x86 NX support
At least, it didn't until very recently. AMD added a no-execute (NX) permission bit to the page table entries in its 64-bit processors; Intel has recently said it will be supporting this mode as well. So the hardware will be able to avoid executing code from certain regions of memory, making various types of buffer overflow attacks harder. At least, that will be true if the operating system supports and uses the NX mode.
To that end, Ingo Molnar has posted a patch bringing NX support to the x86 architecture; his patch is based on previous work done by Intel and the x86_64 NX support by Andi Kleen. This patch allows applications to mark areas as being non-executable; such areas, typically, will include the stack and heap zones. It also applies the NX bit to the kernel itself; kernel text is marked executable, but kernel data is not. As a result, the next time a buffer overflow turns up in the kernel, it, too, will be harder to exploit.
The NX bit only works when the processor is running in the PAE mode. Most x86 Linux systems currently do not run in that mode; it is normally only turned on when large amounts of memory (more than 4GB) are installed. This mode adds a third level of page tables, and makes the page table entries themselves larger, so users and distributors normally turn it off if it is not needed. Most modern x86 processors support the PAE mode, however; security considerations may lead to it being used more heavily in the future.
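The page-table detail behind this paragraph, worked through in code: an added example, not code from the article or from the kernel patch, that decodes a classic 32-bit page table entry next to a 64-bit PAE entry. The bit positions (present, writable and user in the low bits; the physical frame from bit 12 up; the no-execute bit in bit 63 of a PAE entry) follow the Intel and AMD architecture manuals; the sample entries are constructed for illustration.

```python
"""Decode x86 page-table entries in the two formats the article contrasts.

Added example, not code from the article or from Ingo Molnar's patch. A
classic 32-bit PTE has no spare bit, so every present page is executable;
a 64-bit PAE entry reserves bit 63 as the no-execute (NX, Intel "XD") bit.
Sample entries in __main__ are constructed for illustration.
"""
import struct

# Flag bits shared by both formats (low 12 bits of the entry).
PTE_PRESENT = 1 << 0
PTE_WRITE = 1 << 1
PTE_USER = 1 << 2

# PAE / long mode only: bit 63 is the no-execute bit. The frame address sits
# in bits 12..51 (52 bits is the architectural limit on physical addresses).
PAE_NX_BIT = 1 << 63
PAE_FRAME_MASK = ((1 << 52) - 1) & ~0xFFF
LEGACY_FRAME_MASK = 0xFFFFF000  # 32-bit PTE: bits 12..31 hold the frame


def decode_legacy_pte(pte: int) -> dict:
    """Classic 32-bit (non-PAE) entry: there is no bit left to say
    "not executable", so any mapped page can be executed."""
    if pte >> 32:
        raise ValueError("legacy PTE must fit in 32 bits")
    return {
        "present": bool(pte & PTE_PRESENT),
        "writable": bool(pte & PTE_WRITE),
        "user": bool(pte & PTE_USER),
        "frame": pte & LEGACY_FRAME_MASK,
        "executable": bool(pte & PTE_PRESENT),  # no NX bit exists here
    }


def decode_pae_pte(pte: int) -> dict:
    """64-bit PAE entry: the single extra bit (63) marks the page
    non-executable once the CPU's NX feature is enabled."""
    if pte >> 64:
        raise ValueError("PAE PTE must fit in 64 bits")
    present = bool(pte & PTE_PRESENT)
    return {
        "present": present,
        "writable": bool(pte & PTE_WRITE),
        "user": bool(pte & PTE_USER),
        "frame": pte & PAE_FRAME_MASK,
        "executable": present and not (pte & PAE_NX_BIT),
    }


def make_pae_pte(frame: int, *, writable: bool, user: bool, nx: bool) -> int:
    """Build a present PAE entry. The usual policy is writable + NX for stack
    and heap pages, read-only + executable for code pages."""
    if frame & 0xFFF or frame & ~PAE_FRAME_MASK:
        raise ValueError("frame must be a 4 KiB-aligned address below 2**52")
    pte = frame | PTE_PRESENT
    if writable:
        pte |= PTE_WRITE
    if user:
        pte |= PTE_USER
    if nx:
        pte |= PAE_NX_BIT
    return pte


def pte_bytes(pte: int, pae: bool) -> bytes:
    """Raw little-endian encoding as the entry would sit in the page table:
    8 bytes per entry under PAE, 4 bytes in the legacy format."""
    return struct.pack("<Q" if pae else "<I", pte)


if __name__ == "__main__":
    # Constructed samples: a user stack page and a user code page.
    stack = make_pae_pte(0x1234000, writable=True, user=True, nx=True)
    text = make_pae_pte(0x2000, writable=False, user=True, nx=False)
    print(f"PAE stack PTE {stack:#018x} -> {decode_pae_pte(stack)}")
    print(f"PAE text PTE  {text:#018x} -> {decode_pae_pte(text)}")
    legacy = 0x1234000 | PTE_PRESENT | PTE_WRITE | PTE_USER
    print(f"legacy PTE    {legacy:#010x} -> {decode_legacy_pte(legacy)}")
```

The doubling of the entry size from four to eight bytes is the cost the paragraph mentions; the single high bit is what buys the non-executable stack and heap.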
Linus's main concern about the patch would appear to be how many old applications it might break. The reply from Arjan van de Ven is that pretty much everything "just works." The no-execute permission is not applied unless the code is specially marked in the image file, and gcc apparently does a good job of not setting that flag when it would break things. If this experience holds true, NX support could go in fairly quickly, and a longstanding x86 security weakness will be no more.
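The marking in the image file that the paragraph refers to is the PT_GNU_STACK program header written by the GNU linker: on x86 Linux a process gets an executable stack only when that header is absent or carries the PF_X flag. The example below, added here and not taken from the article or the patch, parses that header out of an ELF image and applies that rule. The image it inspects by default is a constructed minimal ELF64 file, not a real binary; given a path, it inspects a real one.

```python
"""Check whether an ELF image asks for an executable stack.

Added example (not the article's or the patch's code). The marking is the
PT_GNU_STACK program header (p_type 0x6474e551) written by the GNU linker;
on x86 Linux the process gets an executable stack only when that header is
absent or carries PF_X. The image built in build_sample_elf64 is a
constructed, minimal ELF64 file, not a real binary.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ELF_MAGIC = b"\x7fELF"

# Program-header layouts (little-endian); field order differs between classes.
PHDR64 = "<IIQQQQQQ"  # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
PHDR32 = "<IIIIIIII"  # p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align


def gnu_stack_flags(image: bytes):
    """Return p_flags of the PT_GNU_STACK header, or None if there is none."""
    if image[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = image[4], image[5]
    if ei_data != 1:
        raise ValueError("only little-endian ELF is handled here")
    if ei_class == 2:    # ELF64: e_phoff @0x20, e_phentsize @0x36, e_phnum @0x38
        (e_phoff,) = struct.unpack_from("<Q", image, 0x20)
        e_phentsize, e_phnum = struct.unpack_from("<HH", image, 0x36)
        fmt, flags_idx = PHDR64, 1
    elif ei_class == 1:  # ELF32: e_phoff @0x1c, e_phentsize @0x2a, e_phnum @0x2c
        (e_phoff,) = struct.unpack_from("<I", image, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from("<HH", image, 0x2A)
        fmt, flags_idx = PHDR32, 6
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    if e_phentsize < struct.calcsize(fmt):
        raise ValueError("program header entries too small")
    for i in range(e_phnum):
        fields = struct.unpack_from(fmt, image, e_phoff + i * e_phentsize)
        if fields[0] == PT_GNU_STACK:
            return fields[flags_idx]
    return None


def stack_is_executable(image: bytes) -> bool:
    """Kernel policy: a missing PT_GNU_STACK means the legacy executable stack."""
    flags = gnu_stack_flags(image)
    return flags is None or bool(flags & PF_X)


def build_sample_elf64(stack_flags):
    """Constructed ELF64 image: 64-byte header plus at most one program header.
    stack_flags=None leaves PT_GNU_STACK out, as an older toolchain would."""
    phdrs = b""
    if stack_flags is not None:
        phdrs = struct.pack(PHDR64, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8  # class64, LE, version 1
    header = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1,        # e_type ET_EXEC, e_machine x86-64, e_version
        0, 64, 0,          # e_entry, e_phoff (right after the header), e_shoff
        0, 64, 56,         # e_flags, e_ehsize, e_phentsize
        1 if stack_flags is not None else 0,  # e_phnum
        0, 0, 0)           # e_shentsize, e_shnum, e_shstrndx
    return header + phdrs


def describe(image: bytes) -> str:
    """One-line verdict in the spirit of the GNU_STACK line of readelf -l."""
    flags = gnu_stack_flags(image)
    if flags is None:
        return "no PT_GNU_STACK header: stack executable (legacy default)"
    perms = "".join(c for c, bit in (("r", PF_R), ("w", PF_W), ("x", PF_X)) if flags & bit)
    verdict = "executable" if flags & PF_X else "non-executable"
    return "PT_GNU_STACK flags=%s: stack %s" % (perms, verdict)


if __name__ == "__main__":
    if len(sys.argv) > 1:          # inspect a real binary from disk
        with open(sys.argv[1], "rb") as f:
            print(describe(f.read()))
    else:                          # constructed samples
        for flags in (PF_R | PF_W, PF_R | PF_W | PF_X, None):
            print(describe(build_sample_elf64(flags)))
```

On a real binary, `readelf -lW` shows the same header as a `GNU_STACK` line whose flags read `RW` for a non-executable stack and `RWE` for an executable one; a missing line is the case the kernel treats as the legacy executable stack.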
For people interested in testing this patch, Arjan has merged it into the latest Fedora Core test kernels. See the patch announcement for a pointer. There is also a "quickstart" document for those who would like to test out NX in their own kernels.
| Index entries for this article | |
|---|---|
| Kernel | NX support |
| Kernel | Security/Security technologies |
Posted Jun 3, 2004 5:02 UTC (Thu) by rfunk (subscriber, #4054)

> a longstanding x86 security weakness will be no more.

Well, at least for those running x86-64 machines. The masses of us still running plain old 32-bit x86 machines get no joy.

Posted Jun 3, 2004 9:47 UTC (Thu) by hansl (subscriber, #5086)

> Well, at least for those running x86-64 machines. The masses of us still running plain old 32-bit x86 machines get no joy.

No, as I understand it a 32bit x86 processor with PAE support (which is what most people run) is supported. But it is somewhat of a hack since PAE needs to be turned on even with small amounts (less than 4GB) of memory and it does come at a certain performance cost.

PAE needs to be turned on because only then there is extra room in the processor's page tables (just 1 bit per page) to mark memory non-executable.

-Hans

Posted Jun 3, 2004 14:32 UTC (Thu) by knobunc (guest, #4678)

The quickstart document cited in the article says:

> - make sure you have a CPU that has the NX feature. Such CPUs are: all 64-bit variants of AMD (Athlon64, Opteron), future CPUs of Intel, Transmeta and VIA. (NOTE: 64-bit x86_64 kernels already make use of the 64-bit variant of the NX feature - this patch is only meant for 32-bit x86 kernels and distributions.)

So you do have to have a compatible processor. This change adds protection when you are running a 32-bit kernel.

-ben

Posted Jun 3, 2004 12:29 UTC (Thu) by lacostej (guest, #2760)

How is the support in other OSes for this function?

Posted Jun 10, 2004 8:34 UTC (Thu) by job (guest, #670)

> a longstanding x86 security weakness will be no more

Is this really true? Pages being non-executable has been implemented by PaX and other patches for years. Linus did not want to merge it because it only changes the way you have to write the exploits, not the possibility of the exploits themselves -- as he convincingly demonstrated on lkml. Has something changed since then or is this security-by-obscurity again?