Red Hat Introduces NX Software Support For Linux

abertoll writes "In this story at ZDnet, Red Hat has apparently added NX support to Linux. NX security technology is a hardware attempt at stopping malicious code." (We recently posted about Transmeta's announcement that its chips will incorporate the NX bit as well.)

Difference between NX and protected mode bits?

[PiGuy]

What I fail to understand is the difference between this 'no execute' bit and the 'executable' bit in standard 386 protected mode. Does the 'executable' bit not cause an exception if the PC proceeds to pages without it set? Even then, protected mode also has a 'read-only' bit - isn't this set for code pages? And if not, why not?

Re:Difference between NX and protected mode bits?

[AKAImBatman]

People, do yourselves a favor and read the Intel specs. Please? There is in fact, a bit for defining code segments. These code segments can be marked as read only or execute only. The problem (as I managed to wrangle out of people the LAST time this thing was posted) is that a data block can also be executed without exception. The NX flag merely prevents data blocks from ever executing code.

Re:Difference between NX and protected mode bits?

[awkScooby]

People, do yourselves a favor and read the Intel specs. Please? There is in fact, a bit for defining code segments.

Linux, Windows, BSD, etc. don't use segments, but instead use paging. Intel has dragged their feet on adding NX support because the feature "already exists", but the reality is that hardly anyone uses segments.

Ok, technically everyone uses segments -- they just create a single segment which covers all of the memory space. The GDT (Global Descriptor Table) must be configured when you switch to protected mode. Paging is optional.

The NX flag prevents a page (typically 4k) from executing. By marking all stack pages as NX, buffer overflow attacks won't be able to remotely execute arbitrary code. I assume that an exception will be generated when an attempt is made to execute from an NX page, which will probably cause the running program to halt. So, remote explots turn into DOS attacks.

Buffer overflow attacks have been known about for decades, and solutions such as NX have been known for quite some time too. As has been mentioned elsewhere on /., this does not remove the responsibility of developers to write good, secure code. But, as history has shown, they will probably continue with the long standing practice of writing insecure code.

NX will prevent buffer overflow attacks. NX will not be able to determine whether a program you choose to execute is good or evil. Viruses existed and managed to propogate back in the days before the Internet or even networking were in common use. NX won't solve all security problems, but it is a good tool to help reduce the possibility of remote exploits.

The NX flag isn't new, it's just new to the x86 world. Kudos to AMD for being the first to add this to the x86!

Re:Difference between NX and protected mode bits?

[fatphil]

As a long time happy linux user, but also a kernel author (not x86 though, C80), I can't share your positive attitude towards linux on this issue.

Linus sloppily decided to avoid _almost all_ of the protection mechanisms that the 386 makes available to the system. That's why you can smash the stack for fun and profit. He chose to let CS access the same pages as DS (and SS,ES,FS,GS), whe he could have allocated some linear addresses as code-only, and others as data-only. After that you simply need to ensure that no CS ever was given access outside the executable range, and no other segment was given access in the executabe range.
And you can ensure this - as you, the kernel, are entirely in charge of setting up user-space descriptors.

To do so would have added a bit more complexity to the memory management (with lower case letters) part of the kernel, but would have prevented all smash stacking and heap smashing attacks.

Linux is not _technically_ as good OS at all. It's simply _practically_ (for people like me) a good OS.

Tannenbaum is still right. (And when Tannenbaum says "run 20% slower" he means "take up 0.6% of the CPU rather than 0.5% of it, thus giving apps 99.4% of the cpu rather than 99.5%. But that's another rant.)

FP.

NX Virus....yay

[celeritas_2]

I personally can't wiat until some great evil makes a virus harnising NX to say.....block the execution of MSIE .....widespread luser panic is always fun

The NX Bit...

[zoloto]

And I always wanted processor support for the Evil Bit. Dang.

no execute support new? Nonsense !

[Timber_Z]

Windows has supported that for years.

Why just yesterday it stoped executing for no particular reason.

Re:no execute support new? Nonsense !

[sirsnork]

For the record. Only AMD64 based CPU's currently have support for this on x86. Intel and Transmeta's next generation chips will also support it. No previous CPU's will.

Per-segment vs. per-page

[tepples]

Standard 386 protected mode controls per segment, where CS (code segment) is executable and DS (data segment) is writable. However, many 32-bit operating systems use a so-called "tiny" memory model, setting CS = DS, and the 386 allows for turning off read and write privileges per page but not execute privileges (if you can read a page in an executable segment, you can execute from it).

