Transmeta To Add 'NX' Antivirus Feature To Chips

Autoversicherung writes points to a ZDNet story which says that "Transmeta will support "No Execute," or NX, in their next core revision. Transmeta will provide advance versions of Efficeon-based systems with NX support to Microsoft for testing. Hope Linus get a few too, even if he's no longer working there. The NX-equipped Efficeon chips are due for general release later this year."

Enterprise Computing?

[AKAImBatman]

If they call it the "NX-01", I'm gonna shoot somebody.

Re:Enterprise Computing?

Wow, I didn't see the Star Wars reference at all.

Perhaps you should go outside more often.

Re:Enterprise Computing?

[DarkHelmet]

NX-01? Is that a Star Trek reference? I always thought that Star Trek ended after First Contact. Damn... I'm glad they didn't drag that franchise out and run it into the ground...

Or maybe I'm from a parallel universe...

Re:Enterprise Computing?

Is it star trek or star wars that this is a reference to?

(sorry, I'm not a fan of either)

Re:Enterprise Computing?

[cbreaker]

Star Trek. It's the ship tag of the ship on the show Enterprise.

Re:Enterprise Computing?

[istewart]

TAKE ME BACK WITH YOU!

Re:Enterprise Computing?

If they call it the "NX-01", I'm gonna shoot somebody.

Depending who you intend shooting there might be a lot of support.

Re:Enterprise Computing?

[adamfranco]

I am not a crook!

Re:Enterprise Computing?

Weird... I thought that parallel universe of yours got destroyed two seasons ago. Have they just retconned you back into existence, in our timeline? Do you remember any weird anomalies that might indicate a dimensional phase shift on your part?

I didn't RTFA, but

[alphakappa]

can someone please explain why NX is important (and how it is differnt from NOP), and why it was not there earlier? Thanks

Re:I didn't RTFA, but

[alphakappa]

Okay, I just read the article. Pretty stupid question I asked (about NX and NOP). Don't even bother to reply.

Re:I didn't RTFA, but

[zgornz]

NX is completely different from NOP.

NX means you can mark a segment of code, well not code but data, as NX [Not Executable]. So lets say I mark some buffer as NX (Because it is just to contain a string anyway) and then someone finds a buffer overflow, and fills my string with some shell code then uses the buffer overflow to jump over to the string's location.

No luck, the shell code is marked NX.

Re:I didn't RTFA, but

My understanding is that it is a hardware implementation to the "execute" flag in unix/linux. I guess Microsoft doesnt write good enough software to implement it on its own-unlike linux.

NOP tells the processor to not do anything for a cycle. NX will say that this program shouldn't be executed if sent to the processor. While a NOP is an intended command, NX will be theroretically be completely out of the developer's domain, making viruses harder to produce. I don't think it will work any better than Linux and user attributes, and maybe even worse come windows vulnerabilities (think malware^1000).

Re:I didn't RTFA, but

[bnavarro]

It's been awhile since I took Assembly, but from what I understand, NX, or "No Execute", is an instruction that tells the processor to refuse to execute any binary data stored in certain locations in memory. This way, you cannot execute code that might be hidden inside, say, a string variable; this is a common exploit used by trojans & worms called a "buffer overrun", meaning it tries to insert code past the legal length of the string, and, if conditions are right, the code gets executed before the program crashes. I believe that the "NX" feature is found on "Big Iron" processors, and has been for quite some time.

NOP, on the other hand, is "No Operation". Literally, step over this instruction and do nothing. Applications for this are fairly limited, but they do not include attempting to block illegal code from running inside of data space

Re:I didn't RTFA, but

Basically, the NX bit lets you prevent code from being executed out of a buffer on the stack.

The standard way to exploit a buffer overflow on x86 style chips is to put compiled code at the end of the input so that it goes onto the stack in the right place, and when the function returns, it ends up running the code for the exploit.

It wasn't there before mostly because of the fact that x86 wasn't originally designed for a protected environment. There wasn't any sort of protected mode until the 286, and there wasn't a useful one until the 386. Because of this, protection flags and other security and permissions features were a complete afterthought.

Re:I didn't RTFA, but

[Rosco+P.+Coltrane]

it is a hardware implementation to the "execute" flag in unix/linux. I guess Microsoft doesnt write good enough software to implement it on its own-unlike linux. NOP tells the processor to not do anything for a cycle.

Microsoft certainly knows about NOP though...

Re:I didn't RTFA, but

[tedu]

NX is not an instruction at all. it's an extra bit in a page table entry, augmenting the existing read and write bits (among other). once the x86 page table format was decided, it wasn't possible to go back and add a new bit. the introduction of PAE means that the page table entries are twice as big, mostly for larger physical addresses, but an extra bit can be shaved off and used for NX.

Re:I didn't RTFA, but

[tedu]

the "execute" flag, assuming you are talking about memory protection and not some file permission bit which is unrelated, depends on CPU support. linux supports it on x86 no better than microsoft. if you use openbsd or pax patches, segments or other tricks are used to fake an X bit. but your assertion that ms can't implement an execute flag while linux (especially the stock kernel) can is pretty false.

Re:I didn't RTFA, but

[DaveLatham]

I don't think this will help with shell code, because that is interpreted at a higher level than the machine anyway, hence it is read as data not executed as machine code. If you replace shell code with machine code, then I think it's a good example.

So this is definitely not gonna solve all buffer overflows, but hopefully will help with some.

Re:I didn't RTFA, but

[tedu]

shell code is not executed by the shell. shell code is machine code designed to get you a shell.

Re:I didn't RTFA, but

[DaveLatham]

Thanks for the info. I guess the phrase is used both ways.

Re:I didn't RTFA, but

[gantrep]

Are you sure you weren't thinking of a shell "script"? I have never heard of "shell code" used besides the one way.

Re:I didn't RTFA, but

[gantrep]

Actually, it sounds like one of the new things MS did in sp2 is that it now takes advantage of the NX processor protection feature in AMD and intel chips

Data execution prevention (DEP) marks all memory locations in a process as non-executable unless the location explicitly contains executable code. There is a class of attacks that attempt to insert and execute code from non-executable memory locations. Data execution prevention helps prevent these attacks by intercepting them and raising an exception.

Data execution prevention relies on processor hardware to mark memory with an attribute that indicates that code should not be executed from that memory. Data execution prevention functions on a per-virtual memory page basis, most often changing a bit in the page table entry (PTE) to mark the memory page.

The actual hardware implementation of DEP and marking of the virtual memory page varies by processor architecture. However, processors that support data execution prevention are capable of raising an exception when code is executed from a page marked with the appropriate attribute set.

Both Intel and Advanced Micro Devices (AMD) have defined and shipped Windows-compatible architectures for data execution prevention. Windows supports DEP on the AMD64 platform and Intel Itanium Processor Family (IPF) processors.

The 32-bit version of Windows (beginning with Windows XP Service Pack 2) utilizes the no-execute page-protection (NX) processor feature as defined by AMD. In order to use the NX processor feature, the processor must be running in Physical Address Extension (PAE) mode. The 64-bit versions of Windows uses the NX processor feature on 64-bit extensions and certain values of the access rights page table entry (PTE) field on IPF processors.

It is hoped that future 32-bit and 64-bit processors will provide data execution prevention. Microsoft is addressing possible compatibility issues with existing applications and drivers while working with processor vendors to encourage the adoption and development of DEP technologies.

What unix/linux "execute" flag do you mean? Are you talking about this?
It seems to say that it works around a limitation of the x86 architecture, and while I think this is pretty clever, I think it makes more sense to do it with hardware protections instead of the workaround.

Read more about changes in SP2 here

Especially note that it gives IE pop-up blocking turned on by default!

Re:I didn't RTFA, but

[Mycroft_VIII]

Hmm, haven't really thought about it on modern processors, but going back a ways there were some clever uses of NOP on the 6510.
The obvious use is of course timing loops on older processors where the timing of every opcod was fixed, and no cache or multitude of busses between the processor and the ram/rom.
There were also tricks with spacing your code for self editing code and such.
I wish I could remember more but I know there where a LOT of cool uses for many of the 6510 opcodes, especially the undocumented ones. I remmber the Geos Operating system played just about every game imaginable in its copy-protection scheme including self modifying code with undocumented opcodes and missaligned sectors on the disk.

Mycroft

Re:I didn't RTFA, but

[OhHellWithIt]

I believe that the "NX" feature is found on "Big Iron" processors, and has been for quite some time.

And not just on Big Iron. Data General Eclipse minicomputer systems had a multi-layer protection scheme that prevented the buffer overflow trick from working. For that matter, I dimly recall that a series of Motorola processors had a hardware-level set of privileged instructions, which, if the OS took advantage of them, would prevent viruses from doing anything beyond what the end user could do.

Re:I didn't RTFA, but

[Directrix1]

So exactly how does this help anything when you take into consideration the fact that A BUFFER OVERFLOW WORKS BY OVERFLOWING THE BUFFER INTO EXECUTABLE CODE SPACE, and then the overwritten bytes in the segment already marked as code are executed upon subsequent function call?

Re:I didn't RTFA, but

[Jay+Carlson]

Microsoft certainly knows about NOP though...

So do I...

Jay Carlson nop@nop.com (what the hell, I can't get MORE spam, can I?)

Self-knowledge is always bad news.
:John Barth

Re:I didn't RTFA, but

[hesiod]

> what the hell, I can't get MORE spam, can I?

That's like saying "Matrix 3 CAN'T get worse than Matrix 2, can it?"

Re:I didn't RTFA, but

[eggnet]

If I'm not mistaken, a buffer overflow works by overflowing the stack and hopefully changing a pointer that existing code will use to jump to the location of the attacker's choice eventually. If you mark executable code pages read only and writable data pages non-executable, that attack becomes significantly more difficult. Don't know if that's what they're talking about here. OpenBSD does that already on x86.

Re:I didn't RTFA, but

[DaveLatham]

Looking at Google for "shell code" shows that it is used both ways.

The nessecity of security

While security is good the problem with these chips is less than obvious. Needing to get around these security chips will force many hackers to work on ways to hack things such as these, providing a wider base of security bypassing techniques. A better idea is to use something like bind (not to be confused with the BIND of DNS) that uses pseudo-randomization to keep hackers out

Why not

just limit the buffers? So they can't overflow.

No Execute?

So how do you turn on this feature? I'd love for "No Execute" to protect me from accidentally running Windows if I choose the wrong option in my dual-boot setup. Will NX be supported by Grub/Lilo?

So this excludes

[qrash]

...Windows running on these

Note to editors

The NX bit is not an 'antivirus' feature.

Re:Note to editors

[Just+Some+Guy]

It's a general anti-buffer-overrun feature (among other things) that patches some of the holes commonly used by viruses and worms to escalate privileges. That's very anti-virus, in that it will make it more difficult to write the critters. It is not exclusively useful for blocking viruses, but I don't think that anyone was making that argument.

Re:Note to editors

Viruses do not have to, and in most cases don't even try to obtain extra privileges. Page-level no-exec protection has nothing to do with viruses.

is this worth it?

[Sunda666]

Hmm I may be totally wrong here, but ain't this NO EXECUTE thing a responsibility of the operating system?!?
Why implement this at the hardware level, besides "making windows more secure"?

cheers.

Re:is this worth it?

[LostCluster]

Because any time you're allocating memory for yourself, the OS isn't quite sure just what you're going to put there. When it's assembly-written code, the OS really can't tell the difference between the load of more code and the load of data.

Besides, what if the buffer exploit is inside the operating system itself? Even Linux could fall victim to that kind of mistake. We've found that as long as bad code is distributed, somebody will still be running it long after the issue has been discovered and patched, and there's been worms to prove it.

Re:is this worth it?

[MonMotha]

It can be done in software (grsecurity does it on x86 in linux), but is much faster if done in hardware (and I believe linux makes use of it already on those archetectures which support it such as Alpha and UltraSparc).

There is significant overhead in doing it in software since you need to check the NX flag every time you bring up a page of code to execute. If it's done in hardware, you don't need to even do a context switch on many archetectures, and the hardware will just throw an exception if something bad happens (trying to execute code marked not executable), which the kernel will catch and handle (likely by segfaulting the offending process). Possibly remote root hole turns into a trivial DoS attack.

Re:is this worth it?

[AKAImBatman]

It wouldn't be a problem if OSes properly separated code and data segments. By marking it properly in the GDT or LDT, even an exploit in the kernel shouldn't allow arbitrary code to run. And if the write does continue into a code segment, a general protection fault should occur.

This NX thing sounds like just a bunch of hoopla to make Microsoft start doing their job. Unfortunately, I don't think Linux is much better. :-/

Re:is this worth it?

[Chester+K]

Hmm I may be totally wrong here, but ain't this NO EXECUTE thing a responsibility of the operating system?!?

Unless it's Palladium, the operating system doesn't care what's running in user space beyond what it needs to know about to ensure operational integrity. A buffer overflow in an application doesn't compromise the OS, it compromises the application -- and even if it wanted to, the OS likely wouldn't even be able to tell with any reliability that something illicit was happening in the process. The NX flag is a way of letting the OS know how to know if things go sour.

Re:is this worth it?

[e9th]

Unless it's a 'trusted' app. Find a hole in /usr/bin/su and you're home free.

Re:is this worth it?

[tedu]

do you think that read and write memory protections should be the responsibility of the operating system? how does the OS control the cpu if there's no way to tell it what and what not to do?

Re:is this worth it?

[Cuthalion]

Well, email viruses can still exist, though, since your email client has access to all the functionality needed to look through an addressbook and send mail out.

Re:is this worth it?

[MonMotha]

Well, memory you grab in Linux with malloc(...) and friends isn't *supposed* to be executable, though some applications (XFree86 comes to mind, amongst others, not to bash XFree86) think that it is.

This is why using NX and friends on Linux can break apps. Any application that loads code into memory it grabbed with malloc or similar will get killed when it tries to run code in that memory space (since that memory isn't supposed to be executable).

Now, there are ways around this of course. The proper way is to fix the application to either not use malloc for grabbing storage for things that are supposed to be executable or to include an option when calling malloc to say "yeah yeah, but I need to this to be executable too", though that sounds kinda hackish.

The way it's currently implemented with software implementations of NX are to provide a userspace tool to mark an application as "broken" or whatever and therefore exempt from NX checking. Silly and insecure, but it works.

Re:is this worth it?

[bluGill]

On Intel chips there is no way to tell the difference between memory that can be read, and memory that can be executed. That means your memory can be executed by any program that ca access it.. The only way around this is to mark the memory as not readable, and trap all accesses to it, and let only the ones that are reading the memory though. It would work, but your gigahertz computer would operate at about the speed of a 286 do to all the checking that needs to be done all the time.

Re:is this worth it?

[LostCluster]

Well, memory you grab in Linux with malloc(...) and friends isn't *supposed* to be executable, though some applications (XFree86 comes to mind, amongst others, not to bash XFree86) think that it is.

This is why using NX and friends on Linux can break apps. Any application that loads code into memory it grabbed with malloc or similar will get killed when it tries to run code in that memory space (since that memory isn't supposed to be executable).

There are plenty of dumbly-written Windows apps that have the same bad programming logic. Afterall, it takes bad programming to create a buffer flaw anyway.

The best thing to do would be to present an option to the user in the configuration of the operating system whether they want malloc reqests that not marked with an NX value to be presumed data, presummed executable, or just outright refused on the assumption that even a properly written program that's unaware of NX just isn't worth the risk.

Programming languages that have a Malloc function can simply implement Malloc with an optional parameter that's highly recommended, create a Malloc_NX or simmilar function, or simply pull the rug out from under the old Malloc syntax to force programmers to upgrade or die.

Re:is this worth it?

[AKAImBatman]

On Intel chips there is no way to tell the difference between memory that can be read, and memory that can be executed.

Incorrect. Read Section 3.2.3 "Multi-segment Model" of the "IA-32 Intel® Architecture Software Developer's Manual: Volume 3: System Programming Guide". It lists both data and code segments quite clearly. This stuff has been around since the 386 days.

Re:is this worth it?

[G-funk]

Bzt... LDT/GDT entries on the x86 don't have seperate read and execute bits, which I imagine is exactly what this NX flag is.

Re:is this worth it?

[AKAImBatman]

Yes, they do. Why does everyone insist that they don't? I was reading about the execute vs. data segments back in the days of 386s!

Here's the manual if you don't believe me.

Re:is this worth it?

[AKAImBatman]

Sorry, the actual table of flags is Section 3.4.3.1.

Re:is this worth it?

[G-funk]

Ok, you're right you got me. /me smack head

But what I meant to say was the page table entries don't have an execute bit, which is what I believe the NX flag is, for cases where the OS was designed with 4gb flat selectors for CS/DS. This would allow (with much less modification to applications/system) page-specific protection against execution.

Re:is this worth it?

[Rick+and+Roll]

OpenBSD supports AMD's decision to add the NX bit. OpenBSD has proven to be the most secure full-featured desktop/server operationg system.

'Nuff said.

Re:is this worth it?

[Chester+K]

Well, email viruses can still exist, though, since your email client has access to all the functionality needed to look through an addressbook and send mail out.

Exactly. And the OS has absolutely no way of knowing that a certain program (your email client) should not be sending email due to a certain condition (a script embedded in a message). Operating systems just don't have that much insight into the process's functionality -- and they shouldn't either. Imagine how big the kernel would have to be to implement detailed security rules for every type of application you might ever want to run on it!

NX is not a silver bullet to eliminate all exploits -- and not even Microsoft is trying to paint it as such. It is, however, a very effective solution for dealing with a very specific (and, in practice, common) type of exploit.

Re:is this worth it?

[makomk]

There are plenty of dumbly-written Windows apps that have the same bad programming logic. Afterall, it takes bad programming to create a buffer flaw anyway.

Actually, on Windows there is an official way to allocate meory that you want to execute code from - just call the VirtualAlloc() function with the right flags, and voila! (It can only alloctae whole pages, though)

Re:is this worth it?

[hesiod]

> (It can only alloctae whole pages, though)

I don't know if this makes a difference in any way, but this chip would set NX on whole pages as well.

I did RTFA

[magefile]

and it said it's supposed to prevent buffer overflows, and that some are being provided to MSFT for testing ... but WTF is NX, and HTF does it work?

Re:I did RTFA

[OverlordQ]

Like the name says, set's some memory/registers/ireallyhavenoclue to No Execute. What this does is not allow anything within to be execute, so even if somebody did a buffer overflow exploit, the shellcode/commands to run/etc couldn't get executed.

But then again, I know absolutely nothing so I may be completely wrong.

Re:I did RTFA

Basically, it's not necessary. It's just a stepping-stone to full DRMS, and another way for MS to throw a bone at their loyal hardware push... er um suppliers.

Re:I did RTFA

[LiquidCoooled]

But what if my buffer overflow overwrote code already marked as Execute?

This would then get executed exactly as before and we still have the problem?

Re:I did RTFA

[MBCook]

N o e X ecute.

It allows you to mark, in hardware, which pages of memory can and can not be exected from. The way it prevents buffer overflows is this:

Application sets up the buffer, and code expoits it to put it's own data into the buffer so it can be executed. But because the page of memory that was holding the buffer was marked NX, the processor won't EVER execute it, it will raise an exception.

So by using this you can make it nearly impossible to exploit buffer overflows in software. You'd have to find software that didn't set the bit. I can see no reason to do such a thing other than some kind of self modifying code buffer, and I would hope people would know better than that by now because if you implement that and let the user pass code, you're just ASKING for bugs.

Linux supports it, I think OpenBSD supports it (other BSDs probably too), Windows XP SP 2 is supposed to support it, I think Solaris supports it, and that's all I know off the top of my head (but that's all the major OSes anyways).

Re:I did RTFA

[AKAImBatman]

But what if my buffer overflow overwrote code already marked as Execute?

Then it would pass from a data segment into a code segment. If it passes into a code segment, the processor will throw a general protection fault. The OS will catch the General Protection Fault and kill the program. Keep in mind that standard mallocs should only be returning data segments of memory. So (in theory) the overflow can't be writing to execute memory.

Re:I did RTFA

[LiquidCoooled]

thanks

Certainly sounds reasonable, but I thought GPFs were when you tried accessing memory outside the application space, as long as you stay within your applications memory you were ok?

Re:I did RTFA

You shouldn't have executable addres space marked as writable too.

NX (otherwise known as a per-page X bit) is merely adding hardware to enforce the requirement that writable memory shall not be executed, and that executable code shall ever be written to, and in an efficient and non-hackish manner.

If you know what you're doing (heck, even if you don't) you can still mprotect() your entire address space RWX, but you have to ask for that. At least this way you have a fighting chance of not getting holed before you apply your patches. Now you just get to deal with much more lame DoS conditions as some service quietly dumps core.

Re:I did RTFA

[AKAImBatman]

Basically, yes. A GPF occurs when the data is written outside of the currently selected segment. A new segment selector is required to write to a different segment. An execute-only segment tells the processor that a request for a write segment is invalid.

Also, GPFs are "General" protection faults. The concept itself is not tremendously descriptive on what circumstances it's thrown. Under Unix, they referred to it as a "segment violation".

Re:I did RTFA

[damium]

But interperted code usualy can get by this little "feature" since the code is not executed directly and is located in a data segment, a buffer overflow can rewrite the data containing the code. Thus buffer overflows are still a big problem because many applications (web-browsers, email clients, etc.) contain script languages.

Re:I did RTFA

[bobbotron]

OpenBSD really really supports it :) I went to a talk by Theo de Raadt at bsdcan this weekend, and about half the talk was about how they integrated this stuff into OpenBSD. Very informative, they're doing really interesting security work.

Re:I did RTFA

[fingerfucker]

Going just a bit next level, doesn't the way NX violations will be handled (exception/fault/or whatever you wanna call it) create an ideal opportunity for a DoS attack?

Re:I did RTFA

In A.D. 2004
h4x0r attempts was beginning.

Kernel: What happen ?
CPU: Somebody set up us the buffer overrun.
App: We get NX Exception.
Kernel: What !
App: Core dump begin.
Kernel: It's you !!
H4x: How are you gentlemen !!
H4x: All your security are belong to us.
H4x: You are on the way to destruction.
Kernel: What you say !!
H4x: You have no chance to survive make your time.
H4x: Ha Ha Ha Ha ....
App: Kernel !!
Kernel: Enable every 'NX Page'!!
Kernel: You know what you doing.
Kernel: Move 'NX Page'.
Kernel: For great justice.

