|
|
Log in / Subscribe / Register

Exclusive page-frame ownership

Exclusive page-frame ownership

Posted Sep 15, 2016 3:58 UTC (Thu) by kees (subscriber, #27264)
Parent article: Exclusive page-frame ownership

There's been a lot of confusion around the kernel/user memory segregation features, so a while back I attempted to clarify the CPU vs upstream kernel features needed for PXN/SMEP (block execution of user-space memory from kernel-space) and PAN/SMAP (block read/write of user-space memory from kernel-space), either in hardware or emulated, with some tables here:

PXN/SMEP: http://kernsec.org/wiki/index.php/Exploit_Methods/Userspa...

PAN/SMAP: http://kernsec.org/wiki/index.php/Exploit_Methods/Userspa...

If there are mistakes there, let me know and I'll fix 'em. :)

to post comments

Exclusive page-frame ownership

Posted Sep 15, 2016 12:21 UTC (Thu) by PaXTeam (guest, #24616) [Link] (1 responses)

1. i think referring to SMEP/PXN as 'segmentation' is somewhat confusing as that word has a specific meaning on x86 chips (and yet another on ppc) and no meaning on arm AFAIK.

2. the UDEREF style page table entry shadowing and switching on user/kernel transitions would work on any arch that can otherwise support kernel mode execution control (so UDEREF works on pre-IVB, let alone pre-BDW). if the arch has some form of address space/context ID mechanism then this can be further optimized though in my experience the end result still sucks for performance unfortunately.

3. i wouldn't call data access control/prevention a superset of execution prevention as i think most processors clearly distinguish between insn fetches and data accesses (different caches, TLBs, access control, etc) and thus you can control them indepedently.

Exclusive page-frame ownership

Posted Sep 15, 2016 19:55 UTC (Thu) by kees (subscriber, #27264) [Link]

1. Yes, quite right. I've changed those to "segregation". I'm open to a better term for this, though.

2. I think I covered that already in the text above the tables ("via separate page tables" and "page table swapping"). Is it the table's "could use PCID?" note that feels inaccurate?

3. Yup, fair point. I've clarified it to mention the emulation case (e.g. CONFIG_SW_DOMAIN_PAN provides PXN emulation as well as PAN emulation) and distinguish the instruction fetch from data access.

Thanks!


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds