Red Hat Introduces NX Software Support For Linux

abertoll writes "In this story at ZDnet, Red Hat has apparently added NX support to Linux. NX security technology is a hardware attempt at stopping malicious code." (We recently posted about Transmeta's announcement that its chips will incorporate the NX bit as well.)

Difference between NX and protected mode bits?

[PiGuy]

What I fail to understand is the difference between this 'no execute' bit and the 'executable' bit in standard 386 protected mode. Does the 'executable' bit not cause an exception if the PC proceeds to pages without it set? Even then, protected mode also has a 'read-only' bit - isn't this set for code pages? And if not, why not?

Re:Difference between NX and protected mode bits?

[Isomer]

the i386 has no hardware support for an "execute" bit. It just has a read bit and a write bit. If you have read access to a page then you can execute that code. The "NX" bit is the implementation of the "execute" bit, except when it's /set/ it prevents execution as opposed to the expected reverse, which is why it's called "NX" not "X" :)

Re:Difference between NX and protected mode bits?

There's absolutely no thing as the execute bit in 386. It's a feature lacking that most other VM-enabled CPUS have by default.

The 386 architecture has one bit for access: a 0 (read and execute) or 1 (read/write/execute). It is then that read implies execute, and write implies read.

Re:Difference between NX and protected mode bits?

[the_greywolf]

the bits you're referring to are the execute permission for segment descriptors.

the NX bit operates at page level - within segments. it is bit 63 of the Page-Translation-Table entry, and is only available in PAE mode. it is enabled by the NXE bit of the EFER ("Extended Feature Enable Register"). and it applies to all execution rings.

Re:Difference between NX and protected mode bits?

[tepples]

There's absolutely no thing as the execute bit in 386

There is, but it works on segments and not pages. Unfortunately, some i386 operating systems' ABIs are defined such that CS = DS.

The 386 architecture has one bit for access:

Your one-bit write protection applies to pages.

Re:Difference between NX and protected mode bits?

[dealsites]

This is just an attempt by the hardware developers to patch problems made by the software developers. Ultimately in the end, we will lose performance because they are adding overhead to general processing. The software developers (or companies) should be held responsible. It's no different than trying to patch a patch a patch, etc...

This is why linux is so efficient; bugs are corrected in the kernel and recompiled for the new releases. It's a much better solution that adding code bloat or processor overhead to solve these types of issues.

--
Smack your momma good deals!: http://www.dealsites.net/livedeals.html

Re:Difference between NX and protected mode bits?

[AKAImBatman]

People, do yourselves a favor and read the Intel specs. Please? There is in fact, a bit for defining code segments. These code segments can be marked as read only or execute only. The problem (as I managed to wrangle out of people the LAST time this thing was posted) is that a data block can also be executed without exception. The NX flag merely prevents data blocks from ever executing code.

Re:Difference between NX and protected mode bits?

[AdamInParadise]

I beg to differ.

All modern architectures implement all 3 different protections bits (read, write, execute). It should have been implemented a long, long time ago, and you definitely cannot emulate it perfectly in software.
I don't known why it wasn't implemented from the begining or at least when the 386 was released, but it was sorely missed by everyone working on improving the security of an OS. I guess Intel didn't think that this architecture would survive in the 21th century.

So adding the NX is a long overdue fix which should really improve the security of PCs, if it is used correctly by the OS.

Regards,
David

Re:Difference between NX and protected mode bits?

[astroboscope]

Ultimately in the end, we will lose performance because they are adding overhead to general processing.

Point taken, but if NX cuts down on the worm/virus/virus notice email we get because of infected Windoze systems, it'll be a performance boost for us UNIX users.

Re:Difference between NX and protected mode bits?

[awkScooby]

People, do yourselves a favor and read the Intel specs. Please? There is in fact, a bit for defining code segments.

Linux, Windows, BSD, etc. don't use segments, but instead use paging. Intel has dragged their feet on adding NX support because the feature "already exists", but the reality is that hardly anyone uses segments.

Ok, technically everyone uses segments -- they just create a single segment which covers all of the memory space. The GDT (Global Descriptor Table) must be configured when you switch to protected mode. Paging is optional.

The NX flag prevents a page (typically 4k) from executing. By marking all stack pages as NX, buffer overflow attacks won't be able to remotely execute arbitrary code. I assume that an exception will be generated when an attempt is made to execute from an NX page, which will probably cause the running program to halt. So, remote explots turn into DOS attacks.

Buffer overflow attacks have been known about for decades, and solutions such as NX have been known for quite some time too. As has been mentioned elsewhere on /., this does not remove the responsibility of developers to write good, secure code. But, as history has shown, they will probably continue with the long standing practice of writing insecure code.

NX will prevent buffer overflow attacks. NX will not be able to determine whether a program you choose to execute is good or evil. Viruses existed and managed to propogate back in the days before the Internet or even networking were in common use. NX won't solve all security problems, but it is a good tool to help reduce the possibility of remote exploits.

The NX flag isn't new, it's just new to the x86 world. Kudos to AMD for being the first to add this to the x86!

Re:Difference between NX and protected mode bits?

[fatphil]

Bollocks.

i386 _does_ have support for segment-level distinction between data and executables. i.e. an "execute bit".

In fact it's bit 43 of the segment descriptor. (Documented typically as 'bit 2' of the 'type' field, which is bits 41-43.) 1 means executable, 0 means data.

If your OS does not utilise all the features made available to it by the hardware, then don't claim the hardware doesn't support the feature.

Would moderators who up-modded the above misinformation please like to contribute constructively or humorously to this thread so that their moderation gets undone, please?

Re:Difference between NX and protected mode bits?

[fatphil]

As a long time happy linux user, but also a kernel author (not x86 though, C80), I can't share your positive attitude towards linux on this issue.

Linus sloppily decided to avoid _almost all_ of the protection mechanisms that the 386 makes available to the system. That's why you can smash the stack for fun and profit. He chose to let CS access the same pages as DS (and SS,ES,FS,GS), whe he could have allocated some linear addresses as code-only, and others as data-only. After that you simply need to ensure that no CS ever was given access outside the executable range, and no other segment was given access in the executabe range.
And you can ensure this - as you, the kernel, are entirely in charge of setting up user-space descriptors.

To do so would have added a bit more complexity to the memory management (with lower case letters) part of the kernel, but would have prevented all smash stacking and heap smashing attacks.

Linux is not _technically_ as good OS at all. It's simply _practically_ (for people like me) a good OS.

Tannenbaum is still right. (And when Tannenbaum says "run 20% slower" he means "take up 0.6% of the CPU rather than 0.5% of it, thus giving apps 99.4% of the cpu rather than 99.5%. But that's another rant.)

FP.

Re:Difference between NX and protected mode bits?

[evilviper]

This is just an attempt by the hardware developers to patch problems made by the software developers.

Well, this is pretty low-level hardware operation-type stuff we are talking about. If you call this feature a "patch" that shouldn't exist, then you could say the same thing about processors knowing how to do almost anything at all... Those lazy developers don't really NEED a subtraction function on the processor. Those software guys don't NEED a BIOS to interface with the hardware. Those software guys don't NEED the hardware to help deal with memory access, hardware addressing, etc.

There are a billion things that can be handled by software, but are more suited for hardware. This is further into the "hardware" catagory than any of the other hardware features I mentioned.

Personally, I think you probably don't have any idea what you are talking about. This is a hardware/software interaction problem, and you are complaining, saying that software developers should spend massive ammounts of time, effort, and money dealing with this in software, rather than spending a clock-cycle on the hardware solution. You've got a really twisted view of things, I have to say.

Re:Difference between NX and protected mode bits?

Basically it makes a virtual von neuman arch. What can happen, though, is a trojan with an executeable bit could alter the no execute bit for malicious data to allow it to be executable. If the cracker is really clever they will alter the windows check for the bit.

NX Virus....yay

[celeritas_2]

I personally can't wiat until some great evil makes a virus harnising NX to say.....block the execution of MSIE .....widespread luser panic is always fun

Re:NX Virus....yay

LOL block IE because it's DANGEROUS LOL LUSERS LOL BILLGATES M$.

You're fucking pathetic. Throw yourself off of a goddamn bridge.

Re:NX Virus....yay

Not exactly about to happen because it isn't practical to implement. Sorry to burst your anti-M$ bubble.

Re:NX Virus....yay

Uh... NX doesn't really work that way dumb ass. Besides, doing so is quite trivial without NX anyway. It's called ntfs ACL's. That stands for Access Control List incase you're retarded (which you probably are).

Re:NX Virus....yay

ACLs don't stop CURRENT viruses. How would they stop future ones?

Re:NX Virus....yay

Jesus christ, you cockspank, he's talking about using ACL's to remove execution priveleges from IE.

The NX Bit...

[zoloto]

And I always wanted processor support for the Evil Bit. Dang.

Re:The NX Bit...

AIDS=Apple Infected Disk Syndrome

Read the Jargon File lately?

Re:The NX Bit...

[zonker]

quick! better hack the gibson and write that nasty killer virus that will take over the worlds communications networks and put a penny out of every porn website transaction into your bank account before they enable the nx bit! man oh man, my bud teh cereal-killer is gonna be so m@d!

Re:The NX Bit...

[Beryllium+Sphere(tm)]

>And I always wanted processor support for the Evil Bit. Dang.

Silly person, the evil bit is part of the network packet and should be handled in the routing fabric instead.

Remember kids...

... NX support is not an excuse to write potentially unsafe code.

Re:Remember kids...

[Moraelin]

That is a great lesson, no doubt. One that more people would do well to keep in mind.

However, bugs happen when writing code.

Worse bugs happen when someone modifies code they don't understand. Some code depends on non-explicit assertions, such as an array size being already checked somewhere else, or some buffer being already initialized somewhere else. The maintenance programmer sees the code like through one of those cardboard tubes in toilet paper rolls, so he/she can easily miss such dependencies. When a change shortcircuits such a non-obvious check, shit happens.

E.g., true story: someone once "optimized away" the initialization of one of my decompression buffers, right before a release, but it never occured to them to also change the compression algorithm to not depend on a pre-initialized buffer. Such dependencies are probably the easiest kind to miss, because nowhere did a compression method call a decompression one, nor viceversa. You can go with a debugger through the code all day long, or make class diagrams, and never occur to you that two files are related.

(Rant: I remember it because then he made a big fuss and threatened to fire me, sue for damages, and whatnot, because "my" code didn't work. It's one of the kinds of behaviour that gives some people a PHB name.)

And it doesn't help that, in pursuit of some misunderstood cutting costs, companies:

A. hire the cheapest incompetents, who'll do worse mistakes. Which might still be ok, except,

B. they never plan for a proper testing _and_ debugging phase (no, a week tacked at the end for QA doesn't suffice)

C. nor for code reviews

D. nor for comprehensive unit tests. And even worse,

E. they accept (or in the case of client PHBs request) tons of changes without also requesting extra time for them, and then you're actually expected to do the quickest hack that could possible _look_ like it works. Remember: those deadlines must be kept at all costs, even if the client gets a piece of untested unstable crap.

F. the ever increasing reliance on buying some magical "+3 cloak of bug avoidance." Thinking that merely using some framework or library magically makes all problems go away. E.g., "it's Java, so we can't possibly have exploits or memory leaks" or worse "we use HTTPS, so we can't possibly have a security problem" or my pet peeve "it says 'enterprise' on the box, so it's inherently safe and scalable."

This kind of religious faith that just buying some magical talisman makes all problems just go away on their own, without any human responsibility or intervention, serves just to lull one in a false illusion of safety. It's probably the number 1 cause of errors A to E.

Darn.

[sploo22]

I noticed Slashdot was down for a few minutes just prior to posting this. I'll assume they were upgrading their servers.

So does this mean I'm out of luck with all those shellcodes I keep posting in my comments?

Re:Darn.

[sploo22]

Yes, I do. It was a JOKE. You really want me to spell it out for you? I was implying that I'd been hacking Slashdot regularly but now the new NX protection was stopping me. Happy?

no execute support new? Nonsense !

[Timber_Z]

Windows has supported that for years.

Why just yesterday it stoped executing for no particular reason.

Re:no execute support new? Nonsense !

[boarder8925]

Why just yesterday it stoped executing for no particular reason.

--second ago it stopped exe--

Re:no execute support new? Nonsense !

[Alien+Being]

"no particular reason"

Hmm, last time I used MSWindows, it said "General protection fault" and now it just says "no particular reason".

Congrats Bill, you truly are an industry something-or-other.

Re:no execute support new? Nonsense !

[0racle]

On a far more serious note, XP SP2 adds this same functionality, except its only supported on the newest processors from AMD, the Athalon64 and Opterons. So does this, and the support for it that OpenBSD added to the i386 port, have the same limitation?

Re:no execute support new? Nonsense !

[tepples]

From what I've read, NX support on older i386 CPUs either 1) puts all of a process's code below the code segment limit (1 GB) and all data above that, with an unmapped gap in between, or 2) hooks into the translation lookaside buffer (the cache for virtual memory page table lookups) at a speed cost.

Re:no execute support new? Nonsense !

[0racle]

So what processors does this and OpenBSD enable NX on? Seriously, I'm having problems finding a straight answer. I didn't notice a performance decrease from OBSD 3.3 to 3.4 but my system isn't really doing much.

Re:no execute support new? Nonsense !

[sirsnork]

For the record. Only AMD64 based CPU's currently have support for this on x86. Intel and Transmeta's next generation chips will also support it. No previous CPU's will.

Re:no execute support new? Nonsense !

OpenBSD is able to do this a Sparc and Sparc64 (and AMD64), since they support a per page no execute bit. Through devious cleverness, they were able to achieve similar functionality (not quite as good, but certainly an big jump on other OSs on the same architecture) even on i386 (which doesn't have a per page execute bit).

Re:no execute support new? Nonsense !

[mczak]

Transmeta's implementation works also for current generation efficeon chips, since it's 100% "firmware based" (in their codemorphing software). Source (german):
mczak

Per-segment vs. per-page

[tepples]

Standard 386 protected mode controls per segment, where CS (code segment) is executable and DS (data segment) is writable. However, many 32-bit operating systems use a so-called "tiny" memory model, setting CS = DS, and the 386 allows for turning off read and write privileges per page but not execute privileges (if you can read a page in an executable segment, you can execute from it).

