> If we clear the registers, what the hell are you going to put in the
> RSB that helps you?

RSB allows you to control chains of gadgets. You can likely find some chain of gadgets that set up constants in registers in a lot of useful ways. Perhaps not any way (so it may be hard to scan through all of memory), but it's likely you could find gadgets that result in a lot of useful direct mapped addresses, which the next gadget can then reference. Especially RAX is quite vulnerable to this, because there will be a lot of code that does "modify RAX in interesting ways ; RET".

> So instead of saying "we have to flush the return stack", I'm saying
> that we should look at things that make flushing the return stack
> _unnecessary_, simply because even if the attacker were to control it
> entirely, they'd still be up shit creek without a paddle.

I agree that clearing registers is useful (was just hacking on that patch).

-Andi