Re:I did RTFA

[makomk]

So by using this you can make it nearly impossible to exploit buffer overflows in software. You'd have to find software that didn't set the bit. I can see no reason to do such a thing other than some kind of self modifying code buffer, and I would hope people would know better than that by now because if you implement that and let the user pass code, you're just ASKING for bugs.

Actually, there is one good reason for wanting to be able to execute code you've written to memory - JIT complilers which convert intermediate code (such as Java) to machine code for faster execution

How is this different?

[AKAImBatman]

Ok, maybe I don't get this. How is this different from marking a block of memory as data, not code? The real problem is that certain OSes mark all memory as both code and data. Sure, it's easier on the bookkeeping, but it allows buffer overflows. If data was kept in data segments, and code was kept in code segment, the worst that would happen is a corrupted data segment, and/or a General Protection Fault.

Re:How is this different?

[RuneB]

The OS isn't the problem, most OSes already keep code and data is separate segments. The problem is the x86 chip, which has no separate execute permission bit for memory, and assumes that anything that's readable is also executable. This makes it hard to protect random pages on the x86. The no-exec patches for x86 use various tricks to try and work around this limitation, but it's still not as good as having a separate execute bit per page of memory.

Re:How is this different?

[Da+Fokka]

Not making the distinction at the OS level surely makes implementing script languages and virtual machines a whole lot easier.

Re:How is this different?

[pavon]

It isn't any different.

The problem is that there are historical and legitimate reasons for executing "data" and so OSs allow it. I remember in CS 121 when we had to write a just-in-time x86 assembler. We read in the assembly code and generated byte code into an array. Then we just cast the array (pointer) as a function (pointer) and called it, like any other function. There are other cases where self-modifying code is used. This was in linux, so it isn't a problem with just "certain" OS's.

Furthermore, I may be wrong here, but I don't think the original x86 had the capability of marking code as data or code, so if that was done it was all in the OS. So the NX flag allows for a more secure way of providing this feature. Now it isn't a majic cure. One exploit that it doesn't fix is that overflows can still write to a string in the data section, which are then passed to system calls. But it is a smart policy, and I agree that it should have been done years ago.

Re:How is this different?

[AKAImBatman]

I still don't get it. So you allocate a section for code. It's initially marked as a read/write data or code segment (001b or 101b). Once the code is loaded, you mark it 100b (execute only) and it's 100% protected until you reallocate it. What's the problem here?

My understanding is that the real issue has been supporting self-morphing code. Since a lot of legacy code liked this performance trick (especially games), all segments were marked as data and code.

Re:How is this different?

[AKAImBatman]

The problem is that there are historical and legitimate reasons for executing "data" and so OSs allow it.

Which is where the NX flag won't help. You *still* need a way of telling the OS whether a segment should be executable or not. What the OS should allow is to allocate a data segment for code loading. Once loaded, a special kernel method is called to switch it to execute-only. That would support JITs, and prevent buffer overflows.


Furthermore, I may be wrong here, but I don't think the original x86 had the capability of marking code as data or code, so if that was done it was all in the OS.

The 8086 instruction set had no concept of memory protection. However, the 80386 introduced a full protected memory mode that was later extended by the 80486. Of course, back then everyone put one entry into the GDT (0-end) and set it to executable and data. Worked great for video games. It wasn't until someone got the bright idea of creating a protected mode OS for the PC (WOW!) that segment protection was used. Of course, they STILL didn't segment data and code. *grumble*

Re:How is this different?

[NetCow]

It's not that difficult to get a second descriptor table entry mapping the same memory area but marked as data, not code. Voila, write.

Re:How is this different?

[RuneB]

The x86 only has two bits per page, Readable and Writable. You can't mark a page of memory as readable without marking it as being executable, they are the same thing on the x86.

The no-exec stack patches use a huge sldgehammer to try and work around this limitation. All code is moved to the very bottom of the 32-bit address space, and the code segment is limited in size (normally all segments can see the entire address space.) However, it is not always possible to do this flawlessly, and many programs don't tolerate it well.

Re:How is this different?

[AKAImBatman]

The x86 only has two bits per page, Readable and Writable. You can't mark a page of memory as readable without marking it as being executable, they are the same thing on the x86.

But that's my point. You shouldn't *need* to make code memory readable. Mark it as 100b, and make sure that the only register that references it is the Instruction Pointer. The processor will still get its instructions, and the OS will be safe and happy.

Maybe I'm just being dense here. :-/

Re:How is this different?

[YU+Nicks+NE+Way]

What you're suggesting is irrelevant to the discussion at hand. Being able to create execute-only segments is fine for code, but doesn't really work for the stack. A thread's stack must be readable and writable by the process, right. Therefore, on an x86, was required to be executable. Oops -- that means you can jump to an address on the stack and run code there.

Re:How is this different?

[RuneB]

Well, all executable memory has to also be readable on the x86. :)

Re:How is this different?

[AKAImBatman]

A thread's stack must be readable and writable by the process, right. Therefore, on an x86, was required to be executable. Oops -- that means you can jump to an address on the stack and run code there.

Parsing...

Ok, I think I've got you now. Correct me if I'm wrong though, but isn't that a problem with the way that Windows executable are directly mapped to memory? IIRC, the SP register takes a selector. That selector should be able to point to any location in the GDT or LDT table. Hmmm... let me check my notes...

Re:How is this different?

[achurch]

Maybe I'm just being dense here. :-/

To clarify--what the parent is saying is that x86 doesn't have an execute protection bit (at least up until this "NX" thing). Therefore, you can't mark pages execute-only; your only choices are read (and execute) only, write only, read (and execute) and write, or nothing at all.

In any case, you're missing the point of the original discussion, which is that being able to write to executable pages is what's bad, and the x86, lacking an execute protection bit, can't prevent overflowed buffers in data and stack areas from being executed. I'm not sure what you'd gain from marking executable areas unreadable, and you'd undoubtedly break lots of programs that keep constant data (strings, etc.) in code space.

Re:How is this different?

[YU+Nicks+NE+Way]

[I]sn't that a problem with the way that Windows executable are directly mapped to memory?

Nope, although it might seem that it would matter. (BTW: absolute mapping of critical OS entry points is enforced in most operating systems. Invoking the loader to relocate OS entry points breaks a lot of things...like the loader itself.)

In this case, though, that's a red herring. The jump in most buffer overruns is into the stack itself. The BO allows the attacker to overwrite the return pointer -- and the stack starts at a fixed address, so the attacker can compute the address to return to. Yes, you could move the stack's root around, but that only reduces the probability of success of a single instance of an attack. It doesn't prevent the attack in all cases. Most attackers are willing to try thousands of times to make an attack succeed if that's what is required.

(And, again, there's nothing special about Windows here. Linux and even OpenBSD make the same choice. As I said, the actual security benefit of moving the stack is very limited. The perf consequences, by contrast, are drastic.)

Re:How is this different?

[AKAImBatman]

As I said, the actual security benefit of moving the stack is very limited. The perf consequences, by contrast, are drastic.

Ding, ding, ding! I think I've got it. You're saying that the stack is set to point to a relative address so that the CPU doesn't have to use a long pointer to access the stack. Use of a shorter pointer improves performance drastically because the CPU is saving itself quite a few lookups and offset computations. Right?

Re:How is this different?

[AKAImBatman]

No, wait, I've got it now. The return pointer. Ouch, how could I be so blind? I forgot the fact that an interrupt or subroutine stores the pointer on the stack. The only problem I see is, shouldn't his data still be in a data segment? And if the data segment is not executable, he shouldn't be able to return to it, should he?

Re:How is this different?

[AKAImBatman]

That is NOT what my Pentium manual says. My pentium manual (Section 3.2.3: Multi-segment Model) shows that a segment type breaks up into four bits. The first bit is Data or Code. The second bit is expand-down or conforming. The third byte is read/write access. The fourth is some useless "Access" flag to tell you if it's been accessed since you cleared the flag.

The manual says that you can have an execute only segment as long as you load the executable constants into some other segment. (Or alternatively, map a data segment over the constant pool.) You can have it executable and read only, but you can't write to it without a data segment mapped over the same location.

Now what I'm saying, is that the OS should delete the data segment after it's done loading the code. That way, the only access will be via the IP register and (optionally) read only access of the constants pool.

Re:How is this different?

[AKAImBatman]

We seem to have split the thread.

Re:How is this different?

[AKAImBatman]

Offtopic, but how does your dtach program differ from the bash "disown" command? The only thing I see is that it looks like you can reattach to a detached program. I'm not sure if you can do that with the "disown" command. (I'm afraid I never had a reason to.)

Re:How is this different?

[AKAImBatman]

BTW, here's the manual if you don't believe me. Section 3.2.3, Multi-segment Model. Scroll down to Section 3.4.3.1 to see the table of types.

Re:How is this different?

[AnotherBlackHat]

The problem is the x86 chip, which has no separate execute permission bit for memory...

Maybe not the 8086, but the entire family after the 186 has seperate CS and DS registers, and read and write protection on blocks.

On the 386 and later, it should be possible to put code in a seperate, unwriteable memory block, and limit the range of the CS to that block, and that block alone.

-- not a .sig

Re:How is this different?

[AKAImBatman]

Thank God! Another person who has actually READ the Intel Manuals!

Re:How is this different?

[RuneB]

Right, this segment-level protection is what the various no-execute patches do for x86. It isn't as easy to use as it looks, though, and there can only be one code segment at a time.

Modern OSes set up the code, data, and stack segments to point to the same region of memory, and programs expect to be able to access the entire 32-bit address space without needing special kinds of pointers (aka the joys of near, far, and huge pointers in old DOS programs.)

Thus, the only practical way to make the code segment non-executable is to try and move all code to the bottom of memory, and basically prevent the rest of the 32-bit address range from ever being executable. Many programs don't work under this restriction (such as programs that dynamically load or create code at runtime.)

What people are talking about here is the ability to mark any page in memory as being non-executable, which allows the OS to avoid using a huge sledgehammer to fix the problem.

Re:How is this different?

[RuneB]

Yes, reattaching to a running program is the primary function of dtach. You are not able to do that with the disown command. dtach also lets you attach multiple times to the same program.

Re:How is this different?

[AKAImBatman]

Fair enough. But that means that I'm correct in assuming that it's really a problem with Windows as opposed to a flaw in the x86 architecture. Obviously, it was very easy for Windows to simply memory map the executable instead of parsing and loading it. But that same decision is what has gotten us into the mess.

If Microsoft needs a new executable format, they should develop it. (Or just use ELF like everyone else.) However, I think they're a little too focused on the CLR right now to pay much attention to memory segmentation issues.

It isn't as easy to use as it looks, though, and there can only be one code segment at a time.

I assume you mean that there can only be one segment the CS register points to at a time, right? The processor still shouldn't let code write to a segment marked as execute only. And since the x86 processor uses segment selectors, it should be an easy rule to enforce.

JIT compiled code can be handled by creating both a data segment and code segment that point to the same address, writing the compiled code, then deleting the data segment. The remaining code segment should be well protected then. For more dynamic code, you can leave the data segment, but then you have to be careful that the segment selectors don't end up where they shouldn't be. One wrong pop off the stack and POW!, you're executing an overflowed buffer.

Don't get me wrong. The x86 is not that great of an architecture. When their own manual states that use of the task switching instructions is not recommended, you know that something is wrong. I just hate to see people claiming things about it that simply aren't true.

Re:How is this different?

[YU+Nicks+NE+Way]

The standard attack returns into the stack, not the heap. Now, stacks are page-based (they need to be paged in and out along with the threads they represent.) On x86 architectures, discrete execute protection is offered for sections, but not for pages.