However, true W^X (shorthand for "no segment is both writable and executable") support won't work for applications that depend on self-modifying code, such as JIT-compiling virtual machines for Java and .NET platforms.

Re:Per-segment vs. per-page

[forkazoo]

However, true W^X (shorthand for "no segment is both writable and executable") support won't work for applications that depend on self-modifying code, such as JIT-compiling virtual machines for Java and .NET platforms.

data char* temp = new data char[len];
executable char* code = new executable char[len];
int function() = code;

compile(javasrc, temp);
copy(temp, code);
function();

From what I've heard, allocations will default to non-executable, but there will be some sort of API that allows executable space to be allocated on every OS that deals with NX bits. You will probably also see WinXP and the like with the ability to "Run this program in compatibility mode..." until the developer updates to deal with the tweaks made in the updates.

Re:Per-segment vs. per-page

[tepples]

compile(javasrc, temp);
copy(temp, code);
function();

And watch as NX::copy() has a huge overhead from going into kernel space and back.

Re:Per-segment vs. per-page

[yudan]

in this part of code "copy(temp, code)" you are writing code segment. This is not compatible with NX bit.

Re:Per-segment vs. per-page

[Alan+Cox]

NX is page table level. It is very hard to make use of segment based protecting in operating systems using 32bit flat paging modes (like all of the modern ones). Solar Designer produced some patches that try and do this at least for non exec stack but they require magic kernel side exception fixups.

Re:Per-segment vs. per-page

[MobyTurbo]

However, true W^X (shorthand for "no segment is both writable and executable") support won't work for applications that depend on self-modifying code, such as JIT-compiling virtual machines for Java and .NET platforms.

I have heard this is a serious problem for LISP as well. I hope, for the sake of these platforms, that W^X, which seems to be the future for most operating systems will have some sort of loophole for the neat and useful computer language features that aren't compatabile with it.

Re:Per-segment vs. per-page

Of course, by "copy()", grandparent meant a special kernel call that can make an executable page temporarily writable.

Re:Per-segment vs. per-page

[hobo2k]

Applications which write code at runtime should have no trouble if they were developed properly in the first place!

In windows, the function VirtualAlloc has has always expected you to specify the level of protection for the memory page(s) you are allocating. These options include read,write, & execute in any combination.

The programmer should have used this. (sorry, don't know if unix mmap has the same options).

Re:Per-segment vs. per-page

[sjames]

From what I've heard, allocations will default to non-executable, but there will be some sort of API that allows executable space to be allocated on every OS that deals with NX bits.

Fortunatly, Unix already has an API for that, both mmap and mprotect have the PROT_EXEC flag. There may be a few apps that get into trouble for not using it where it's needed since on x86, it's effectively been always set up until now.

Re:diff?

[sploo22]

Did you even look at it?

$ wc -l nx-2.6.7-rc2-bk2-AE
518 nx-2.6.7-rc2-bk2-AE

It's smaller than most, but still not exactly trivial.

There you go

... all those fellow /.'ers who cried out loud "we don't want no DRM" when they first read the titles of the stories about NX support in upcoming procs, without even bothering to understand WTH NX is for, and kept and kept writing idiotic comments about how evil Windows must be because it now supports NX (which they seriously thought was some form of ah-so-evil DRM feature)

See, NX is a good thing, now even Linux has support for it :) I am happy that you will now have an opportunity to open your minds to this fine new technology.

Cheers.

Re:There you go

[Jeff+DeMaagd]

Well, hey, now maybe we can hope for some other distribution to include this, hopefully one that doesn't suddenly yank their maintainance support out from under you only sixteen months after introducing a product?

Re:There you go

this fine new technology.
WTF are you talking about? Many non-intel procs support something like this for ages...

Re:There you go

[dont_think_twice]

I am happy that you will now have an opportunity to open your minds to this fine new technology.

Yea, right, open my mind. Haven't you ever heard of cognative dissonance? It means I can hold two contradictory thoughts in my head and not be bothered. So Microsoft is evil for including NX, and linux is awesome for including NX. What do you have to say to that?

Re:There you go

I say you've got your terms mixed.

Cognitive dissonance is when your mind makes automatic connections with senses and certain words/concepts, and then is presented with their opposite. For example, the word "red" printed in blue.

Doublethink is the act of willingly believing that two contradictory concepts are simultaneously true. (The word has entered common language, enough to appear in all three major English dictionaries, after initially appearing in George Orwell's dystopian story 1984.)

Cognitive dissonance is a nifty study of our brain's ability to link concepts. Doublethink is the mark of a retard.

Re:There you go

[kfg]

It means I can hold two contradictory thoughts in my head and not be bothered.

No, cognative dissonance is specifically the being bothered about it part of holding two contradictory ideas at the same time.

That doesn't mean you stop holding one of the ideas. I means you kick the dog and then post an AC rant.

KFG

Re:There you go

So, give us some pointers please. Otherwise, you're just one more troll.

Just don't add "Halt and Catch Fire" Instruction

[xmas2003]

I just hope that with all the overclockers out there, they don't add support for the Halt and Catch Fire Instruction ;-)

Seriousely, the NX stuff is a "good" thing to add to slow down malicious code - the only thing better would be a HULK Instruction which would SMASH Puny Human malicious code ... ;-)

A cross between...

[3)+profit!!!]

This "NX" stuff to separate data and instructions is sort of like crossing current CPUs' Von Neumann architecture with a Harvard architecture type of chip, where the storage is actually separate from the executable code.

Re:A cross between...

[awkScooby]

This "NX" stuff to separate data and instructions is sort of like crossing current CPUs' Von Neumann architecture with a Harvard architecture type of chip, where the storage is actually separate from the executable code.

Actually the 386 in protected mode with segmentation is closer to a Harvard Architecture than what you get with the NX bit. Create 2 segments which split memory in two pieces. One is a code segment which is executable but not writeable, and the other is a data segment which is readable and writeable but not executable.

Fine No Execute

[oldstrat]

This is all well and good, but is certainlly not a panacia.
No execute means that somewhere, somehow there will be an override and the day the override is used the virus' will follow by tricking (and explaining how) to the user why this is needed and bingo, it's in.

And of course I could be completely wrong in that this no execute bit does not exist on older processors and that in itself is going to cause problems. Intel has xbit on newer processors, but what about AMD, VIA, whoever else? Is this part of the Intel half of the WinTel duopoly?

I think it's probably a good idea, but I'm suspicious.

Re:Fine No Execute

[Cyph]

AMD has No Execute on Athlon 64 processors, so it's certainly not an Intel specific thing. As the Slashdot blurb mentions, Transmeta recently added it as well. But no, older processors do not have No Execute on it.

Re:Fine No Execute

I don't think viruses tricking users is that big of a problem, because there's a lot more dangerous things that viruses could ask users to do.

And if you read the article, it's on AMD and Transmeta too.

Re:Fine No Execute

Non-executable stack isn't the same as W^X. Check openbsd.org for a decent explanation, they have had non-executable stack and heap, plus W^X, pro-police and a few other tricks to make exploits harder as standard features for ~1 year now.

Re:Fine No Execute

[explorer]

Right, all AMD K8-class processors have the NX-bit already. And despite the Intel-centric spin on the ZDNet article, the fact is that Intel has only announced that support for it is coming in future Intel parts. Unlike AMD, it doesn't appear you can buy any CPUs from Intel that support the NX bit today.