However, true W^X (shorthand for "no segment is both writable and executable") support won't work for applications that depend on self-modifying code, such as JIT-compiling virtual machines for Java and .NET platforms.

Re:Per-segment vs. per-page

[forkazoo]

However, true W^X (shorthand for "no segment is both writable and executable") support won't work for applications that depend on self-modifying code, such as JIT-compiling virtual machines for Java and .NET platforms.

data char* temp = new data char[len];
executable char* code = new executable char[len];
int function() = code;

compile(javasrc, temp);
copy(temp, code);
function();

From what I've heard, allocations will default to non-executable, but there will be some sort of API that allows executable space to be allocated on every OS that deals with NX bits. You will probably also see WinXP and the like with the ability to "Run this program in compatibility mode..." until the developer updates to deal with the tweaks made in the updates.

Re:Per-segment vs. per-page

[tepples]

compile(javasrc, temp);
copy(temp, code);
function();

And watch as NX::copy() has a huge overhead from going into kernel space and back.

Re:diff?

[sploo22]

Did you even look at it?

$ wc -l nx-2.6.7-rc2-bk2-AE
518 nx-2.6.7-rc2-bk2-AE

It's smaller than most, but still not exactly trivial.

There you go

... all those fellow /.'ers who cried out loud "we don't want no DRM" when they first read the titles of the stories about NX support in upcoming procs, without even bothering to understand WTH NX is for, and kept and kept writing idiotic comments about how evil Windows must be because it now supports NX (which they seriously thought was some form of ah-so-evil DRM feature)

See, NX is a good thing, now even Linux has support for it :) I am happy that you will now have an opportunity to open your minds to this fine new technology.

Cheers.

Just don't add "Halt and Catch Fire" Instruction

[xmas2003]

I just hope that with all the overclockers out there, they don't add support for the Halt and Catch Fire Instruction ;-)

Seriousely, the NX stuff is a "good" thing to add to slow down malicious code - the only thing better would be a HULK Instruction which would SMASH Puny Human malicious code ... ;-)

A cross between...

[3)+profit!!!]

This "NX" stuff to separate data and instructions is sort of like crossing current CPUs' Von Neumann architecture with a Harvard architecture type of chip, where the storage is actually separate from the executable code.

Fine No Execute

[oldstrat]

This is all well and good, but is certainlly not a panacia.
No execute means that somewhere, somehow there will be an override and the day the override is used the virus' will follow by tricking (and explaining how) to the user why this is needed and bingo, it's in.

And of course I could be completely wrong in that this no execute bit does not exist on older processors and that in itself is going to cause problems. Intel has xbit on newer processors, but what about AMD, VIA, whoever else? Is this part of the Intel half of the WinTel duopoly?

I think it's probably a good idea, but I'm suspicious.

Re:Fine No Execute

[explorer]

Right, all AMD K8-class processors have the NX-bit already. And despite the Intel-centric spin on the ZDNet article, the fact is that Intel has only announced that support for it is coming in future Intel parts. Unlike AMD, it doesn't appear you can buy any CPUs from Intel that support the NX bit today.

In other words, Intel is playing catch-up.

And note the comment in Ingo's linux-kernel posting that refers to the "existing NX support in the 64-bit x86_64 kernels ... written by Andi Kleen". I.e. NX-bit support was already available to AMD64 owners running 64-bit linux kernels.

Re:Fine No Execute

[0racle]

NX is not a new thing, and neither Intel or AMD did it first. SPARC's, UltraSPARC's and Alpha's have had this for some time, and it wouldn't surprise me if its in the Power chips as well.

As far as it not being on older processors, I assume you mean older ia32's, and surprisingly this was brought up in a MS TechNet event I was at on Thursday. I don't know all the details, but he presenter said it was in older chips, at least back to the original Pentium if I remember, but with the way ia32 chips do paging, it was never implemented in the OS's until recently, which i can only assume the Athalon64, Opeteron and Itanium do this differently, but don't quote me on that.

Personally, I'm just wondering exactly what ia32 chips will Linux and OpenBSD use NX on.

Re:Fine No Execute

[kasperd]

somehow there will be an override and the day the override is used the virus

First of all you shouldn't expect the NX bit to do any good against a virus. A worm OTOH might be stoped by the NX bit. OK I'll assume you mean the worm would use a way to override it. If it could be disabled per executable like execshield on Linux, you could only exploit vulnurable programs with the security feature disabled. So if the vulnurable service is running with the security feature enabled, you cannot disable it, unless you already control the machine. So it doesn't help a worm gaining control.