Re:How is this different?

[Pogue+Mahone]

The main problem is not stopping your code from being overwritten, but stopping your data from being executed. Many (most? all?) buffer overrun expliots use the fact that arbitrary data can be written to the stack. So you overwrite the return address to make it return to somewhere in the stack, which you've also overwritten to contain a short stub program that lets the main exploit in.

Of course, real processors (powerpc, sparc etc.) have had this feature for years.

Re:How is this different?

If you check the hardware references of the x86, you'll find that there actually already was an execute bit since the 80286 (1982 ad), but on segment level.
The cause of the problem is the memory model. By combining code, data and stack to one (flat) segment, any byte in the process' address space can be code _and_ data.
Two ways to solve this problem; adding this bit to page level, or, use a different memory model.

How well will this work against VBScript viruses?

[netsharc]

Because, VBScript viruses come as source-code, and the script engine reads it and executes the functions that the commands want.

Or .exe attachments, I bet they will still work when the hapless user double-clicks on them.

Or ActiveX holes.. well this would be harder to exploit with the NX feature..

No execute?

Isn't that a feature of windows? As in when it issues a no execute when you try to run an executable then BSODs.

uh...

[wastedimage]

Call me crazy but who wants microsoft software to have anymore to do with their bios..Watch, within a month or two "a virus protection feature" will become an antipiracy/linux feature..

Not to mention the linux people will have to start on a new bluescreen screensaver...

So simple, we might as well do it.

[LostCluster]

Just so we're clear here... NX isn't any sort of DRM technology.

It's a pretty smart idea, moving the core concept of "file permissions" into the RAM addressing space. Simply put, if the chip has been told that a certain area of memory has been marked "No eXecute", and then the execution point somehow gets there, an error event is raised to the operating system and that process is killed.

Basically, it's an unreliable but better-than-nothing safety backstop behind unchecked buffers. If somebody manages to exploit a buffer overflow, there's a semi-random chance that the virus code might just crash into being allocated into another area marked NX, and when the execution point gets there the underlying application starts to crash.

Of course, any memory space intended for data and not code should be marked NX... are people going to be smart enough to actually do that when on hardward that supports it? Let's hope so... it'll at least limit the spread of worms.

Re:So simple, we might as well do it.

[steveha]

Basically, it's an unreliable but better-than-nothing safety backstop behind unchecked buffers. If somebody manages to exploit a buffer overflow, there's a semi-random chance that the virus code might just crash into being allocated into another area marked NX, and when the execution point gets there the underlying application starts to crash.

Oh, it's a bit better than that. I believe most buffer overrun exploits put code into the buffer overrun. If the buffer is allocated on the stack, and the buffer and the whole stack are non-execute, then the exploit code can't run.

If the buffer overrun cannot put in a code stub, then the best it can hope to do is to overwrite the stack data to send execution somewhere else. If you can do that right, you might have a local root exploit: you might be able to get the code to run a root shell for you or something.

But as far as I know, setting NX on all your variables and stack space would stop all the buffer overrun remote root attacks.

steveha

Re:So simple, we might as well do it.

[Cecil]

I am pretty sure you are wrong. A buffer overrun is a way of putting data PAST the end of your variable (which would be marked NX in your hypothetical scenario) into an about-to-be-executed chunk memory.

By definition, this about-to-be-executed memory has to NOT be marked NX, or the program could not execute its jump, and would have no way of meandering its way out of the function and back up the stack.

NX may be useful, but it won't end buffer overruns. There are only really two ways to do that: strn* or a better programming language.

Re:So simple, we might as well do it.

[Monkelectric]

into an about-to-be-executed chunk memory.

he was exactly right, you are a little right, but much less right then him :) Buffer Overflows work by overwriting the stack, then when the "return" portion of the return/call pair in the asm code that executes functions tries to get the return address from the stack, it has been overwritten and control is vectored to the new code sent to the stack, not the correct return address. An inability to execute code on the stack would stop buffer overflows from executing by crashing the program with some kind of protection fault, which would generally be preferable to being o3ned :)

Re:So simple, we might as well do it.

[csirac]

By definition, this about-to-be-executed memory has to NOT be marked NX, or the program could not execute its jump, and would have no way of meandering its way out of the function and back up the stack.

Actually I think he's right. I'm not familiar with x86 ASM, but on other CPUs a stack is a stack... if you can modify the stack, you can make an RTS in the existing code pull a bogus return address off the stack.

If I understand it correctly (I probably don't), stack space would almost always be marked NX anyway. So although we can still change program flow, the real trick is that we can't use memory allocated as stack space to hold the malicious code we want to run. We would have to find or allocate some non-NX memory for that.

Re:So simple, we might as well do it.

[steveha]

A buffer overrun is a way of putting data PAST the end of your variable (which would be marked NX in your hypothetical scenario) into an about-to-be-executed chunk memory.

That could be true, if the buffer were placed right before an executable chunk. But it never is. Variables are allocated on the stack, not in code space. Heap memory is often allocated near the stack, but again not in code space.

When a program calls a function, it stashes a return address on the stack. This address specifies where execution should resume after the function returns. If an exploit can overrun the stack, the exploit overruns this return address! So an exploit will fill a buffer, run off the end of the buffer, put an address on the stack right where it overwrites the return address of the current function, and possibly then overrun some more. If there is a function embedded in the overrun (either on top of the buffer, or after the return address) the address of that function is used to overwrite the return address. So when the function returns, that function runs. A small amount of code can act as a bootstrap loader that loads the rest of the exploit.

Here's a primer on how to write a basic stack smashing local root attack. I just found this with Google.

http://community.core-sdi.com/~juliano/htce.txt

Here's the text of a comment from the sample code:

filling up the end of the buffer with our shellcode which will be executed on the stack after the bof

Emphasis added by me. "executed on the stack"... in other words, this exploit would not work if the stack were marked NX, like I said.

Can you find me an article about how to execute a stack-smashing attack, where the exploit actually blows past the end of the stack or the heap and somehow winds up in normal code space? I have never heard of any such. Can you find even one example of the technique as you describe it?

steveha

Re:So simple, we might as well do it.

[YU+Nicks+NE+Way]

There are such attacks, but they are extremely subtle. Basically, instead of jumping to their own code on the stack, they write a different overflow which patches in a call to exec(). (Unix only, but on a Windows box, ShellExec will do just as well.) Hey presto, direct shell.

Re:So simple, we might as well do it.

[steveha]

But that's not what the OP said. He said that stack smashing attacks write past the stack, back into code space, so an NX protected stack won't save you. I said I've never heard of that.

In my original comment, I said:

If the buffer overrun cannot put in a code stub, then the best it can hope to do is to overwrite the stack data to send execution somewhere else. If you can do that right, you might have a local root exploit: you might be able to get the code to run a root shell for you or something.

Your "direct shell" attack is an example of this.

steveha

Re:So simple, we might as well do it.

[steveha]

Here's an even better tutorial on how to do buffer overrun attacks:

http://community.core-sdi.com/~juliano/exploit_tut orial.txt

steveha

Re:So simple, we might as well do it.

[mpe]

Basically, it's an unreliable but better-than-nothing safety backstop behind unchecked buffers. If somebody manages to exploit a buffer overflow, there's a semi-random chance that the virus code might just crash into being allocated into another area marked NX, and when the execution point gets there the underlying application starts to crash.

It is a lot easier for the virus writer to predict what will happen in a "binary monoculture". e.g. carefully crafting the attack so that it will hook into pre-existing code.

Of course, any memory space intended for data and not code should be marked NX... are people going to be smart enough to actually do that when on hardward that supports it?

Probably not when it is the same programmers who can't even understand file permissions and OS privileges.

Re:So simple, we might as well do it.

[hummassa]

unless you just adjust the stack with proper parameters and set the return address to something you know is in real code space and will work with said parameters.... mmm....

DRM?

[NETHED]

Yes, I RTFA, but can this be used as a DRM measure? If a piece of software is unsigned (as determined by the OS), the processor can be instructed to not execute. Someone smarter than me explain this.

Re:DRM?

[MonMotha]

As long as you still have access to "supervisor mode" on your processor (the context the kernel runs in), you'll be able to set the NX flag however you like. Basically, this means that without other measures to prevent you from loading kernel code, all this does is prevent buffer overflows in userland software (and possibly the kernel if the kernel decides to use it, which is probably a good thing).

Now, this isn't to say anything about other mechanisms which would prevent you from loading your own code onto a processor (which is what most of Microsoft's proposed DRM schemes do), but it could close off an avenue of bypassing that DRM (via poorly coded "trusted" software).

Expect intel to make a counter to this...

[User+956]

Just like Intel developed and implemented the Centrino spec which surrounds and supports the low-power Pentium M in order to compete in the wireless/ultraportable arena with products incorporating the Crusoe and the Efficieon, you can expect they'll have something up their sleeves with regards to this. I mean, it's not like they're just sittin' alone in their parents' basement watching Buffy reruns, and spanking it to naked Portman pictures.

Re:Expect intel to make a counter to this...

[jbuhler]

Thank you, Captain Obvious.

Re:Expect intel to make a counter to this...

[MBCook]

This is a counter to AMD adding NX to the Opteron/Athlon64 line of chips. Intel already countered that by announcing that it would have NX on it's chips (which it calls NE or ND or something) a few days ago.

Either way, it's nice to see everyone supporting this. Definatly seems like good technology to me.

Re:Expect intel to make a counter to this...

[Glasswire]

Intel already implements something similar in Itanium. Extended 32-bit architectures get it next.

Re:Expect intel to make a counter to this...

[Rick+and+Roll]

According to the reg, Intel will be calling it XD. I couldn't find anything about it on Intel's website. It is incredibly stupid, though. What a bunch of moronic jackasses, that refuse to give anyone else any credit for innovations in microprocessors.

I am typing this on what will likely be my last Intel system. Intel can bite my ass.

XP SP2 adds NX support

[Barlo_Mung_42]

I know you were attempting a joke. But to bring it back on topic:
http://www.microsoft.com/technet/prodtechn ol/winxp pro/maintain/sp2chngs.mspx

Re:XP SP2 adds NX support

Informitive?

We're sorry, but there is no Microsoft.com Web page matching your entry. It is possible that you typed the address incorrectly, or that the page no longer exists. You may wish to try another entry or to use the links below, which we hope will help provide you with the information you need.

Re:XP SP2 adds NX support

[tedu]

type it in without the space.

Anti-virus?

[__aagctu1952]

How exactly is this an anti-virus feature? Anti-buffer-overflow, yes. Anti-worm... well, maybe, but it'd be a bit of a stretch (anti-worm-based-on-buffer-overflow rather). Anti-virus? Hell no.

I just love tech journalism...

Re:Anti-virus?

[26199]

Easy. It will give Windows a file system "executable" bit, you know, the one which other operating systems have had for decades, then alter all the software that's already out there to use it.

It's a very clever piece of engineering.

Re:Anti-virus?

[MBCook]

What about viruses that attach themselves to the end of things like Word files. Now I'm talking real viruses (not Macro viruses) that use x86 code. By marking the area of memory the Word file is loaded into with the NX bit, no error in the file format or otherwise could ever be exploited to allow running of that code because the CPU would catch it and throw an exception.

It won't help people who open a program they think let's them download free porn but is actually a virus, but it could help stop viruses that exploit problems with how files are handled by programs that attach their code somewhere in the file data.

