June 7th, 2004, 10:42 PM
AMD/Intel "NX bit"
Please someone explain:
1. How does having the "NX" bit enabled for non-executable pages differ from what "Solar Designer"'s Intel Linux patch (released quite a few years ago now) does? Specifically, this seems to be a hardware method of doing the same thing, which strikes me as a bit silly if you can do it in software on existing machines (unless there is a performance difference).
2. Does having the "NX" bit enabled mitigate "return into libc" stack-smashing attacks in Linux or Win32 (/Win64)? If not, it's not very useful, is it, as there are many existing exploits which use "return into libc"?
3. What non-AMD compatible hardware already supports this functionality (if any), and is it used by other OSes already (for example Mac OS X, Solaris)?
June 8th, 2004, 09:45 AM
I don't know much about it so won't be answering all your questions, but I did read this stuff about NX...
NX support is important enough that it's worth risking problems with some applications, Torvalds said. "I think most people have seen the security disaster that causes most of the e-mails on the Net to be spam. So this should be trivial to explain to people when they complain about default behavior breaking their strange legacy app,"
Hope that helps...
When it comes down to what software is allowed to do with any given page or area of memory, most CPU hardware doesn't distinguish between permission to read data and permission to execute instructions. AMD64 processors, however, support an extra flag or attribute to mark individual memory areas as nonexecutable -- the NX bit in the page table entry (PTE) -- when running in 64-bit or in 32-bit Physical Address Extension (PAE) mode.
The latter enables processors to address more than 4GB of memory, the normal ceiling for a 32-bit CPU, and its extra level of paging makes NX possible. Microsoft says some 32-bit applications and drivers may stumble when running in PAE mode, but Service Pack 2 reduces the risk of incompatibility by making hardware-abstraction-layer changes that mimic "classic" 32-bit direct-memory-access (DMA) behavior.
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio, the best station for C64 Remixes!
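As an added illustration (my own example, not code from this thread or from any of the kernels mentioned), here is what the quoted article's "NX bit in the page table entry" looks like bit for bit: a decoder and builder for the 64-bit PTE format that AMD64 long mode and 32-bit PAE mode share. It assumes 4 KiB pages and a 52-bit physical address space, and the sample entries are constructed values, not dumped from a real machine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* 64-bit page table entry (PTE) layout shared by AMD64 long mode and 32-bit PAE mode.
 * Assumption: 4 KiB pages, 52-bit physical addresses (frame address in bits 12..51).
 * Legacy non-PAE entries are only 32 bits wide and have no NX bit at all. */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_WRITABLE  (1ULL << 1)
#define PTE_USER      (1ULL << 2)
#define PTE_NX        (1ULL << 63)  /* 1 = instruction fetch from this page faults */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL

struct pte_info {
    bool present, writable, user, nx;
    uint64_t frame;  /* physical address of the 4 KiB frame */
};

struct pte_info decode_pte(uint64_t pte) {
    struct pte_info i;
    i.present  = (pte & PTE_PRESENT)  != 0;
    i.writable = (pte & PTE_WRITABLE) != 0;
    i.user     = (pte & PTE_USER)     != 0;
    i.nx       = (pte & PTE_NX)       != 0;
    i.frame    = pte & PTE_ADDR_MASK;
    return i;
}

/* What an NX-aware kernel writes for a data page (stack, heap): present,
 * optionally writable, and NX set so the CPU refuses to execute from it. */
uint64_t make_data_pte(uint64_t frame, bool writable, bool user) {
    uint64_t pte = (frame & PTE_ADDR_MASK) | PTE_PRESENT | PTE_NX;
    if (writable) pte |= PTE_WRITABLE;
    if (user)     pte |= PTE_USER;
    return pte;
}

/* The CPU fetches instructions from a page only if it is present and NX is clear;
 * present + writable + executable is exactly the combination NX exists to remove. */
bool pte_is_executable(uint64_t pte) {
    struct pte_info i = decode_pte(pte);
    return i.present && !i.nx;
}

int main(void) {
    /* Constructed sample entries, not read from a real machine. */
    uint64_t stack_pte = make_data_pte(0x12345000ULL, true, true); /* 0x8000000012345007 */
    uint64_t text_pte  = 0x0000000000401025ULL; /* present, user, accessed, NX clear */
    printf("stack exec=%d  text exec=%d\n", pte_is_executable(stack_pte), pte_is_executable(text_pte));
    return 0;
}
```

The bit only does anything when the CPU actually implements it and the kernel has switched it on (EFER.NXE on AMD64); on older CPUs or in non-PAE mode there is nowhere to put it, which is the gap the software patches were filling.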
June 8th, 2004, 01:11 PM
Not sure it completely answers my question, but this is my current analysis:
- Solar Designer's patch is now in some vendor kernels already
- "NX" does exactly the same, but via a different mechanism; the performance difference (if any) is unclear
- This is obviously a Good Thing, because only a very small percentage of ia32 compatible machines currently have AMD64 compatible CPUs
- Windows lags miles behind, with WinXP SP2 only implementing this function on NX-capable CPUs
Plus I *suspect*
- "return-into-libc" exploits will still work with NX enabled (as they do with Solar Designer's patch)
I haven't seen any on Win32, but they are theoretically possible (return into MSVCRT.dll or return into kernel32.dll, returning into, for example, WinExec, CreateProcess or system()).