In other words, Intel is playing catch-up.

And note the comment in Ingo's linux-kernel posting that refers to the "existing NX support in the 64-bit x86_64 kernels ... written by Andi Kleen". I.e. NX-bit support was already available to AMD64 owners running 64-bit linux kernels.

Re:Fine No Execute

[0racle]

NX is not a new thing, and neither Intel or AMD did it first. SPARC's, UltraSPARC's and Alpha's have had this for some time, and it wouldn't surprise me if its in the Power chips as well.

As far as it not being on older processors, I assume you mean older ia32's, and surprisingly this was brought up in a MS TechNet event I was at on Thursday. I don't know all the details, but he presenter said it was in older chips, at least back to the original Pentium if I remember, but with the way ia32 chips do paging, it was never implemented in the OS's until recently, which i can only assume the Athalon64, Opeteron and Itanium do this differently, but don't quote me on that.

Personally, I'm just wondering exactly what ia32 chips will Linux and OpenBSD use NX on.

Re:Fine No Execute

[kasperd]

somehow there will be an override and the day the override is used the virus

First of all you shouldn't expect the NX bit to do any good against a virus. A worm OTOH might be stoped by the NX bit. OK I'll assume you mean the worm would use a way to override it. If it could be disabled per executable like execshield on Linux, you could only exploit vulnurable programs with the security feature disabled. So if the vulnurable service is running with the security feature enabled, you cannot disable it, unless you already control the machine. So it doesn't help a worm gaining control.

What are the chances the vulnurable service would run with this security feature disabled? Not large, because you would only disable it, if the service didn't work otherwise. And the number of programs breaking in case of Linux is not large. Fedora Core 1 has exec shield which does a best effort at implementing this without specific hardware support. Arjan van de Ven explains that hardly any program broke. Ingo Molnar explains in a bit more detail, that the X module loader was the only program breaking. (Some other programs broke for other reasons). So when it is only one program breaking, you fix it, rather than starging to disable this security feature.

However as Linus has explained, there are ways to exploit a vulnurable service in spite of NX. This specific attack relies on using /bin/sh, which means it wouldn't work against Windows. But anybody who knows as much about Windows as Linus knows about Linux would surely be able to come up with a similar attack against a Windows service. For example there is probably a function you can call to change the protection bits on a memory range. So you first fill code in the buffer, which cannot be executed at the moment, the return address you overwrite with a pointer to this function call, and you provide it parameters specifying to make the buffer executable. The return address from the function call then just needs to point to the buffer.

Re:Fine No Execute

[IamTheRealMike]

Personally, I'm just wondering exactly what ia32 chips will Linux and OpenBSD use NX on.

New ones. People will buy them because they want "Enhanced Virus Protection".

In the case of older chips: well, that is what exec-shield is for.

Re:Fine No Execute

[TheLink]

The pushing parameters onto stack before calling a function sounded rather kludgy to me when I first learnt about it years ago.

Why don't people use different stacks for return addresses and parameters/variables?

That way one reduces the chances of "running arbitrary code of the attacker's choice". In event of a bug the attacker is more likely to only easily "overwrite/specify arbitrary paremeters/variables for existing functions". Which seems magnitudes safer.

Re:Fine No Execute

[iabervon]

It gets substantially better when the system also messes with your memory layout. There's also a patch to randomize the locations where libraries and sections of the binary are loaded. If you don't know where the code is, and you don't know where the strings are, and you can't insert any code that will be executed, you have a very small chance of exploiting the program, and you only get one chance before the program crashes. And next time, the libraries will be loaded differently.

Re:Fine No Execute

[HiThere]

You mean like FORTH?

It's not really a bad idea, but I'm not at all sure how easy it would be to implement with the current compilers & code-base. I suspect quite difficult. The NX bit is probably transparent on systems that don't have the capability, which a dual stack system wouldn't be. (OTOH, a dual-stack system wouldn't need to depend on new CPUs.)

Re:Fine No Execute

[sjames]

You mean like FORTH?

Exactly like FORTH! The fact that FORTH runs on nearly anything shows that hardware support isn't required, but having explicit support for a data stack might be interesting for performance.

Although it would be a bit of work, with a modified kernel syscall and gcc, it could be implemented on existing hardware.

Re:Fine No Execute

[TheLink]

Well the gentoo guys probably won't mind recompiling everything ;).

As for FORTH - I heard it's still vulnerable to buffer overflows.

Plus if you're not careful the fact that typically code=data in FORTH just creates the same problem in the next level. Joe Programmer may not know to use different "dictionaries" or whatever they call those, to isolate things.

A while back I crashed a forth webserver on my first try (zhttp). Sent a single quote to a http basic-auth password prompt... It really crashed too. Doh.

Re:Fine No Execute

[arhra]

ia32 has always had the ability to mark memory non-executable at the segment level, but mucking about with segments is a pain in the arse, and something that most people were happy to leave behind in the 16bit days, so most OSes just use a single 32bit segment as a flat address space, and it's never got much use. It's by doing tricks with segments that OpenBSD's W^X and the various things in some RedHat kernels, etc, work, but they're not nearly as straightforward as having proper support for per-page control over executability.

Re:Fine No Execute

[HiThere]

I didn't mean use FORTH as the language. That's just slightly better than using assembler. I meant "Is this the kind of system you mean?". Actually, if one wanted to implement this, it would take more than two stackes for security. One stack would be solely for executable addresses, One stack for integers, and one for floats. (One could probably get away with mixing characters and integers, but string references would need to be to executable addresses...still, each character retrieved from the string would need to be on the integer stack.)

It's possible that such a system could be designed to always keep data and code separate without the need for either architectural changes or for marking entire pages as non-executable. But I'm not convinced that the additional complexity wouldn't be so expensive in other ways (integrity checks?) that it isn't cheaper to go with the NX bit. Still, I can see a variant of the system where each routine maintains it's own set of five stacks (two integer stacks, two float stacks, and one executable address stack). The problem would be to find some efficient way to hold more than two stacks...one would need to know how large each stack could get, or one would need some way of resizing the stacks...and that could rapidly get expensive in CPU cycles (or RAM if one allocated so that resizing would be rare).

This is the kind of thing that one wouldn't want to see in the middle of a frequently executed loop.

Re:Fine No Execute

[TheLink]

Well having a separate address stack may make it easier for the CPU to figure out program flow. So the performance hit might not be that bad.

As for the other stuff, I think just a single general parameter stack may be good enough - let the programmers figure out what they want to pass to routines and how they want to do it.

Shouldn't be too difficult to detect if the stacks collide. Start and current pointers for each of the two stacks, or something similar. Load in the pointers for each context switch.

This way you can make it very very hard to screw up the address stack and return to a /bin/sh call or something silly (Linus's example). The NX bit doesn't stop that sort of attack. Without separating the stacks you'd probably need to do stuff like canaries/checksums to detect stack corruption.

I doubt this separate stack stuff will get into any x86 tho ;).

Comment removed

[account_deleted]

Comment removed based on user account deletion

JIT Compilation/Interpreters

[MntlChaos]

How would Just-in-time compilers and interpreters work? If I understand this correctly, you can't write data to executable areas of memory, but then how do you run instructions that are written to memory!?!? Could someone explain?