Re:Anti-virus?

[krumms]

Think self-modifying code. If you make it so that viruses can't change themselves in-memory, you've just made polymorphic viruses a whole lot more difficult.

Unfortunately this means other, legitimate self-modifying code may also have issues ...

Re:Anti-virus?

[makomk]

Think self-modifying code. If you make it so that viruses can't change themselves in-memory, you've just made polymorphic viruses a whole lot more difficult.

IANA virus writer, but I don't think polymorphic viruses modify the copy in memory - I think they just infect programs with a modfied version

Re:Anti-virus?

[mosschops]

Unfortunately this means other, legitimate self-modifying code may also have issues ..

We've already updated our software to handle this... It just requires allocating any self-modifying blocks with VirtualAlloc() instead of using a regular heap block, telling it the block is read/write/execute, and ideally removing the write ability if the block is static from that point on. You can even use VirtualProtect() to alter the page protection on existing blocks, which could be used to enable execution on the heap area (nasty hack!)

See the MSDN article for more details.

OpenBSD

I hope they consider sending one to the OpenBSD project -- considering OpenBSD has been sort of a pioneer in this kind of buffer-overflow protection (the first and only OS so far to include it by default, and have done so for about 1.5 years now).
It would seem like a logical (and swell) thing for Transmeta to do

OpenBSD W^X

[mph]

Doesn't OpenBSD already provide this functionality, on existing i386 processors?

Re:OpenBSD W^X

[CTho9305]

Yes, but it's using segments, which are separate from regular virtual memory and paging. This will be easier for OS developers to use, and will be cross platform (at least with other architectures that support NX... sparc, etc). Segments are an x86-only feature.

Re:How well will this work against VBScript viruse

Because, VBScript viruses come as source-code, and the script engine reads it and executes the functions that the commands want.

Or .exe attachments, I bet they will still work when the hapless user double-clicks on them.

Short answer, it won't.

Let me guess...

[mikeophile]

The "no execute" function is a subset of a call from a governor.

Re:Let me guess...

When Governor's Location!=Texas

Re:Let me guess...

Could you do something for me? Ask your wife to say hello to BSD. You know, when she's dead.

Re:Let me guess...

You're still married? I heard you divorced. I guess she couldn't wait for the 'till death do you part' stuff.

compiled

[Stevyn]

doesn't this required the software to be rewritten to use it? I think it would make much more sense if NX were replaced with something in the os that didn't automatically allow software to be installed by clicking "OK" on some web page. Even though it's annoying to have to type in the root password constantly in Linux, it's a hell of a lot easier than reformatting and reinstalling as I've done for too many people. Even if the computer is operated by one user, this requirement of the root password still makes them more aware that something is about to modify their system. Those activeX dialog boxes in IE make it seem like gator is a new and exciting feature and that's why people install it so much.

Re:compiled

[getnate]

I am pretty sure you dont need to recompile code to use NX, the OS allocates stack space to your program and hence knows what data to flag as NX. Now, if your program executes code on the stack by design, then you will have a problem. Nate

Failure ?

[polyp2000]

Transmeta To Add 'NX' Antivirus Feature To Forthcoming Chips?

Is it me or does this sound like a tremendous failure on the part of operating system vendors, in that this has to be implemented in hardware?

Im sure its more secure but hell, I think this could in the end lead to more complacency in software design. "No need to bother writing secure code cus new chips will have NX technology?" I personally dont even think this will be enough when it comes to the track record of Microsoft anyway.

nick ...

Re:Failure ?

It's sort of the "security in layers" idea... Of course you shouldn't allow buffer overflows in your code, but it does happen (that's the "nobody's perfect" idea :) ) So now, when a programmer misses something, the hardware is there to help out.

Re:Failure ?

[bersl2]

"No need to bother writing secure code cus new chips will have NX technology?"

I don't think that this segment of the programming population falls into those kind of pitfalls very often.

I know at least one other post called it a "fallback" measure, which sounds about right. It's a third line of defense against buffer overflows and the like (the first being good programming practices, the second being things like libsafe).

Sure, it is also helpful towards Microsoft; I can see how it restricts circumvention of DRM. But there are always other ways around. If you overflow into a buffer not protected by NX, you still have arbitrary code execution on your hands.

Of course, this is just what I get from the other posts and intuition. It's not like I RTFA or anything...

Re:Failure ?

[hchaos]

Is it me or does this sound like a tremendous failure on the part of operating system vendors, in that this has to be implemented in hardware?

It's just you. The reality is that there is a tremendous failure on the part of the hardware vendors that would require this to be done in software.

Here's why:

• To implement this in the OS requires that the OS look up the value of the instruction pointer in an NX table every time it changes pages (assuming that the NX flag operates on a page basis), which would add several clock cycles to every JMP/JR/CALL instruction, and would significantly decrease performance.
• If a basic feature such as this one needs to be implemented by every operating system, it makes more sense to implement it via hardware (the applicable cliche being "Don't reinvent the wheel").

Im sure its more secure but hell, I think this could in the end lead to more complacency in software design. "No need to bother writing secure code cus new chips will have NX technology?"

Alternatively, if resources don't have to be dedicated to fixing this problem, those resources can be devoted to fixing other problems. This argument is a little like the argument that, if I want to lose weight, I shouldn't exersize, because I might become complacent about what I eat.

Re:Failure ?

[bergeron76]

The parent post is actually one of the most insightful posts that I've read on /. as of late.

The very fact that DRM "consumes valuable resources" and doesn't provide an IMMEDIATE payoff will, by definition, lead to the corporate worlds de-railment of it. The corporate world has a nasty habit of wanting PERFORMANCE AND PROTECTION while simultaneously subverting "valid" methods of attaining this goal (ie: Clean, Secure, and Safe code, etc). Most corporations want more, but aren't willing to pay for it. As a result, they have no choice but to assault our basic consumer rights (and civil liberties) via their lobbyists in Washington.

Your post hits the nail on the head - much like digital music, the GENIE is out of the bottle. DRM could fail because it will require a performance hit that the corporate world probably isn't willing to take.

Still useful

[bcore]

Malicious VBScript and unsafe .exe files are pretty easy to avoid in the first place though. Where this would come in handy is for things like maliciously crafted data files that exploit buffer overruns in software, and service exploits like the ones used by Sasser and other internet worms..

Re:How well will this work against VBScript viruse

Or ActiveX holes.. well this would be harder to exploit with the NX feature..

Oh come on, why did you say that? You act like you know what you are talking about, but clearly don't. This is all about buffer overflows, not viruses. Sure, the editors don't have a clue either, but thats no excuse.

If you don't know what an article is about, just don't post. And to the people who moderated this up, shame on you!

Re:How well will this work against VBScript viruse

[LostCluster]

It won't. So long as the user insists on granting run permission to something they shouldn't run, it's gonna run.

This only works when the problem is when something is trying to apply the buffer exploit way of taking over the execution point.

Still... just because it doesn't cure cancer is no reason to throw out a cure for the common cold.

Does Transmeta have a future?

[mst76]

It's common knowledge that their older Crusoe processors had rather unimpressive performance. They had a small niche in energy-efficient computing, but even there they didn't appear much better than the ULV Tualatin mobile-P3s to me. Recently I read some claims that their new Efficeon would perform almost on P-M levels. But the first real benchmarks I found tells a complete different story. From the conclusion:

Unfortunately, the efficeon is a staggering failure by nearly every measure.

Performance is unambiguously lackluster. In fact, efficeon is only slightly faster than Crusoe. If it weren't for the other Transmeta products and the 366MHz AMD Geode, thrown in for comic relief, the Crusoe would be dead last even when compared to the miniscule VIA C3.

Given this, is there any hope left for the company?

Re:Does Transmeta have a future?

B..But Linus Torvalds works for Transmeta, so we HAVE to support them no matter how pathetic and lackluster their product line is. Sir, why do you hate open source so much?

Re:Does Transmeta have a future?

Linus left Transmeta a while ago so now we can diss them all we want.

Re:Does Transmeta have a future?

ok Transmeta does get a bit hurt by these benchmarks that these hardware companies post, but Guys, correct me if I am wrong, but isn't the whole beauty behind Transmeta's technology the fact that the processor emulates the instruction set?? meaning it can be x86, RISC, etc?....and a small tradeoff in speed is a major leap forward in architecture independence?

Re:Does Transmeta have a future?

[MrScience]

Not only that... but weren't their chips supposed to be morphable? I mean, I would have thought htis NX this was right up their alley. "Download this patch, and our dynamic chip will now support No-Execute flags."

What happened?

why no NX on IA-32?

[jonwil]

Why hasnt intel or AMD added NX to IA-32?

Re:why no NX on IA-32?

IA32 is dead.

Re:why no NX on IA-32?

[DA-MAN]

As I understand it, the IA-32 architecture does not support NX. I don't think you could just tack it on as an afterthought and have it work.

There are some kernel patches such as grsecurity which do emulate this functionality in the kernel, but that brings performance down.

x86 can not do that

[r00t]

You don't get the three rwx bits on x86. You only
get three states:

1. rwx
2. r-x
3. ---

That's it. With the NX feature, you also get:

4. rw-
5. r--

The OS is stuck mapping your desired permission
bits to what the hardware offers.

Self-modifying code causes trouble when you
enable the NX feature for old binaries. There
are ways to work around this, by marking your
executables as NX-compatible or not.

I don't understand

[gerardrj]

Granted, I haven't really paid much attention or done any research on this no-execute flag, but it seems to operate within the data structures of a program such that you can flag a structure, memory block or references to it as non-executable.

If that's the case they how effective can this really be at stopping buffer overflow attacks, we still need to rely on the programmers to tag every data structure as non executable (and that isn't easy). We're talking about the same programmers who don't validate input data or put limits on it.

So basically, fixing a human problem in hardware is no solution. no?

Or is it that by default, nothing is executable unless you specifically tag it to be, so that the system by default won't run anything it loads?

Re:I don't understand

[spacefrog]

Simple, in most cases this should be able to be handled at the compiler level.

I suppose (and this is 100% hypothetical) that there might be very rare situations where the programmer will need to be able to override, but so be it.

Re:I don't understand

The OS already knows what parts are executable and what parts are data. The OS can tag them when the program is loaded. Then it would be enforced by the hardware.

No recompiling necessary but your OS must support NX flagging.

Re:I don't understand

[irix]

You will have to rely on the programmers of your O/S - they take care of it. This is a fix for a specific kind of buffer overflow, and something that has been present on some non-x86 architectures (Sparc, Alpha) for some time.

This is primarily used to stop 'stack smashing' buffer overflows where the the inital code that is executed is part of the overflowed buffer on the stack. Read this and imagine that you can't execute the shellcode that you have placed on to stack memory via the overflow.

Re:I don't understand

[gerardrj]

But my point is there are checks that can be performed currently that would avoid these stack smashes. If I can't rely on the programmers to do those checks now, why should I rely on them to properly set this NX bit where and when needed?

Re:I don't understand

[bunnyman]

Granted, I haven't really paid much attention or done any research on this no-execute flag, but it seems to operate within the data structures of a program such that you can flag a structure, memory block or references to it as non-executable.

No.

All memory with data is marked as NX automatically by the compiler. The programmer does not do a thing. Only memory with actual code is executable, and it is marked as read-only so it won't be corrupted. This guarantees that the CPU will only execute code that is legitmately part of the program, and never code that is part of a buffer overflow attack.

