Kurt Rodarmer convinced me that there are difficult circumstances where NX can provide a valuable security backup, even for Keykos. These circumstances include code, G, that decodes necessary messages from untrusted sources. It is always possible to get G right, in which case NX is unnecessary; possible, but famously difficult. It may be strategic to borrow G from legacy software. It may be necessary, or highly convenient, to give G significant authority X. Verifying that such a G is not gullible is error prone and a significant burden. In either case flaws in G may result in “maliciously crafted messages” carrying code that then wields authority X.
Typically G will be chartered to deliver messages to other system components after decoding some external message. If code from malicious messages wields X then we have merely extended the perimeter and are logically back to having a new source of messages that cannot be trusted.
There is a bright spot here that must be noted: the format of these secondary messages is under our control, and so they conform to binary message patterns designed to convey only missives that the system is designed to act upon safely. Decoding these secondary messages is far easier!
Perhaps it is never necessary to give G dangerous authority, but if so, doing without it is an undeveloped art.
NX does not counter the attack in which the original message overwrites the part of the stack that holds the return address; the CPU does not execute instructions on the stack in this case, so the attacker must instead branch to some address within trusted code that happens to support the attack. I have not explored that art. Trusted code is seldom written with that attack in mind.
Often we can afford to write the code that decodes messages in a type-safe language.