Slashdot Mirror
Transmeta To Add 'NX' Antivirus Feature To Chips
Autoversicherung writes points to a ZDNet story which says that "Transmeta will support "No Execute," or NX, in their next core revision.
Transmeta will provide advance versions of Efficeon-based systems with NX support to Microsoft for testing. Hope Linus get a few too, even if he's no longer working there.
The NX-equipped Efficeon chips are due for general release later this year."
If they call it the "NX-01", I'm gonna shoot somebody.
Javascript + Nintendo DSi = DSiCade
can someone please explain why NX is important (and how it is differnt from NOP), and why it was not there earlier? Thanks
"When the only tool you own is a hammer, every problem begins to resemble a nail." - Abraham Maslow (1908-1970)
So how do you turn on this feature? I'd love for "No Execute" to protect me from accidentally running Windows if I choose the wrong option in my dual-boot setup. Will NX be supported by Grub/Lilo?
The NX bit is not an 'antivirus' feature.
Hmm I may be totally wrong here, but ain't this NO EXECUTE thing a responsibility of the operating system?!?
Why implement this at the hardware level, besides "making windows more secure"?
cheers.
``If a program can't rewrite its own code, what good is it?'' - Mel
and it said it's supposed to prevent buffer overflows, and that some are being provided to MSFT for testing ... but WTF is NX, and HTF does it work?
Ok, maybe I don't get this. How is this different from marking a block of memory as data, not code? The real problem is that certain OSes mark all memory as both code and data. Sure, it's easier on the bookkeeping, but it allows buffer overflows. If data was kept in data segments, and code was kept in code segment, the worst that would happen is a corrupted data segment, and/or a General Protection Fault.
Javascript + Nintendo DSi = DSiCade
Because, VBScript viruses come as source-code, and the script engine reads it and executes the functions that the commands want.
.exe attachments, I bet they will still work when the hapless user double-clicks on them.
Or
Or ActiveX holes.. well this would be harder to exploit with the NX feature..
What time is it/will be over there? Check with my iPhone app!
Just so we're clear here... NX isn't any sort of DRM technology.
It's a pretty smart idea, moving the core concept of "file permissions" into the RAM addressing space. Simply put, if the chip has been told that a certain area of memory has been marked "No eXecute", and then the execution point somehow gets there, an error event is raised to the operating system and that process is killed.
Basically, it's an unreliable but better-than-nothing safety backstop behind unchecked buffers. If somebody manages to exploit a buffer overflow, there's a semi-random chance that the virus code might just crash into being allocated into another area marked NX, and when the execution point gets there the underlying application starts to crash.
Of course, any memory space intended for data and not code should be marked NX... are people going to be smart enough to actually do that when on hardward that supports it? Let's hope so... it'll at least limit the spread of worms.
Yes, I RTFA, but can this be used as a DRM measure? If a piece of software is unsigned (as determined by the OS), the processor can be instructed to not execute. Someone smarter than me explain this.
--sig fault--
Just like Intel developed and implemented the Centrino spec which surrounds and supports the low-power Pentium M in order to compete in the wireless/ultraportable arena with products incorporating the Crusoe and the Efficieon, you can expect they'll have something up their sleeves with regards to this. I mean, it's not like they're just sittin' alone in their parents' basement watching Buffy reruns, and spanking it to naked Portman pictures.
The theory of relativity doesn't work right in Arkansas.
I know you were attempting a joke. But to bring it back on topic:n ol/winxp pro/maintain/sp2chngs.mspx
http://www.microsoft.com/technet/prodtech
How exactly is this an anti-virus feature? Anti-buffer-overflow, yes. Anti-worm... well, maybe, but it'd be a bit of a stretch (anti-worm-based-on-buffer-overflow rather). Anti-virus? Hell no.
I just love tech journalism...
I hope they consider sending one to the OpenBSD project -- considering OpenBSD has been sort of a pioneer in this kind of buffer-overflow protection (the first and only OS so far to include it by default, and have done so for about 1.5 years now).
It would seem like a logical (and swell) thing for Transmeta to do
Doesn't OpenBSD already provide this functionality, on existing i386 processors?
The "no execute" function is a subset of a call from a governor.
doesn't this required the software to be rewritten to use it? I think it would make much more sense if NX were replaced with something in the os that didn't automatically allow software to be installed by clicking "OK" on some web page. Even though it's annoying to have to type in the root password constantly in Linux, it's a hell of a lot easier than reformatting and reinstalling as I've done for too many people. Even if the computer is operated by one user, this requirement of the root password still makes them more aware that something is about to modify their system. Those activeX dialog boxes in IE make it seem like gator is a new and exciting feature and that's why people install it so much.
Transmeta To Add 'NX' Antivirus Feature To Forthcoming Chips?
...
Is it me or does this sound like a tremendous failure on the part of operating system vendors, in that this has to be implemented in hardware?
Im sure its more secure but hell, I think this could in the end lead to more complacency in software design. "No need to bother writing secure code cus new chips will have NX technology?" I personally dont even think this will be enough when it comes to the track record of Microsoft anyway.
nick
Electronic Music Made Using Linux http://soundcloud.com/polyp
It won't. So long as the user insists on granting run permission to something they shouldn't run, it's gonna run.