Re:I don't understand

[gerardrj]

So self modifying code is no longer an option? Once a program is loaded from disk, the executable can not change?

How does the compiler know for certain what is code and what is data in today's extremely complex programming environments. This "automatically" stuff has proven to be quite unreliable in the past.

What happens when data overflows the boundary in to executable program space, does the data outside the "safe" area then become executable? Isn't that the problem they were attempting to solve?

Re:I don't understand

[Rick+and+Roll]

Well, the whole point of the NX bit is to allow the people who already write this code to express their demand in a way that can be better enforced, and is also simpler and more convenient. The people you are talking about, that already figured out another way to prevent stack smashes, clamoured for this. OpenBSD already uses this hardware-level functionality on architectures where it is available.

Re:I don't understand

[bunnyman]

Self-modifying code is a thing of the past, a hack to try deal with not having virtual memory. There is no reason to modify code in memory anymore. The read-only bit and the no-execute bit are two separate bits; one does not imply the other.

In fact, self-modifying code isn't always allowed, or if it is, then then processor has to reload the i-cache. Some CPUs have an instruction cache separate from the data cache, and self-modifying code complicates this situation.

The compiler knows what is code simply because it is the job of the compiler to create that code. That's what compilers do. The executable file format (on Linux it is called ELF, for Win32 it is COFF) has sections that are marked code or data (along with other types for debugging, linking, or other information). These have always been there, it has nothing to do with the NX flag.

For things like the JVM or .NET runtime, where code is generated on-the-fly, the memory can be specifically marked by the JIT as execute-allowed. On unix, this is done by calling mprotect() and on Win32 by calling VirtualProtect()

If a data buffer overflows, it is unlikely that it would overwrite the code, as they are separated in memory. The way a buffer overflow attack works is that machine code is input into a buffer, which is located on the stack. Also on the stack is the return address, which is supposed to be the address of the code that called the currently running code. By writing past the end of the buffer, this address can be changed to the address of the code in that buffer. When the code returns, it goes to that address and executes code in that buffer. If the stack is marked NX, then the code doesn't execute, and the program crashes. It is better to have a crash than to run the bad guys' code.

Re:I don't understand

[irix]

If I can't rely on the programmers to do those checks now, why should I rely on them to properly set this NX bit where and when needed?

Currently you have to rely on every idiot with a text editor and a compiler not to do something stupid like strcpy() dynamic data into a fixed size buffer on the stack. We are talking millions of programmers, and inevitably there are mistakes.

With the NX flag, you have to rely on a few dozen people implementing your O/S to make this work correctly with the stack. It isn't terribly complex, and it is only implemented in one place so it is easy to test. After that the idiots with the text editors and compilers can leave open as many stack overflows as they like and it won't lead to an exploit.

Would you rather rely anyone off the street who can afford "C for dummies" or the handful of people who develop the memory management code for your operating system?

Haven't Intel processors had this for YEARS?

[callipygian-showsyst]

IIRC, from the original '386 architechture forward, a segment can be marked as data or execute. For example, see this reference

I wonder why Intel is unable to use this functionality in conjunction with the current version of Windows to prevent introducing executable code via stack overflows?

Re:Haven't Intel processors had this for YEARS?

[getnate]

That reference does not mention marking something as NOT execute. I think the document does not go into enought detail in permissions. I saw a mention above and someone wrote that if the CPU could read the data, it could execute it. If that is correct then setting data/read-only on a segment does not preculde it execution. -Nate

Re:Haven't Intel processors had this for YEARS?

I've had the same confusion as you; the document you reference agrees with what I recall from the I386 book I read years ago, and contradicts what people are saying above about only r/w access bits...

The only caveat I can think of, is that _maybe_ this new NX bit operates at a page level rather than a segment level. It may not be too uncommon to just let code,data,stack reside in one big, overlapped segment and rely on pages for memory management instead. Not good design, perhaps, but convenient sometimes.

But, I haven't needed to touch x86 assembly since I stopped using (real-mode) DOS, years ago. I gave up on trying protected mode after a week of writing code that did nothing but hang my computer.

Re:Haven't Intel processors had this for YEARS?

Yes, the x86 architecture specifies segment permissions for code-only, code-data (read only), or data-only (read-write).

Unfortunately, operating systems didn't like manipulating segments, so they started using
"flat" segments, sized to the full 4GB of 32-bit space, without any of the protection features offered.

This was part of "protected mode", back from 386 days, circa 1985.

These days, every operating systems uses vitual memory paging attributes, which do have read-only or read-write and user/supervisor permissions, but no execute-only.

So now we add it back in! (AMD, Intel, and Transmeta are implementing the same standard, and it's so simple that it's not worth arguing over who invented it or came out with it first.)

Linky

[M.C.+Hampster]

http://www.microsoft.com/technet/prodtechnol/winxp pro/maintain/sp2chngs.mspx

ok, i see part of this...

[ecalkin]

nx is a flag on a page (or block) of memory that indicates to the processor that i shouldn't be executed (page address not loaded into the ip?)

i can see that this would help catch some programming errors in a similar fashion to marking page 0 as read only (this catches all the bad offset references and unassigned pointer references). of course this would only really work if your compiler marked memory nx in a proper fashion.

i can see how this might help prevent buffer overflow attacks (worms), except that code should be marked read-only anyway... i'm kinda iffy on this.

but how in the world is this going to do anything to prevent a viral attack?

eric

Re:ok, i see part of this...

[miu]

but how in the world is this going to do anything to prevent a viral attack?

Some users don't run an account with admin privileges full time, this NX bit helps prevent a trojan or virus from using IPC to the local machine to escalate its privs.

Users do not think of worms and viruses as being different things. Since this NX bit removes remote buffer overflows as an attack vector for worms that qualifies as an anti-virus feature as far as marketing is concerned.

OpenBSD W^X is weaker

[r00t]

OpenBSD is taking advantage of an old x86 feature.
On the i386, you can place an upper limit on the
memory addresses that are executable. You can't
pick and choose which parts of memory are executable
with this; all you can do is divide memory into
two parts and get no-execute on one of those parts.

OpenBSD can try to place pages of code low and all
other pages high, in order to maximize the amount
of memory with no-execute protection. The protection
gets lost if you simply mark just one high-address
page executable. With NX, you can keep protection
on all the other pages.

Re:OpenBSD W^X is weaker

It isn't true to say W^X is weaker -- only the i386 (and PPC) versions are *weaker* because the chip doesn't have the ability to protect individual pages. On architectures with this feature, OpenBSD takes full advantage.

Data General & the obscure Motorola 88000-seri

[mosel-saar-ruwer]

Hmm I may be totally wrong here, but ain't this NO EXECUTE thing a responsibility of the operating system?!? Why implement this at the hardware level, besides "making windows more secure"?

Everyone and his brother has heard of the old Motorola 68000 series [it powered the old Macs, and Jobs used the 68040 to power his NeXTSTATIONs and NeXTCUBEs], but Motorola had a very obscure successor to the 68000-series, called the 88000-series, which had a non-von Neumannian Harvard architecture, i.e. it separated the machine code and the data code into two separate physical locations.

Data General built some old multi-processing AViiONs on 88000-series hardware in the late eighties/early nineties time frame; every so often you'll see one for sale on eBay.

Just goes to show that technological leadership is never any guarantee of marketplace leadership - x86 hardware is only now getting some of the features that Data General and Motorola were peddling [without much success] about fifteen years ago.

PS: A number of the guys at Data General who had worked on the gcc 88000-series port ended up over at Red Hat & Cygwin.

NX - Nitrous Express?!?!

[sickmtbnutcase]

Man, these chips are gonna fly...till the bottle runs empty. Oh, wait, I should go read first.

Re:How well will this work against VBScript viruse

[Deraj+DeZine]

Transmeta has cured the common cold? I believe a Nobel Prize is in order!

WTF

why do people get to have such long urls for their homepage with no space to break it up. page wideners suck.

Linus at Microsoft?

> Transmeta will provide advance versions of
> Efficeon-based systems with NX support to
> Microsoft for testing. Hope Linus get a few too,
> even if he's no longer working there.

Linus works at Microsoft? Since when?

Re:Linus at Microsoft?

[tmillard]

Did you see a period?

mod parent down

[krumms]

NX is not an instruction, it's a flag. Think in terms of the Evil Bit. A boolean value saying "No, this bit of data is not executable".

Has nothing at all to do with instructions, except that you can't execute instructions in a data segment with the NX bit set.

Re:mod parent down

[Too+Much+Noise]

Actually, it's per page, not per segment. Segments had an exec flag from 32bit day one and this was the card Intel hoped people would play[*]; they were mostly wrong though, the segment-level protection did not get used so much.

[*] there are several such examples of stuff in the hardware that never got used on x86 - full use of privilege level granularity comes to mind; afair one of the reasons invoked against all these goodies Intel came with was portability.

Transmeta hired Babayan's student instead of him..

[hansreiser]

Boris Babayan is a Russian chip architect who has never gotten the funding (tens of millions at least are needed these days) to adequately pursue a whole set of interesting ideas of his. He is the guy behind Elbrus, the interesting Russian CPU that never materializes because the money never happens.

Transmeta seems to be based on hiring one of his students, and implementing some version of Babayan's many ideas. Code morphing, protecting code from going out of bounds in hardware, these ideas are originally Babayan's. Maybe they should hire the master not the student, and then things might actually work. It is always sad when people don't realize the students are often not a good substitute for the original. It would be really nice to see Babayan get a shot at doing something in reality.

Of course, I say this without ever having met said student, and I am biased because I did meet Babayan and was personally impressed by him, so take this all with a grain of salt. Maybe I would be equally impressed by the student. Sure would be nice to see Babayan get a try at it though.

Efficeon IS AN amd64 emulator READ THE SPECS

If you remember the Efficeon is basically a 254bit CPU emulating an amd64 4x/clock (the older transmeta - crusoe - used to be a 128bit chip emulating a p6 4x/clock. It also will have the same built in memory controller, and will use nvidia nforce3 chipsets (that will bring the long awaited agp support to transmeta cpus).
This is not new news, old since it has been released that the new transmeta will emulate the amd64, and have memory controller on die, as well be pinn compatible with amd64 so it is kind of expected to do the other tricks as well...

Why Hardware Anti-Virus?

[tmillard]

If its as good as most BIOS's its trash.

Re:Motherboards! Please!

Duh, build an Althon64 system. Althon64 and Opteron already support NX. MicroATX boards are available... As Nike once told me, Just Do It.

This would certainly be a much better system than the crappy Efficeon could ever hope to be. All of Transmeta's stuff has had lackluster performance (worse than VIA's crap).

Sure.

[pb]

The new Efficeon isn't top-of-the-line by any standards, but it isn't dead yet either. Don't believe everything Van's Hardware says about Transmeta, or even about CPUs in general.

For example, he also fails to mention that the C3 does AES (and only AES) in hardware. He seems somewhat surprised at its AES performance in his (suspiciously chosen) AES benchmark, despite the fact that he works for them (Centaur)...

And we only had to wait 7 years

Back in 1997, Solar Designer released a kernel patch which marked the stack in linux as non-executable. However, the x86 processor did not allow individual pages to be marked as non-execute, which prevented marking non-stack
data segments as non-executable.