Re:JIT Compilation/Interpreters

[TummyX]

Um. Well obviously there will be APIs to mark data regions as executable or to allocate executable data regions. The later would be better cause then you could better ensure that offflows from non-executable data regions won't overflow into executable data regions.

Re:JIT Compilation/Interpreters

The JIT Compiler writes its output into a writeable data segment. Then the JIT controller makes an operating system call to change the mode of that segment from "writeable data" to "unwriteable code". Then the JIT interpreter runs the "unwriteable code".

Re:JIT Compilation/Interpreters

And on any POSIX-conforming system there already is an API to mark data regions as executable. Indeed the "API" has been there for decades: it is a single kernel call mprotect(address, length, protection). The third argument is a combination of the flags PROT_READ, PROT_WRITE and PROT_EXEC with obvious meanings.

Perhaps the marketing people that came up with "NX technology" should be told that there already are two similar page table bits that haven't been properly marketed.... They could call them "ReadGuard technology" and "WriteProof technology". I think consumers would go for them if these little-known technologies were associated with proper privilege separation and fluffy bunnies.

Re:JIT Compilation/Interpreters

[ModMeFlamebait]

And now s/JIT [\w]+/malicious code/g. Where's the protection? IMHO this should be set on a case-by-case basis (a'la chpax), so that you *know* you get executable data.

Re:JIT Compilation/Interpreters

[Rick+and+Roll]

There are a lot of people who don't seem to understand this. A buffer overflow usually happens when a person hacks into A LEGITIMATE RUNNING NETWORK PROGRAM THAT HAS A BUG. For example, a bug like this was just found in the CVS server. There are likely dozens of exploits like these that the general public doesn't even know about, that people are using to spy on other computer users. It is a serious security issue that can even plague the computer savvy.

On the other hand, if a person doesn't know the risks of running attachments and such, they may *choose* to execute a program, giving it full or user permissions. That program can do a lot of damage. If a person downloads and runs a full-blown executable from an untrusted source, they are out of luck.

In my opinion, this is the way things should be, and people should be smarter about downloading and running executables. Two more things: I would like to see Windows users running the majority of programs under user permissions (as is done under UNIX), and it would be wise for people to do regular backups.

calling it a "technology"...

[dekeji]

Calling it a "technology" I suppose detracts from the fact that the lack of an executable bit in x86 page tables is a deficiency. You see, this "feature" has been around since, oh, the middle of the last century, and many processors other than x86 have supported it without even considering it worth mentioning.

Re:calling it a "technology"...

[Fweeky]

A friend of mine with a lot of experience with x86 assm claims the architecture already supports non-executable memory areas anyway. I wonder if he can find a reference.. maybe it's just not fine-grained enough (i.e. per-page) to be useful?

Re:calling it a "technology"...

[Fweeky]

Never mind ;)

Space the Final Frontier...

[Quantum+Jim]

I'm Captain Jonathon Archer of the starship, Red Hat Enterprise, NX-01 class security. ;-)

AMD once again taking the lead.

[l0ungeb0y]

"AMD's Athlon 64 and Opteron processors have had NX since their debut, though the extra bit won't do anything on a Windows XP system until you obtain and install Service Pack 2. Intel is expected to add NX (or XD) to the next generation of its 90-nanometer-process Pentium 4 "Prescott" CPUs -- bundling the security enhancement with a larger 2MB Level 2 cache and perhaps a faster 1066MHz front-side bus -- in the fourth quarter of this year."

This year has truly been AMD's year to guide the microprocessor market. Remember not so far back when everything AMD did was a response to Intel? This year it's been Intel responding to AMD. I hope this trend continues as it shows that the so-called WIntel stranglehold is starting to crack and that it is possible for the competition to assume a leading role in the market. Now hopefully, IBM has something in the works for it's PPC/Power lines, as they've been working closely with AMD and this processor feature is something that every networked system could use.

Re:AMD once again taking the lead.

[Dachannien]

At this point, it doesn't really matter, because they're all going to screw us over with Trusted Computing soon enough.

Re:AMD once again taking the lead.

[evilviper]

Remember not so far back when everything AMD did was a response to Intel?

Including the stupid stuff, like switching to "slot" processor/mobo interfaces...

Well, on the plus side, AMD learned very well from their mistakes... After that, they've stuck with "Socket A" this whole time, while Intel conituned the madness, switching to a different socket every month it seems.

Then again, AMD64 seems to have put them back in the mad mindset again, having 3 different sockets for their parallel chip lines. Hope they stay as smart as they've been and iron that out right away...

Re:AMD once again taking the lead.

[cadence007]

Actually, when Intel switched to the Slot 1 design, AMD had no choice but to design their own slot, since Intel purposely denyed licensing by other processor companies (unlike the socket 370, which was licensed to cyrix (joshua cpu's) and via (C3 cpu's). The AMD Slot A's were very short lived, from 12-18 months, offering up 500mhz to 1000mhz models, near the end of which, they started offering the new PGA Socket A processors. The blame for the slot/socket fiasco lays solely on Intel in this case.

Re:AMD once again taking the lead.

[evilviper]

The blame for the slot/socket fiasco lays solely on Intel in this case.

Not at all... AMD could easily have stayed with the Socket method, rather than switching to a Slot processor interface.

Compatibility between different Slot interfaces is completely irrelivant.

A Problem or Not?

[tetrahedrassface]

Who defines what is malicious? Is it outwrite malicous activity (READ intrusion and destruction), or code that is identified and peer reviewed as malicious? I just want to know who is deciding what can go on my box and why. Will mp3's be one day named malicious because the code may or may not infringe on patents? Or is this truly a stop-gap measure to prevent getting rooted? What about patent infringements? Im sure some quarters would say that is malicious indeed. Just a question after my beers. DB

Re:A Problem or Not?

[lachlan76]

The malicious code is the code which runs in an area of memory where it shouldn't be (meaning executes a buffer-overflow attack).

Kernel 2.6.6 included a x86_64 NX patch

This new patch is to support NX in 32-bit processors or 64-bit processors running in 32-bit mode.

The 2.6.6 kernel already included an NX patch for x86_64. Details are in the "Non-Exec stack patches" LKML thread here.

A troll or not?

Who defines what is interesting? I just want to know who is deciding what posts are interesting and what is not. Because this poster has no fucking clue what he's talking about.

Mod Parent Up

Yes, I sincerely agree. Unfortunately this usage error of the word is now so widespread, I fear nothing can be done anymore.

Looks like only the wise understand the distinction among "tool" and "feature" and and "technique" and "technology", but the rest of the people who gather their world knowledge from buzzword driven press articles will keep thinking that Visual Basic is a "technology" as well as Java.

Actually it would be interesting to discuss how the scopes of these 3-4 concepts should be in the area of computers.

Here you go...

[SoSueMe]

Some legitimate programs, such as Java compilers that perform just-in-time code generation, execute instructions within data areas -- and will have to be rewritten for Service Pack 2. But the most common exploiters of x86 architecture's porous program and data boundaries are applications (called, as a matter of fact, exploits) that perform buffer overrun attacks -- one-two punches that first flood a program's input area with more data than it's designed to handle, then deliver a poisonous executable payload. ..........