This only works when the problem is when something is trying to apply the buffer exploit way of taking over the execution point.
Still... just because it doesn't cure cancer is no reason to throw out a cure for the common cold.
Granted, I haven't really paid much attention or done any research on this no-execute flag, but it seems to operate within the data structures of a program such that you can flag a structure, memory block or references to it as non-executable.
If that's the case they how effective can this really be at stopping buffer overflow attacks, we still need to rely on the programmers to tag every data structure as non executable (and that isn't easy). We're talking about the same programmers who don't validate input data or put limits on it.
So basically, fixing a human problem in hardware is no solution. no?
Or is it that by default, nothing is executable unless you specifically tag it to be, so that the system by default won't run anything it loads?
Article X: The powers not delegated... by the Constitution...are reserved...to the people
I wonder why Intel is unable to use this functionality in conjunction with the current version of Windows to prevent introducing executable code via stack overflows?
Best Buy can have you arrested
http://www.microsoft.com/technet/prodtechnol/winxp pro/maintain/sp2chngs.mspx
Forget the whales - save the babies.
nx is a flag on a page (or block) of memory that indicates to the processor that i shouldn't be executed (page address not loaded into the ip?)
i can see that this would help catch some programming errors in a similar fashion to marking page 0 as read only (this catches all the bad offset references and unassigned pointer references). of course this would only really work if your compiler marked memory nx in a proper fashion.
i can see how this might help prevent buffer overflow attacks (worms), except that code should be marked read-only anyway... i'm kinda iffy on this.
but how in the world is this going to do anything to prevent a viral attack?
eric
Hmm I may be totally wrong here, but ain't this NO EXECUTE thing a responsibility of the operating system?!? Why implement this at the hardware level, besides "making windows more secure"?
Everyone and his brother has heard of the old Motorola 68000 series [it powered the old Macs, and Jobs used the 68040 to power his NeXTSTATIONs and NeXTCUBEs], but Motorola had a very obscure successor to the 68000-series, called the 88000-series, which had a non-von Neumannian Harvard architecture, i.e. it separated the machine code and the data code into two separate physical locations.
Data General built some old multi-processing AViiONs on 88000-series hardware in the late eighties/early nineties time frame; every so often you'll see one for sale on eBay.
Just goes to show that technological leadership is never any guarantee of marketplace leadership - x86 hardware is only now getting some of the features that Data General and Motorola were peddling [without much success] about fifteen years ago.
PS: A number of the guys at Data General who had worked on the gcc 88000-series port ended up over at Red Hat & Cygwin.
Man, these chips are gonna fly...till the bottle runs empty. Oh, wait, I should go read first.
As I understand it, the IA-32 architecture does not support NX. I don't think you could just tack it on as an afterthought and have it work.
There are some kernel patches such as grsecurity which do emulate this functionality in the kernel, but that brings performance down.
Can I get an eye poke?
Dog House Forum
It isn't true to say W^X is weaker -- only the i386 (and PPC) versions are *weaker* because the chip doesn't have the ability to protect individual pages. On architectures with this feature, OpenBSD takes full advantage.
Boris Babayan is a Russian chip architect who has never gotten the funding (tens of millions at least are needed these days) to adequately pursue a whole set of interesting ideas of his. He is the guy behind Elbrus, the interesting Russian CPU that never materializes because the money never happens.
Transmeta seems to be based on hiring one of his students, and implementing some version of Babayan's many ideas. Code morphing, protecting code from going out of bounds in hardware, these ideas are originally Babayan's. Maybe they should hire the master not the student, and then things might actually work. It is always sad when people don't realize the students are often not a good substitute for the original. It would be really nice to see Babayan get a shot at doing something in reality.
Of course, I say this without ever having met said student, and I am biased because I did meet Babayan and was personally impressed by him, so take this all with a grain of salt. Maybe I would be equally impressed by the student. Sure would be nice to see Babayan get a try at it though.
The new Efficeon isn't top-of-the-line by any standards, but it isn't dead yet either. Don't believe everything Van's Hardware says about Transmeta, or even about CPUs in general.
For example, he also fails to mention that the C3 does AES (and only AES) in hardware. He seems somewhat surprised at its AES performance in his (suspiciously chosen) AES benchmark, despite the fact that he works for them (Centaur)...
pb Reply or e-mail; don't vaguely moderate.
Back in 1997, Solar Designer released a kernel patch which marked the stack in linux as non-executable. However, the x86 processor did not allow individual pages to be marked as non-execute, which prevented marking non-stack
data segments as non-executable.
There were some problems with GCC's generation of executable code on the stack for (non-standard C) calls to nested functions. The workaround for
that weakened the security of the patch a bit.
And there may occassionally be valid reasons to write self-modifying code; hopefully, those can
be done in a special segment that doesn't have
its execute permission revoked by the loader.
http://www.openwall.com/linux/FAQ.shtml
Just goes to show that technological leadership is never any guarantee of marketplace leadership - x86 hardware is only now getting some of the features that Data General and Motorola were peddling [without much success] about fifteen years ago.