There were some problems with GCC's generation of executable code on the stack for (non-standard C) calls to nested functions. The workaround for
that weakened the security of the patch a bit.
And there may occassionally be valid reasons to write self-modifying code; hopefully, those can
be done in a special segment that doesn't have
its execute permission revoked by the loader.

http://www.openwall.com/linux/FAQ.shtml

Re:Data General & the obscure Motorola 88000-s

[nacturation]

Just goes to show that technological leadership is never any guarantee of marketplace leadership - x86 hardware is only now getting some of the features that Data General and Motorola were peddling [without much success] about fifteen years ago.

Completely unrelated to this is the fact that patents last only seventeen years. I'm sure it's a coincidence though.

DRM?

From what I've heard, only Windows uses this 'anti-virus' feature. What do you think the chances are that it's just yet more M$ DRM being snuck in at the hardware layer under the pretence of increased security?

Quick tutorial: code/data, buffer exploits, OS,MMU

[stienman]

Ok, the whole problem started with two decisions.

* Usage of a von Neumann architecture

* Storing call stack in buffer space

And it blossomed from there.

A von Neumann architecture keeps code and data in the same memory space. This means that the CPU can treat anything in memory as code or data - it doesn't care. Further, the software stack which stores temporary variables and return addresses (where to return when a function is complete) is also stored in this same memory area which can be executed. These two decisions provide great flexibility and power in memory management, but with great power comes great responsability.

So a buffer exploit happens like this:
A function is called.
The current address of program execution is stored on the stack.
Any variables the function uses are also stored on the stack after the return address.
Typically stacks grow down from the top of memory and code is stored at the bottom of the memory space.
Then function execution begins.

However, arrays stored in the stack grow upward.
If you store a return address, then put an array right after it of, say, 32 integers, then the 33rd integer is the return address of the code that should be executed when the function completes.
If you store code in the array, then change the return address (at location 33 in the array) to point to the bottom of the array you have your own little function running instead of what the program author intended. Obviously a program that prevents itself from writing outside its own array bounds does not suffer from this particular problem.

The CPU already has an MMU which tracks memory reads and writes into sections of memory called pages. The idea is that the OS can be called if the program accesses memory that is stored on disk, the OS can restore the memory, then it can return to the program. However the OS cannot tell whether the CPU is asking for paged memory because it wants to execute it or merely store/read data in it. Further, the OS may not called at all if the page is in memory since most page faults occur only when memory is on the disk.

The no execute bit is added to each page that the MMU manages. When a program needs more stack space it asks the OS for another page of memory, and the OS, knowing that it's data and not code, sets the NX bit. Then the CPU can report to the OS whenever the program jumps to an address inside the data area, trying to execute that memory as code.

This does NOT eliminate buffer overflows, but it can prevent code execution via overflows. Further, since the OS manages the program stack (for the most part, sometimes through libraries so a recompile may be necessary) then programmer interaction or changes are not needed to make individual programs work under this new system.

Lastly, most OSs prevent writing to code locations (ie, you have to jump through hoops as a programmer if you want your program to self modify its own code as in genetic programming) so by preventing writes to code locations, and preventing execution from data locations then you've eliminated every method that a person could cause the computer to run code that the programmer did not intend to run. This means that further exploits are due directly to the programmer adding code which, for instance, provides an interpreter in their own program (such as with VBScript, Perl, any interpreted language by itself or inside a program) or explicitly sets up an insecure area where code and data can mix and be executed.

-Adam

Scheme

This wouldn't work w/ a language like scheme. Procedures are frequently created and/or modified at runtime.

Re:Scheme

[cbiffle]

Or, a more mainstream example: one of the main problems with W^X or NX arrangements of late has been Java JIT compilers.

After all, the entire point of a (fast) Java implementation is that it's periodically rewriting its code based on profiling data. That's awfully hard for the hardware to distinguish from a good ol' buffer overflow.

Re:Scheme

Scheme uses byte-code, so it has nothing with processor. And, after all, it's safe agains buffer overlows :)

Vadim

Re:Scheme

That depends on the implementation. Unfortunately most Scheme implementations are interpreted, but at least Chez Scheme follows the tradition of dynamically compiled lisp implementations, where every function definition results in new machine code being compiled to newly allocated memory. These code vectors are handled by the garbage collector like any other data structure, soyou would basically have to rewrite the garbage collector to keep code vectors in a separate executable memory pool, or disable the NX bit completely.

how would you recover from this...

if you get an overflow on nx page, and the system response is to kill that process, what does that mean for your application? does this mean you should be writing seperate processes for any potentially vulnerable parts of the application so the whole thing doesn't crash? what about in a server situation and your app gets showered with the exploits, dumping all your processes before they can do anything useful?

if the overflow on the nx page DOESN'T kill the process then you need to have some exception code to get the process back to a useable state, which is sizeable itself, if a bunch of processes are doing this all at once...

and how about single process applications? does this mean you can't use non-blocking io any more becasue one exploit will bring it down?

ok, so it is failfast, which can prevent some one running malicious code, but it doesn't give you instant perfect code.

problem: our software is flawed
solution: throw some hardware at it

Re:how would you recover from this...

[vadim_t]

The application should simply crash, and stop executing completely. Alternatively, you could get it restarted from the beginning.

Think of it, your program segfaulted because somehow the CPU tried to execute something that was marked as "don't execute". How do you recover from that? It should be pretty clear that either it's a bug, or an exploit, and in both cases it makes little sense to recover since there's no guarantee that you can get the program back to a good state.

The solution to make stable programs is to write them in some language that's not exploitable. If you can't overflow a buffer, or somehow force the program to try to execute something you want, then this mechanism will not be used, and your program remain running.

Those are viruses, they are trojan horses

[xswl0931]

Viruses require a process host, vbscripts, exe, etc.. run in their own process. They are trojans as they pretend to be something else to entice people to execute them. I don't know why it's so hard for people to get the terminology correct.

JIT

[tepples]

I suppose (and this is 100% hypothetical) that there might be very rare situations where the programmer will need to be able to override

Have you run a Java applet in the last week? If so, you've needed to override it. Just-in-time recompilers such as those for the Java and .NET platforms use self-modifying code by necessity.

Re:JIT

[CTachyon]

It's called mprotect(2). The program that wants to turn data into code just asks the OS nicely.

Unfortunately, I can think of at least one exploit for a no-exec stack. The attacker overflows a buffer with his exploit code, tacking on the following stack:

(top of stack)
(local variables allocated after the buffer)
cc cc cc cc cc cc ... - Exploit code overwriting local variables
xx xx xx xx - Return address for exploited function (start of mprotect(2) in libc)
xx xx xx xx - Return for mprotect(2) call (start of exploit)
xx xx xx xx - <i>addr</i> parameter (start of stack)
xx xx xx xx - <i>len</i> parameter (size of stack)
07 00 00 00 - <i>prot</i> parameter (R+W+X)

Re:Motherboards! Please!

[steveha]

Duh, build an Althon64 system.

Did you see the part where I said I wanted it to be silent? As in, passive heatsink only? Athlon64 need not apply.

That said, my next desktop computer will be an Athlon64, because I can make it pretty quiet and it will run Doom III pretty well. I'd just like to have another computer that's silent, and use that for email and such. Then I can power down the Athlon64 when I'm in the mood for total silence (and not playing Doom III).

By the way, you say "VIA's crap" but I really love my tiny, quiet little Mini-ITX servers with VIA C3 chips. Great for email servers, file servers, etc.

Not every computer needs to run Doom III.
steveha

Finally...

[rdean400]

High-end systems like the IBM AS/400..err, iSeri..err, i5 have had no execute protection for decades. If it's not tagged as a program, it's not executable.

Re:Motherboards! Please!

Underclock the Athlon, run a huge heatsink, run a quiet fan at a low voltage. Almost no sound; certainly much quieter than any hard-drive I've been able to find (Seagate Barracuda being the quietest).

A completely passive system doesn't buy you anything if you run a hard-drive.

Re:Data General & the obscure Motorola 88000-s

[ksheff]

The Dept of Interior got a deal of some sort on those around '90 and they could buy them like candy. They were good, solid machines. A lot of the standard Unix programs on them were actually from the GNU project.

You're still missing the point

[achurch]

Code segments are already read-only (unless you're doing self-modifying code, which is a separate issue entirely). The problem is that data segments, which must be writable for obvious reasons, can't be marked non-executable. At least, I don't see anything in the document you linked to saying code in data segments can't be executed, and I suspect if it was possible to prevent execution then someone would have done it long ago.

Incidentally, at least some common compilers (GCC, for instance--I just checked) scatter constants throughout the code segment, so there's no such thing as a "constants pool". You need read access to the code segment, period.

Re:Quick tutorial: code/data, buffer exploits, OS,

Ok, the whole problem started with two decisions.

* Usage of a von Neumann architecture

* Storing call stack in buffer space

And it blossomed from there.

Which is very similar to how the US phone system used to work. Originally, calls were routed using "in-band" information. Basically, a series of tones that the switches would spit onto the voice circuit to tell the next switch down the line the who/what/where to send the call.

Needless to say, easily exploited by the phone phreakers of the day.

So the phone system was redesigned to put all control communications "out-of-band", making phreaking not possible because the voice circuit was no longer listened to for control signals.

Fast-forward 30 years and we find that the computer folks weren't paying attention to that particular lesson.

Wow!

[steveha]

Wow -- that was my first post ever to be modded down to -1. And I wasn't even trying!

That will sure teach me to talk about Efficeon motherboards when the topic is Efficeon chips. I have learned my lesson. I am a changed man.

steveha

Re:Wow!

Read the subject of the thread. OK, you're too lazy (or maybe too dense?), here:

"Transmeta To Add 'NX' Antivirus Feature To Chips"

Re:Motherboards! Please!

[steveha]

Load in a gigabyte of RAM, and set up a network boot from one of my VIA C3 servers. No hard drive. It would work just fine for email and web browsing, and playing tunes and DVDs.

steveha

NOPs take up time & space

NOPs take up time and space.

Used to fill address space or occupy processor time until an interrupt.

This in important to timing issues and content of nonexistant memory issues (the interpretation of all ones or all zeros plays a part in the second issue.)

A NOP that literally did nothing - was skipped - would be useless as an assembly instruction.

Change the ISA encoding. Random ISA codings.

[hedley]

Imagine a Transmeta style firm that can on the fly create microcode for the CPU. You select a random# on microcode creation. Your GNU toolchain then retargets gas to the coding on the ISA. (lets say its x86 permuted in a random way). Now since gas (and binutils) now know the codings a kernel can be built. The kernel, the webserver, RPC statd, whatever are all built using the custom toolchain. Now inject a Linux x86 worm and voila General Protection Fault.

Good luck creating a worm for a "custom" arch.

Hedley

OpenBSD

I'm sure the OpenBSD people are going to like this chip.

Re:Quick tutorial: code/data, buffer exploits, OS,

I'd mod you uninsightful if I could.

These two decisions provide great flexibility and power in memory management, but with great power comes great responsability.

Using in-band dial tones doesn't have any advantage aside from simplicity. Von Neumann architecture is as simple/complex as any other, it's the side effects we are interested in... So why should we follow suit?

I see a small problem.

[gd2shoe]

From what I read here, this seems likely to be a good security feature. But tell me, what would happen if a cracker/virus/otherBadStuff were to exploit a bug and set NX on a part of the kernel. Something to watch for.

Re:Motherboards! Please!

[eggsome]

And as long as I'm dreaming, I'd love a 2-way or 4-way Efficeon SMP motherboard. It would always be snappy and responsive, would have plenty of power for my day-to-day tasks, and could still be really quiet or (I hope) totally silent.