Software developers will be able to selectively disable execution protection for 32-bit applications, using a DisableNX fix in SP2's compatibility toolkit, and end users will be able to switch the feature on and off for the entire system or for individual applications (like those Java compilers) via a new Control Panel dialog box, similar to those for SP2's beefed-up firewall .

Re:Here you go...

[m_pll]

Some legitimate programs, such as Java compilers that perform just-in-time code generation, execute instructions within data areas -- and will have to be rewritten for Service Pack 2.

Of course, if those programs were written correctly in the first place they wouldn't need to be fixed to work on NX platforms.

Win32 has always had PAGE_EXECUTE flag, and if you wanted to execute dynamically generated code you were supposed to include this flag when allocating memory (or use VirtualProtect afterwards).

Most people didn't bother with PAGE_EXECUTE because it wasn't enforced on x86. But technically it's always been required.

NX, Impressive! The processor has learned well!

[doublebackslash]

Now it is time for you, young grsshopper, to learn as well.
translation:
Malicious code executing itself via a buffer overflow is actually one of the lesser evils in the virus world. Most users will gladly allow anything to run on their box, especially if it does something cool (time, weather, cutesy things, etc), and with everyone being root on Windows boxes, this means the program can do whatever the hell it wants and windows won't say anything/much.
The NX bit is great, especially for servers where generally the only kind of attack is a buffer overflow. Like I said the procesor has learned well, but the users must learn also.

Will performance decrease?

Due to overhead, if any!

Re:Will performance decrease?

[kasperd]

Performance will not be significantly affected. When the CPU is executing it doesn't need to check instructions as long as they are in the instruction cache, because you wouldn't allow the instruction cache to load from nonexecutable pages. So as long as you don't have any L1-cache misses, there would be no difference at all. Once you miss the L1-cache and have to go through paging to the L2-cache, the hardware will be different, but the NX logic would be pretty simple and mostly relying on paging logic already in place. So also at this point there would be no difference. And I really mean no difference, the same piece of code will execute in exactly the same number of clockcycles in both cases. (As long as there are no bugs causing the code to attempt to execute nonexecutable pages of course). I haven't seen the NX logic, but I guess if you saw the piece of hardware we are discussing and then compared it to the rest of the paging logic, or even the rest of the CPU, I'm sure you would say: "What is all the hype about?"

So the only place where there would be even a theoretical possibility to meassure a difference is the code responsible for creating the page table entries. This is already in one of the expensive code paths, which you avoid as much as possible, so one extra line of C code to set the NX bit shouldn't give a meassurable difference.

definitely helpful but no silver bullet

[The_Bagman]

This is basically an "execute / no-execute" bit in the page-table entries. It means the OS can mark portions of an application's virtual address space as non-executable - such as pages in the heap or the stack. It'll help against buffer-overflow attacks that put new assembly code in the stack and return into it. It won't help against buffer-overflow attacks that return into existing code (e.g., to do a system call). It won't help against worms that take advantage of meta-character expansion vulnerabilities. It won't help against scripting flaws (such as javascript, active-x, or visual-basic/outlook vulnerabilities). It won't help against weaknesses in the OS itself.

Think of this as raising the bar. Of course, the "clever" attackers will still find flaws, and still write code for the script kiddies to use to exploit them.

Intel wrote Linux wireless support?

[rimu+guy]

http://zdnet.com.com/2100-1104-5227102.html:

In addition to the NX work, Intel this year released prototype wireless network support--albeit nearly a year after full-fledged support was available in Windows.

Don't they mean that Linux had new wireless network support this year? Or was Intel the wireless support contributor for Linux? Either way I think the sentence is in error. Though I'm probably just being pendantic for raising it.

---
VPS Hosting

Re:Intel wrote Linux wireless support?

[VertigoAce]

From the link it is just referring to support for Intel's Centrino processors. Intel is responsible for the wireless support under Linux for the integrated wireless found in some Pentium M systems.

One step at a time

[SoSueMe]

This, to me, seems like just one more slow, inexhorable step towards "Trusted Computing".

Re:One step at a time

[Dwonis]

"Trusted Computing" has a lot of useful applications, such as in creating large distributed computing networks and online voting, using "trusted third parties" (TTPs). That is, provided it has support for multiple TTPs which are selected by the end user.

Re:One step at a time

[Xenographic]

Then you must have no clue what it is.

It stops you from accidentally executing your data (e.g. buffer overflow onto stack).

Open BSD has it. It's a security enhancement. Even if you're running windows, you don't want buffer overflows. It's good. It's not DRM.

Re:One step at a time

[sjames]

It has little or nothing to do with "Trusted Computing". The OS is free to set or clear the NX bit as it sees fit, including at the command of the user. "Trusted computing" is more like having a ring -1 and the OS being powerless to do anything about it.

From the same creators...

[dark-br]

...of the Evil Bit?

Exciting news...

[rice_burners_suck]

I'm glad support for this is finding its way into Linux. I think OpenBSD has had this for a while now, as part of ProPolice... I'm not sure about that though.

From what I've read, it certainly makes sense to break a few apps for this functionality, as you can always run them in a build without it. Things should be a lot safer, as crap like buffer overruns from carefully formatted input strings can no longer contain executable code.

I think this should be available for individual programs to set the NX bit on memory pages that should only contain data, so, for example, when you download a file, it is impossible to execute it (say, while in memory) until you save it and explicitely set the execute bit. In other words, there is a completely non-executable path for all untrusted code from its inception until the user explicitly makes it run. Now, when some Joe Luser clicks an email attachment virus made for Linux, if this ever happens, it will be very difficult for him to make it run, and hence, it won't. Add to that the protections inherent in all Linux systems (multiuser permissions, heterogeneous configurations, etc.), and it's very unlikely that Linux users will experience the kind of crap that Windows users have to put up with on a daily basis, even if Linux somehow gains a huge market share on the desktop.

These are exciting times.

NX and Self Modifying code

[execom]

It might be a bit 'off topic' but the draw back of NX is that self modifying code is no more supported.

Although, I don't know if SM code is supported on Linux - Under Windows you had to use 'VirtualProtect with PAGE_READWRITE -, anyway it's a bit 'outdated' technique - lot of cache misses issues, Intel was against SM code, although i used it a lot a long time ago). So it shouldn't be a real issue.

The question is : can NX will disable with the (root) user under Linux, as it will be under WinXP SP2 ?

Re:NX and Self Modifying code

[Animats]

Modern x86 CPUs go to incredible lengths to support self-modifying code. PowerPCs, by comparison, don't support it at all; they have separate instruction and data caches. If you modify code in a PowerPC, you have to flush the instruction cache or it won't work. There are system calls for this under the MacOS. And nobody notices. In fact, the PPC 601 didn't even have the instruction cache flush instruction. For some years, Linux for PPCs had to flush the cache by preventing interrupts and loading a big block of junk data to invalidate the entire data cache. About the only time this is done is during fork/exec sequences.

There's some history of self-modifying code from the 16-bit DOS world, but it's probably time to kill that off.

It's been a long time since self-modifying code improved performance. Today, self-modifying code on an x86 machine works something like this.