Completely unrelated to this is the fact that patents last only seventeen years. I'm sure it's a coincidence though.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Ok, the whole problem started with two decisions.
* Usage of a von Neumann architecture
* Storing call stack in buffer space
And it blossomed from there.
A von Neumann architecture keeps code and data in the same memory space. This means that the CPU can treat anything in memory as code or data - it doesn't care. Further, the software stack which stores temporary variables and return addresses (where to return when a function is complete) is also stored in this same memory area which can be executed. These two decisions provide great flexibility and power in memory management, but with great power comes great responsability.
So a buffer exploit happens like this:
A function is called.
The current address of program execution is stored on the stack.
Any variables the function uses are also stored on the stack after the return address.
Typically stacks grow down from the top of memory and code is stored at the bottom of the memory space.
Then function execution begins.
However, arrays stored in the stack grow upward.
If you store a return address, then put an array right after it of, say, 32 integers, then the 33rd integer is the return address of the code that should be executed when the function completes.
If you store code in the array, then change the return address (at location 33 in the array) to point to the bottom of the array you have your own little function running instead of what the program author intended. Obviously a program that prevents itself from writing outside its own array bounds does not suffer from this particular problem.
The CPU already has an MMU which tracks memory reads and writes into sections of memory called pages. The idea is that the OS can be called if the program accesses memory that is stored on disk, the OS can restore the memory, then it can return to the program. However the OS cannot tell whether the CPU is asking for paged memory because it wants to execute it or merely store/read data in it. Further, the OS may not called at all if the page is in memory since most page faults occur only when memory is on the disk.
The no execute bit is added to each page that the MMU manages. When a program needs more stack space it asks the OS for another page of memory, and the OS, knowing that it's data and not code, sets the NX bit. Then the CPU can report to the OS whenever the program jumps to an address inside the data area, trying to execute that memory as code.
This does NOT eliminate buffer overflows, but it can prevent code execution via overflows. Further, since the OS manages the program stack (for the most part, sometimes through libraries so a recompile may be necessary) then programmer interaction or changes are not needed to make individual programs work under this new system.
Lastly, most OSs prevent writing to code locations (ie, you have to jump through hoops as a programmer if you want your program to self modify its own code as in genetic programming) so by preventing writes to code locations, and preventing execution from data locations then you've eliminated every method that a person could cause the computer to run code that the programmer did not intend to run. This means that further exploits are due directly to the programmer adding code which, for instance, provides an interpreter in their own program (such as with VBScript, Perl, any interpreted language by itself or inside a program) or explicitly sets up an insecure area where code and data can mix and be executed.
-Adam
Duh, build an Althon64 system.
Did you see the part where I said I wanted it to be silent? As in, passive heatsink only? Athlon64 need not apply.
That said, my next desktop computer will be an Athlon64, because I can make it pretty quiet and it will run Doom III pretty well. I'd just like to have another computer that's silent, and use that for email and such. Then I can power down the Athlon64 when I'm in the mood for total silence (and not playing Doom III).
By the way, you say "VIA's crap" but I really love my tiny, quiet little Mini-ITX servers with VIA C3 chips. Great for email servers, file servers, etc.
Not every computer needs to run Doom III.
steveha
lf(1): it's like ls(1) but sorts filenames by extension, tersely
High-end systems like the IBM AS/400..err, iSeri..err, i5 have had no execute protection for decades. If it's not tagged as a program, it's not executable.
Actually, it's per page, not per segment. Segments had an exec flag from 32bit day one and this was the card Intel hoped people would play[*]; they were mostly wrong though, the segment-level protection did not get used so much.
[*] there are several such examples of stuff in the hardware that never got used on x86 - full use of privilege level granularity comes to mind; afair one of the reasons invoked against all these goodies Intel came with was portability.
Imagine a Transmeta style firm that can on the fly create microcode for the CPU. You select a random# on microcode creation. Your GNU toolchain then retargets gas to the coding on the ISA. (lets say its x86 permuted in a random way). Now since gas (and binutils) now know the codings a kernel can be built. The kernel, the webserver, RPC statd, whatever are all built using the custom toolchain. Now inject a Linux x86 worm and voila General Protection Fault.
Good luck creating a worm for a "custom" arch.
Hedley
Or, a more mainstream example: one of the main problems with W^X or NX arrangements of late has been Java JIT compilers.
After all, the entire point of a (fast) Java implementation is that it's periodically rewriting its code based on profiling data. That's awfully hard for the hardware to distinguish from a good ol' buffer overflow.
Scheme uses byte-code, so it has nothing with processor. And, after all, it's safe agains buffer overlows :)
Vadim
After all, the entire point of a (fast) Java implementation is that it's periodically rewriting its code based on profiling data. That's awfully hard for the hardware to distinguish from a good ol' buffer overflow.
This isn't the problem it first appears. All you have to do is generate the JIT'ed code into a region of memory not marked NX. It should only be a minor addition (if needed at all) to whatever code allocates the memory for JIT'ed code, like using mmap with the PROT_EXEC flag set.