You've just described my dream workstation! I wish it made economic sense to produce a product like that...

Re:Data General & the obscure Motorola 88000-s

Also worth noting is that 68k Motorola MMUs - 68851, 68030+ internal - can have separate address- and codespace. It's completely possible to configure them so that stack (used for local variables) behaves normally when used for it's intended purpose, but causes exception when someone tries to execute it as code.

It's a marketing

What? Transmeta is a modern processor.. it didn't support marking pages as non-executable? Can't believe it.

Actually NX-feature is not new. Sparc, Motorola etc had it for ages. Even x86 allows to mark "segments" as non-executables (famous Linux patch uses it to prevent most buffer overflows). The problem was that i386 didn't allow to mark _individual_ page as non-executable (NX), only a segment.

Think about it as a bug fixed.
All the rest is just a marketing.

And, of course, it will not stop your favourite email worm :)

Vadim.

Re:It's a marketing

[moro_666]

agreed, i'm sure transmeta is actually doing what
they should have done ages ago. but it's a good effort
anyway :)

besides it won't help the wind0ws users much, i'm sure their
bloody mailclient outlook will find a workaround how to
execute whatever wherever without asking about executing it
from whomever.

[installing pine would be much cheaper i think]

Why NX doesn't solve the buffer overflow problem

[fingerfucker]

OK, so now you will have that every buffer overflow problem that a virus could exploit to insert custom machien code will be stopped before it can happen.

Instead, whenever a buffer overflow exploit is attempted, the regular process/thread/control flow will be interrupted to "protect" the data area from running the code. In essence, the OS in collaboration with hardware will deny the process an opportunity to execute further, thus transforming every "code insertion through buffer overflow" into a "denial of service" attack.

Re:Transmeta hired Babayan's student instead of hi

Wow, news spread fast. I know the guy you're talking about personally (I work at Elbrus) so I wanted to add some corrections. Transmeta is not based on hiring him. There is a difference between Transmeta and Elbrus, you can know the path (Elbrus) and you can walk the path (Transmeta). It's a big difference. Transmeta is already on the path and has made a long way so it has way more expertise than Elbrus. That guy is just adding more knowledge, it's not that his is an exclusive source of Transmeta growth.

Besides (pardon my non-native english) the word student sounds strange. He is not very young and he's not studying. He was rather gathering all knowledge and ideas by working with bright people. I'd say he was a high profile worker here.

go Harvard go!

[LittleBigLui]

go Harvard go! Take that, von Neumann!

Does Linux support it ? where ? I don't see it ?

I have seen some software implementations of this available as kernel patches, but I haven't seen it in the linux kernel.

OpenBSD supports it on systems that support NX.

Solaris should, but I cannot guarentee it.

XPSP2 does, but not on intel chips.

they only really use it for the stack

The stack is where buffer overflows occur, and you don't run code from the stack normally. So the OS just marks the entire stack no execute and that is your protection.

It works very well, but of course it isn't quite foolproof.

So don

[ZigMonty]

Or, a more mainstream example: one of the main problems with W^X or NX arrangements of late has been Java JIT compilers.

After all, the entire point of a (fast) Java implementation is that it's periodically rewriting its code based on profiling data. That's awfully hard for the hardware to distinguish from a good ol' buffer overflow.

This isn't the problem it first appears. All you have to do is generate the JIT'ed code into a region of memory not marked NX. It should only be a minor addition (if needed at all) to whatever code allocates the memory for JIT'ed code, like using mmap with the PROT_EXEC flag set.

Re:Why NX doesn't solve the buffer overflow proble

[ZigMonty]

Umm... denial of service is *much* better than executing malicious code. No, it won't stop buffer overflows. If the code is broken, there's no easy way to fix it in hardware. At least this thing will kill the process before you get 0wn3d.

Re:Quick tutorial: code/data, buffer exploits, OS,

Great comment, just a little nitpick:

by preventing writes to code locations, and preventing execution from data locations then you've eliminated every method that a person could cause the computer to run code that the programmer did not intend to run.

This is not _entirely_ true actually. Technically, since you usually know the software that's being exploited, you could find a piece of code (anywhere in the code segment) that you could 'abuse'.

In other words, with NX, you can still return to an arbitrary point in the code segment. So you find a piece of code that when called (possibly using a different than intended context) provides functionality you desire. Voila. It may proof very hard to find 'usable' code, I'm sure the NX feature will bring that to light soon enough (or hopefully not). ;-)

One solution to this is dynamic code relocation. In other words, shuffle code around within the code segment so that a malicous coder can't guess the location of a piece of code (s)he could potentially use.

The BEST solution is to have a seperate call and data stack. The call stack could in theory be entirely read/write protected from the process. Of course this is a feature of the CPU and the x86 just doesn't have that feature. Well, that's not entirely true either, the x86 does allow you to have a seperate call and data stack. You couldn't write protect the call stack, but you could make it so buffer overflows can't access the call stack. This could actually be implemented by a compiler change, I think. Gotta think about that some more...

However, with all this, it would STILL allow for people to manipulate the behaviour of the program by adjusting variables (through buffer overruns).

Bottom line though, combine all possible solutions (NX support, use buffer overflow checking libraries in C(++) programs at least durring development, use a language that protects against buffer overflows in cases where it makes sense, etc...) and you have made it a LOT harder to compromise a system.

Then again, it indeed won't protect against people running an executable inside a ZIP which arrives as an attachement from a stranger...

For those of you who didn't RTFA...

[Ingolfke]

From the article:

The NX technology is a Internet standards based technology solution that enables the complete elimination of any malicious code sent via network communications. By leveraging RFC 3514, Transmeta's NX technology identifies any packet flagged with an "evil bit" and refuses to execute it.

I've been waiting for this.

Oh, please

[ajs318]

This thing is snake oil. No, really. Every penny being spent on it is a penny wasted.

The ultimate example of built-in "No eXecute" would be a Harvard architecture machine (e.g. PIC series), where the executable instructions and non-executable data are placed in electrically separate memory.

But such a machine can still make a decision based upon the contents of a non-executable memory location -- otherwise a Harvard architecture machine would never be able to emulate a Neumann architecture machine (ever played old ZX Spectrum games on a mobile telephone?) And the consequences of that decision might affect the contents of executable memory locations, otherwise you could never load any software into executable memory.

You can effectively disable the NX functionality by running a little "emulator" to read non-executable memory and treat its contents as instructions. If you were really, really evil, you'd just set it as the default exception handler for attempted execution of NX'ed code and forget the rest. Getting the emulator into place in the first place is just a matter of persuading a clueless user to let you do it {e.g. by disguising it as a kewl new game, or pr0n, or a utility to block adverts / fill in passwords / do single-click web searches / download free music files / share your contact information with friends, &c}. My inbox is a testament to the fact that some people will click on anything.

Furthermore, once a "hardware solution" is in place, programmers will invariably get sloppy, assuming it will actually work, expecting it to do their job for them, &c.

Re:I did RTFA - self modifying code

[niteware]

I been writing self-mod'ing code for almost two decades and yes it is sometimes user controled thru a process diagramming interface, but mainly it is self-optimizing code. I understand the need for NX but sure wish it was a tri-state flag.

Re:Motherboards! Please!

But what's the point of having an NX capable machine? You aren't really using that machine for anything other than an appliance. Which is fine, but having the NX stuff isn't necessary for that.

We're talking NX systems here.

NX doesn't help anymore with interpreted code

[hoggoth]

NX is a great idea for compiled binary code. It doesn't help with interpreted code, though. The interpreter runs in eXecutable memory, the code it interpretes can be in NX memory. Some examples of interpreted code are: Java bytecode, DOT NET MSIL code, any interpreted languages like Perl, TCL, Python, Ruby.

Re:I did RTFA - self modifying code

[Scorchio]

That's a good point. However, I don't see anything saying that executable memory (ie. not marked NX) is not writable. So, you can't execute data, but you can write data to executable memory. Is this right?

OT: your current .sig

[hummassa]

/earth is 98% full. move everyone you can to /luna or /mars

Re:OT: your current .sig

[hesiod]

> /earth is 98% full. move everyone you can to /luna or /mars

If it's only 98% full, the other 2% must be a vacuum. I wonder why the vacuum "bubble" has not collapsed on itself. Or maybe that's what earthquakes are...

Re:Motherboards! Please!

[steveha]

I think the NX is a good idea, and I'd like it on all my computers. But the specific reason I want Efficeon chips is so they can run with just a heatsink, for the quietness.

steveha

Re:I did RTFA - self modifying code

[IWannaBeAnAC]

hmm, there are enough hoops you need to jump through to write self-modifying code on a modern CPU that I would expect that adding NX into the mix only adds a small additional complexity.

What CPU/OS combination do you use?

Re:Why NX doesn't solve the buffer overflow proble

[fingerfucker]

If the application is not available, there no business is done. If no business is done, no money is made (="no value is created", whichever way you prefer). If no money is made, I die of starvation or switch to caveman-style living, picking berries in the woods.

It's a good step, at least you don't get 'owned', but the hype is created and the propaganda that is being spread around deceitfully suggests that NX is a magic bullet...

Re:I did RTFA - self modifying code

[Frizzle+Fry]

Yes, that's right. Anything that doesn't have the NX flag set works just like memory does today on a system wher the NX flag doesn't exist. Having the flag off doesn't make the memory special "executable memory" that isn't allowed to contain data, it just means that the no-execute restriction doesn't apply.

Re:I did RTFA - self modifying code

[niteware]

Mainly WinTel32 now (no flames please), but of course Linux also. Started doing limited stufff on a PDP8, then a Vic20, but the C=64 was the the most fun (graphic routines mainly on that, anyone that knows both 'published' games gets a NOS copy of them!). But been there on 'old style' HPUX and IRIX (my favorite). Its a pain in the ass anymore and is easier to license and include a compiler, do 'on the fly' code generation, C,L,L the new library and drop the old one (This is the only practical way for WinTel64).

Best sig of the month...

[Hanzie]

--Finish your beer. There are sober people in China.

Just be aware that you're now responsible for Chineese people going without Diet Coke, as my last mouthfull (well, nosefull) hit my monitor, shirt and keyboard.

Re:Motherboards! Please!

And you wonder why you got an offtopic moderation?!

Re:Motherboards! Please!

[steveha]

This is Slashdot. All sorts of somewhat-related topics get posts, and often get moderated up. For example, on a discussion of privacy issues in the wilderness, a side thread about joining a search & rescue team wasn't exactly on-topic, but was moderated up rather than down.

As another example, your comment isn't about NX either, but you felt free to make it. And I doubt a moderator would be sufficiently offended by it to moderate it off-topic, even if any moderators were paying attention to this topic anymore.

If Slashdot was intended to be narrowly moderated, there would be more topics, and there probably wouldn't be a "funny" moderation (because jokes are really pretty off-topic most of the time).

I wouldn't have been surprised much to be moderated down, but I was surprised to be moderated all the way down to -1. And I guess I failed, but I was trying to be funny in a sort of sarcastic way. (Tip for any moderators reading this: if you want to go back and mod down my attempt at humor, I sugget you use "overrated" since there isn't a "not funny".)

steveha

Re:Motherboards! Please!

New here, huh? Buy that account on Ebay? OK, I get it...

Re:Motherboards! Please!

[steveha]

-1, Overrated.