Not knowing anything about ARM, I didn't get how this bit is supposed to work:

    We enforce this rule by restricting the sorts of operations that
    programs can use to alter sp. Programs can alter sp by adding or
    subtracting an immediate, as a side-effect of a load or store:
    ldr rX, [sp], #4! ; loads from stack, then adds 4 to sp
    These are safe because, as we mentioned before, the largest
    immediate available in a load or store is ±4095. Even after adding or
    subtracting 4095, the stack pointer will still be within the sandbox or
    guard regions.

I get the idea of the guard protecting against the biggest immediate offset, but what stops me doing an SP-updating LDR with a big offset multiple times, pushing SP beyond my "safe" memory segment?

EDIT: I guess I might be taking:

    Any other operation that alters sp must be followed by a guard
    instruction.

too precisely, and you could just follow every ldr which writes back SP with a BIC too. Maybe I'm missing the point.

EDIT2: Wait, wait, I get it now. Once the stack pointer is in the guard area, the CPU faults if you do another LDR. Don't mind me!
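The realization in EDIT2 is easier to see with a small model of the two halves of the rule: the static validator (immediates bounded to ±4095, any other sp update immediately followed by the guard) and the runtime behaviour (a load through an sp that has drifted into the unmapped guard region faults before it can move sp any further). The following is an added example written for this thread; it is not code from the paper or from the Native Client project. The sandbox layout (base, size, guard size), the tuple encoding of instructions and the exact form of the modeled guard (clear the bits above the sandbox size, then restore the base) are all constructed assumptions of this toy, not the paper's values.

```python
# Toy model of the NaCl-ARM stack-pointer rule quoted in the comment above.
# Added example; not code from the paper or the commenters. The layout values,
# the op encoding and the guard's exact mask are constructed for illustration.

SANDBOX_BASE = 0x10000000          # constructed: 256 MiB-aligned sandbox base
SANDBOX_SIZE = 0x10000000          # constructed: 256 MiB, a power of two
GUARD_SIZE = 0x1000                # must exceed MAX_IMM so one step cannot jump past it
MAX_IMM = 4095                     # largest ARM load/store immediate (from the quote)
ADDR_MASK = 0xFFFFFFFF             # 32-bit address space

SANDBOX_END = SANDBOX_BASE + SANDBOX_SIZE


class Fault(Exception):
    """A load/store touched an unmapped address (guard region or beyond)."""


def in_sandbox(addr):
    return SANDBOX_BASE <= addr < SANDBOX_END


def in_guard(addr):
    below = SANDBOX_BASE - GUARD_SIZE <= addr < SANDBOX_BASE
    above = SANDBOX_END <= addr < SANDBOX_END + GUARD_SIZE
    return below or above


def validate(ops):
    """Static check in the spirit of the quoted rule.

    ops is a list of constructed tuples:
      ("ldr_wb", imm)   ldr rX, [sp], #imm  -- sp altered by an immediate writeback
      ("add_sp_reg",)   add sp, sp, rN      -- sp altered by a register (unbounded)
      ("guard",)        the masking guard instruction
    Rejects immediates beyond +-4095 and any unbounded sp update that is not
    immediately followed by a guard.
    """
    for i, op in enumerate(ops):
        kind = op[0]
        if kind == "ldr_wb" and not -MAX_IMM <= op[1] <= MAX_IMM:
            return False
        if kind == "add_sp_reg":
            if i + 1 >= len(ops) or ops[i + 1][0] != "guard":
                return False
    return True


def step(sp, op, reg_value=0):
    """Execute one op on the simulated CPU; returns the new sp or raises Fault."""
    kind = op[0]
    if kind == "ldr_wb":
        if not in_sandbox(sp):         # the access happens before the writeback
            raise Fault(f"access at {sp:#x} is outside the sandbox")
        return (sp + op[1]) & ADDR_MASK
    if kind == "add_sp_reg":
        return (sp + reg_value) & ADDR_MASK
    if kind == "guard":
        # Modeled guard: clear the bits above the sandbox size, then restore the base.
        return SANDBOX_BASE | (sp & (SANDBOX_SIZE - 1))
    raise ValueError(kind)


def run(sp, ops, reg_value=0):
    """Run validated ops. Returns (sp, faulted_at); faulted_at is None or an op index."""
    if not validate(ops):
        raise ValueError("rejected by validator")
    for i, op in enumerate(ops):
        try:
            sp = step(sp, op, reg_value)
        except Fault:
            return sp, i
    # Every accepted sequence ends with sp in the sandbox or a guard region.
    assert in_sandbox(sp) or in_guard(sp)
    return sp, None


def walk_off_attempt(steps=10):
    """The scenario from the comment: repeat ldr rX, [sp], #4095 near the stack top.

    Returns (sp when execution stopped, index of the faulting op). The first load
    moves sp into the guard region; the second load faults there, so sp never
    gets past SANDBOX_END + GUARD_SIZE no matter how many steps are queued.
    """
    ops = [("ldr_wb", MAX_IMM)] * steps
    return run(SANDBOX_END - 4, ops)
```

The two functions split the rule the way the paper does: `validate` is what the loader checks once, before the code runs; `step` is what the hardware does for free, since the guard pages are mapped with no read/write/execute permission. The unbounded `add_sp_reg` case shows why the guard instruction is only required there: after the mask, sp is back in the sandbox regardless of what the register held.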
I see a lot of interesting techniques here. What I couldn't figure out is how writes to code areas in the sandbox are prevented. I'd guess they mark pages with code bundles as read-only, but I don't see any specific mention of it.

(The article does mention that the guard pages are set to no read/write/execute.)