• The processor is going along, fetching ahead perhaps ten instructions, and executing as many as possible simulataneously. Ten to twenty instructions may be in the pipelines. The retirement unit is running ten to twenty cycles behind the execution units, committing results back into cached memory and registers once all possibility of trouble has passed.
• Trouble usually comes in the form of mispredicted branches, which are handled reasonably efficiently using cached bits that record which way the branch went the last few times. Less common is an exception, like a floating point overflow, which looks like a forced branch. Least common is a modified instruction.
• The superscalar x86 machines (Pentium Pro/2/3/4 and later) check for modified instructions. Storing into an instruction immediately ahead will be handled properly. People on the Pentium Pro team sweat blood over making this work right. And it does work. But not rapidly. The retirement unit views the instruction as an "operand" for collision detection purposes, so a change to that "operand" invalidates all the results that depend on it.
• The CPU then has to deal with the mess. Retirement stops. Instruction fetching stops. The pipelines are flushed. The functional units are idled. Instruction fetching is backed up to the modified instruction and restarted. The CPU pipelines refill with the new program. After a few tens of cycles have been lost, instruction execution is moving forward again.
• In AMD land, it's even worse. AMD's approach to superscalar CPU design involves expanding instructions into a RISC-like fixed length form at cache load time. Storing into an instruction not only requires flushing the CPU, but the whole block of instructions has to be reparsed.

So, in general, self-modifying code is not going to help performance. Generating blocks of code and then making them executable is fine, but changing code you're about to execute went out with "ALTER paragraph-name TO PROCEED THROUGH paragraph-name" in COBOL.

Re:NX and Self Modifying code

[Alan+Cox]

Under Linux at least you can ask for executable mapped pages. This is what the fixed X loader does for x86 now. Most non x86 processors have execute bits on page table entries and POSIX/SuSv2 therefore have a MAP_EXEC bit in mmap so you can say "I want to run this"

Re:NX and Self Modifying code

[fatphil]

"PowerPCs, by comparison, don't support it at all; they have separate instruction and data caches."

WHat kind of a comparison is that? Some x86 implementations have separate instruction and data caches. P4s even have caches of uops (pre-decoded instructions) instead of the actual instructions - i.e. the data cacha and instruction cache store completely different things. Others have instruction caches and data caches with different associativities, which means that the two behave differently. You've entirely failed to make a contrast between PPC and x86 here.

"If you modify code in a PowerPC, you have to flush the instruction cache or it won't work."

That's wrong because you've arbitrarily assumed that the code that you're modifying is already in the instruction cache. Congratulations, you've got several k of temporarily modification-resistant RAM, what about the other 500MB?

FP.

Re:NX and Self Modifying code

[spitzak]

More confusion with DRM.

Yes Windows supports this with a call to indicate that NX should be turned off on allocated pages. They added this because they wanted Windows to work on non-Intel processors at one time. Linux has a similar ability or it would be impossible to make exec work on such processors. The problem is that apparently programs don't bother calling this when they want memory for code because it is not necessary on Intel.

For compatabilty with such programs it will probably be necessary to have a mode where NX is off on all allocations, rather than on. This will not need any root permissions if it is per-process, if a malicious program can make this call it can already do lots of other nasty things.

Re:NX and Self Modifying code

[Branka96]

Here is a quote from the PowerPC 601 Microprocessor manual (Chapter 4, Cache and Memory Unit Operation): "The PowerPC 601 microprocessor contains a 32-Kbyte, eight-way set associative, unified (instruction and data) cache." And yes, the 601 has an instruction for flushing the unified cache (dcbi).

Re:NX and Self Modifying code

[Animats]

That's from the overview document. Check the detailed specs in PowerPC Architecture Book - Book II: PowerPC Virtual Environment Architecture. From section 1.5:

• A cache model in which there is one cache for instructions and another cache for data is called a "Harvard-style" cache. This is the model assumed by the PowerPC Architecture, e.g., in the descriptions of the Cache Management instructions in Section 3.2, "Cache Management Instructions" on page 16. Alternative cache models may be implemented (e.g., a "combined cache" model, in which a single cache is used for both instructions and data, or a model in which there are several levels of caches), but they support the programming model implied by a Harvard-style cache. The processor is not required to maintain copies of storage locations in the instruction cache consistent with modifications to those storage locations (e.g., modifications caused by Store instructions).

That's the point here. The PowerPC does not guarantee that self-modifying code will work. There's a long discussion of how to do self-modifying code in section 1.8.1 of the architecture manual. This is mainly for debugger support.

Given this instruction/data separation, it's not surprising that the PowerPC architecture defines a no-execute bit (it's bit 61 of each page table entry). Unfortunately, not all PowerPC models implement it.

This is very important

[TheMadPenguin]

Considering the current Linux architecture, I really don't see a problem with what's proposed... especially if the chances of breaking things are almost nill. Doesn't seem a far stretch due to the way things currently run in Linux anyway. Developers can work around any problems that may arise anyway. This will help to ensure that Linux remains one of the most promising operating systems available, and even moreso than it is already.

I saw mention in the linked article that Microsoft plans NX support in their SP2 release for Windows XP, but seriously... I don't see this as either happening in the first place, or having the potential to really screw things up. Won't this break a huge amount of applications? Think about it, the Windows platform is notorious for allowing programs to execute whatever code they like... even going so far as to say that some rely on that ability. Any thoughts on this?? I just don't see it happening with the current architecture, that's all.

Re:This is very important

[Maul]

Those running around with the Release Candidates for XP2 on 64 bit processors are reporting that the "NX" feature is causing problems with many applications.

Re:This is very important

[TheMadPenguin]

heheh doesn't it figure. :) With Microsoft being all about security these days, they can't even apply technology such as this without breaking their system. Its all about design!

PaX

[XNormal]

The PaX patch effectively implements this feature on older x86 processors that don't have hardware NX support. It takes advantage of the fact that data and code have separate page table caches.

It comes with a pretty high performance overhead, though. A page fault will occur for any miss of the TLB cache while normally they are just loaded from the page table in main memory.

Re:PaX

it doesn't have a big impact anymore, check out the 2.6.6 patches, PAGEEXEC has something like 2-3% of impact on a kernel compilation (vs. 30-40% before). also the segmentation based approach is pretty much 0% overhead on most workloads.

What about C++ vtables?

[SalsaDot]

How does this affect C++ compilers that generate vtables of class function pointers? Does that mean we'll all need new compilers (or updated run time libraries), not just an API call that we'd only use if our code actually needs to execute from mallocated memory?

Re:What about C++ vtables?

Pointers != code

Re:What about C++ vtables?

[SalsaDot]

Yep true. I know one compiler that used "thunks" (small sections of runtime generated code) to make multiple inheritance as efficient as single inheritance code (the Zortech C++ compiler). Probably what I was thinking of.

Can someone explain...

[RAMMS+EIN]

Why do we need a per-page NX bit if the write and execute permissions are already set for the segment?

Even on the 286 (running in protected mode), code segments are executable, but cannot be writeable, and non-code segments can be writeable, but not executable. I think that's basically what you want - non-executable data, and non-modifiable code (of course, the code needs to be written to memory once, but you can make it non-writeable before starting execution).

So how come we also need an NX bit on pages (knowing that pages can only be accessed if there is a segment that references them)? Do our operating simply ignore the security that the segment permissions provide, and if yes, why? Why is per-page control so much better than per-segment control?

Re:Can someone explain...

Why do we need a per-page NX bit if the write and execute permissions are already set for the segment?

