutely prevents return-to-stack attacks.)
(1) I read about them on the Cult of the Dead Cow site about 20 years ago...
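The two defences the post describes, a code segment growing up from zero and a data segment (holding the stack) growing down from the top of memory, plus randomising where the stack lands, can be modelled in a few lines. The following Python is an added illustration, not code from the thread or its posters: the 32-bit layout, segment sizes, page-aligned slide range and the `AddressSpace`/`Segment` names are all assumptions chosen for the model. It shows why a return into a stack buffer faults under the segmentation scheme while a return into the code segment (the return-to-libc caveat) still executes, and why a buffer address observed in one run stops being useful once the stack top is randomised.

```python
"""Model of x86 segment limits and stack-location randomisation (added example)."""
import random
from dataclasses import dataclass

TOP = 0xFFFFFFFF  # assumed 32-bit flat address space, as in the x86 discussion


@dataclass(frozen=True)
class Segment:
    """A code or data segment described by base, limit and access rights."""
    base: int
    limit: int          # highest valid offset inside the segment
    executable: bool
    writable: bool

    def contains(self, addr: int) -> bool:
        return self.base <= addr <= self.base + self.limit


class AddressSpace:
    """Code grows up from 0; data (which holds the stack) grows down from TOP."""

    def __init__(self, code_size: int, data_size: int, randomize_stack: bool, seed=None):
        self.code = Segment(0, code_size - 1, executable=True, writable=False)
        self.data = Segment(TOP - data_size + 1, data_size - 1, executable=False, writable=True)
        # Stack randomisation: slide the stack top down by a random page-aligned amount
        # (range and alignment are assumptions of this model, not a real OS policy).
        rng = random.Random(seed)
        slide = rng.randrange(0, data_size // 2, 0x1000) if randomize_stack else 0
        self.stack_top = TOP - slide

    def can_execute(self, addr: int) -> bool:
        # Only addresses inside the code segment's limits may be fetched as instructions
        return self.code.contains(addr)

    def can_write(self, addr: int) -> bool:
        return self.data.contains(addr)

    def stack_buffer_address(self, frame_offset: int) -> int:
        """Address of a local buffer living frame_offset bytes below the stack top."""
        return self.stack_top - frame_offset


def classify_return_target(space: AddressSpace, target: int) -> str:
    """The segment-limit check the CPU applies when control transfers to target."""
    if space.can_execute(target):
        return "executes"                                # code-segment address, e.g. a libc routine
    if space.can_write(target):
        return "fault: data segment is not executable"   # e.g. a buffer on the stack
    return "fault: outside every segment"


def stack_buffer_is_stable(randomize_stack: bool, runs: int = 20, frame_offset: int = 0x200) -> bool:
    """Does the same local buffer land at one fixed address across fresh processes?"""
    addrs = {
        AddressSpace(0x400000, 0x400000, randomize_stack, seed=i).stack_buffer_address(frame_offset)
        for i in range(runs)
    }
    return len(addrs) == 1


if __name__ == "__main__":
    fixed = AddressSpace(0x400000, 0x400000, randomize_stack=False)
    buf = fixed.stack_buffer_address(0x200)
    print(f"return into stack buffer {buf:#x}: {classify_return_target(fixed, buf)}")
    print(f"return into code segment 0x1000: {classify_return_target(fixed, 0x1000)}")
    print("buffer address stable without randomisation:", stack_buffer_is_stable(False))
    print("buffer address stable with randomisation:   ", stack_buffer_is_stable(True))
```

With a fixed stack the buffer address is identical in every run; with the slide enabled it differs from run to run, which is the whole point of randomising the stack. Note that `classify_return_target` reports "executes" for any code-segment address, which is exactly the gap the post acknowledges for return-to-libc.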