Because modern operating systems don't use segmentation. So we need an execute bit in the page tables. The bit we already have is in the segment descriptors.

Re:Can someone explain...

[Ernest]

Because most OS use flat memory model where the whole address space is one segment. This would then include both execute code and data.

Re:Can someone explain...

[RAMMS+EIN]

``Because most OS use flat memory model where the whole address space is one segment. This would then include both execute code and data.''

Well, yes, that's what they would use if the x86 let them. As it is, a segment is either code (and thus executable, but not writeable), or data (not executable). This means that they must use different descriptors, and hence different selectors for each. From there, it seems a small step to have the segments not overlap, thereby disabling applications from writing to their code segment. Not doing this seems like ignoring a perfectly good security mechanism.

Re:Can someone explain...

[spitzak]

Yes but all pages already have a "writable" bit. Why couldn't Intel make the processer reuse this bit as the "no execute" bit? That is what the original poster was asking.

Re:Can someone explain...

My God, you're right! I can't believe Alan, Linus, Rusty and co ignored this for so long! They must be incompetent or evil for "ignoring a perfectly good security mechanism.". Lucky someone on slashdot saw through their ruse!

Stop the MS-Bashing

[Alexis+de+Torquemada]

Windows has supported that for years. Why just yesterday it stoped executing for no particular reason.

I'm writing this on Windows XP, and it never justs stops ex

Stop 0x0000001e (c000009a 80123f36 02000000 00000246)
Unhandled Kernel exception c000009a from 8123f26
Address has base at 80100000 ntoskrnl.exe

This is just a marketing gimmick

Grsecurity/PAX users have had this on ALL the platforms for couple years already.

Grsecurity/pax has had a few hundred more security enhanchement improvements over the stuff the articles now here are talking about. So what's the fuzz? Hah.

Btw, the development of Grsecurity (which is the best [most secure, most effective, easiest] way to make Linux platform secure) stopped already and the project will officially die tomorrow due the lack of sponsors.

Re:PaX grsec

Grsecurity is ending... we need to find a new maintainer for it:

5/31/04 Important Announcement Regarding the grsecurity Project Beginning today, May 31, 2004, development of grsecurity will cease. On June 7, the website, forums, mailing list, and CVS will be shut down. Due to a sponsor unexpectedly dropping sponsorship of grsecurity while continually promising payment, I began the summer in debt and had to borrow money from family to pay for food. If none of the companies that depend on grsecurity, some of them being very large, are able to sponsor the project, grsecurity will cease to exist. Though grsecurity is licensed under the GPL, I am the sole developer and originator of ideas for the project. Though it would be possible for others to handle maintenance of the project, the quality won't be held to the same standards and will not progress with the same goals I have set for the project. I am not looking for help with hosting, as the hosting for grsecurity has been provided for free for over a year and a half and will continue to be provided unless the project has to end. I am also not looking for paypal donations at this point, unless those that donate do so with the recognition that despite their donation, grsecurity may still never be returning. If your company wishes to sponsor grsecurity, please contact me at spender@grsecurity.net. To continue to the website (until June 7th), click here.

I've been modded down!

[The+MESMERIC]

You people are so mean!
That is it from now I - I ain't playing no more :(

Got to lurve my new sig tho!

No, NX will prevent Java from running

by design.

Say goodbye to insecure and slow programs - and say hello to fast and secure languages!

Re:No, NX will prevent Java from running

So, what fast and secure language would that be? C and C++ still won't be secure.

You are confused about what this does

[spitzak]

This is not DRM and does nothing to stop downloaded code from running.

The NX bit is used to mark parts of memory of a running program. Certainly it will mark anything allocated from the heap, such as the memory used to store a piece of data downloaded from the net, and then written to the disk. However it does not have any magic "sticky" property that stays with the data. If the downloading program thinks that data is a program that should be run, rest assurred that it will have the capability of saving it on disk, turning on the execute file bit (on Linux), and exec'ing it, with no changes to the code from today.

Even today without the NX bit, I really doubt any program actually and deliberatly downloads blocks of data from the net and then jumps to it. What NX does is prevent that from happening due to a malicious program that somehow gets some data into memory including a jmp instruction to that data. This is possible today by overwriting the stack so the return address and malicious code is there.

The VAX had NX, this is not new technology. I'm assumming NX was not added for so long was that there was that there was no room to add a bit to do it to the page description. Though I don't understand why Intel didn't just make a mode where write-permission==NX so you cannot execute any page you can write to.

How about the DRM bit?

[nurb432]

When is that to be integrated into the CPU, and supported by all OS's?

Just so know when to stop buying hardware and horde older equipment that isnt crippled.....

Re:Just don't add "Halt and Catch Fire" Instructio

IIRC, certain DSP processor really had an assembly instruction called HAB - Halt And Burn. Or something similar.

What it did was it somehow shorted the address pins of the DSP so that the IO pin output buffers heated from all the current flowing through them, and eventually they melted.. Making the DSP effectively not working.

Propably useful in military applications.

The NX bit is good, but a better design exists:

[master_p]

The IA32 CPU architecture defines 4 protection rings, with ring 0 being the most privileged and ring 3 being the less privileged. This type of protection is not used in modern operating systems, though, because this protection involves segmentation. What is used is the page descriptor's R/W bits and the user/supervisor bit.

Instead of having R/W or user/supervisor bits, the page descriptor could have separate ring information for each type of access( write/read/execute), as well the ring level of the page. 8 bits would be needed for such a protection mechanism (2 bits per access type).

For example, the IA32 page descriptor could have the following format:

Proposed page descriptor format:

bit 0: page present/swapped
bit 1: page written
bit 2: page read
bits 4-5: current ring
bits 6-7: max ring allowed to read
bits 8-9: max ring allowed to write
bits 10-11: max ring allowed to execute
bits 12-31: page frame

The CPU would produce a protection fault if

current ring > access type ring.

The above elegant solution solves some foundamental problems of the operating systems:

a) prevent execution of code "hidden" in data (this is what the NX bit does)

b) easy transition from ring 3 to ring 0 (or from any higher to lower ring) and vice versa without any special instructions, without interrupts, without reading from GDT or LDT tables: code in a page with current ring = 3 could execute code with execute ring = 3, but the executed code would be kernel code, since it would have current ring = 0.

c) separation between kernel, drivers, libraries and applications: the kernel would be at ring 0, drivers at ring 1, libraries at ring 2, and applications at ring 3. No badly written piece of code (driver, library, application) could ruin the kernel.

To further enchance security, the first instruction after a jump/call should be a special instruction which does not do anything, other than allow code to be executed. This solution would make impossible for wild pointers to execute code.

The above security scheme is very flexible and does not compromise flat 32-bit addressing.

(I hope some hardware engineer from Intel/AMD reads this. I would be happy to explain it further).

You are teh funny!

I bet you are the life of the party!

All you needed was to use M$ and I would have pissed my pants! I am laughing uncontrollably, honest!

Whats your pickup line?
"hey there, why do all credit card numbers have 5 in them?"

lollol roflroflrofllollol omg omglolroflrofllolomgomgomg lol roflrofl

It's got to be said...

[Larsing]

I, for one, welcome our new NX overlords...

Re:Just don't add "Halt and Catch Fire" Instructio

I bet that was a bugger if you had a memory corruption bug in your code.