What are the chances the vulnurable service would run with this security feature disabled? Not large, because you would only disable it, if the service didn't work otherwise. And the number of programs breaking in case of Linux is not large. Fedora Core 1 has exec shield which does a best effort at implementing this without specific hardware support. Arjan van de Ven explains that hardly any program broke. Ingo Molnar explains in a bit more detail, that the X module loader was the only program breaking. (Some other programs broke for other reasons). So when it is only one program breaking, you fix it, rather than starging to disable this security feature.

However as Linus has explained, there are ways to exploit a vulnurable service in spite of NX. This specific attack relies on using /bin/sh, which means it wouldn't work against Windows. But anybody who knows as much about Windows as Linus knows about Linux would surely be able to come up with a similar attack against a Windows service. For example there is probably a function you can call to change the protection bits on a memory range. So you first fill code in the buffer, which cannot be executed at the moment, the return address you overwrite with a pointer to this function call, and you provide it parameters specifying to make the buffer executable. The return address from the function call then just needs to point to the buffer.

Re:Fine No Execute

[IamTheRealMike]

Personally, I'm just wondering exactly what ia32 chips will Linux and OpenBSD use NX on.

New ones. People will buy them because they want "Enhanced Virus Protection".

In the case of older chips: well, that is what exec-shield is for.

Comment removed

[account_deleted]

Comment removed based on user account deletion

calling it a "technology"...

[dekeji]

Calling it a "technology" I suppose detracts from the fact that the lack of an executable bit in x86 page tables is a deficiency. You see, this "feature" has been around since, oh, the middle of the last century, and many processors other than x86 have supported it without even considering it worth mentioning.

AMD once again taking the lead.

[l0ungeb0y]

"AMD's Athlon 64 and Opteron processors have had NX since their debut, though the extra bit won't do anything on a Windows XP system until you obtain and install Service Pack 2. Intel is expected to add NX (or XD) to the next generation of its 90-nanometer-process Pentium 4 "Prescott" CPUs -- bundling the security enhancement with a larger 2MB Level 2 cache and perhaps a faster 1066MHz front-side bus -- in the fourth quarter of this year."

This year has truly been AMD's year to guide the microprocessor market. Remember not so far back when everything AMD did was a response to Intel? This year it's been Intel responding to AMD. I hope this trend continues as it shows that the so-called WIntel stranglehold is starting to crack and that it is possible for the competition to assume a leading role in the market. Now hopefully, IBM has something in the works for it's PPC/Power lines, as they've been working closely with AMD and this processor feature is something that every networked system could use.

Kernel 2.6.6 included a x86_64 NX patch

This new patch is to support NX in 32-bit processors or 64-bit processors running in 32-bit mode.

The 2.6.6 kernel already included an NX patch for x86_64. Details are in the "Non-Exec stack patches" LKML thread here.

Here you go...

[SoSueMe]

Some legitimate programs, such as Java compilers that perform just-in-time code generation, execute instructions within data areas -- and will have to be rewritten for Service Pack 2. But the most common exploiters of x86 architecture's porous program and data boundaries are applications (called, as a matter of fact, exploits) that perform buffer overrun attacks -- one-two punches that first flood a program's input area with more data than it's designed to handle, then deliver a poisonous executable payload. ..........

Software developers will be able to selectively disable execution protection for 32-bit applications, using a DisableNX fix in SP2's compatibility toolkit, and end users will be able to switch the feature on and off for the entire system or for individual applications (like those Java compilers) via a new Control Panel dialog box, similar to those for SP2's beefed-up firewall .

Re:Here you go...

[m_pll]

Some legitimate programs, such as Java compilers that perform just-in-time code generation, execute instructions within data areas -- and will have to be rewritten for Service Pack 2.

Of course, if those programs were written correctly in the first place they wouldn't need to be fixed to work on NX platforms.

Win32 has always had PAGE_EXECUTE flag, and if you wanted to execute dynamically generated code you were supposed to include this flag when allocating memory (or use VirtualProtect afterwards).

Most people didn't bother with PAGE_EXECUTE because it wasn't enforced on x86. But technically it's always been required.

NX, Impressive! The processor has learned well!

[doublebackslash]

Now it is time for you, young grsshopper, to learn as well.
translation:
Malicious code executing itself via a buffer overflow is actually one of the lesser evils in the virus world. Most users will gladly allow anything to run on their box, especially if it does something cool (time, weather, cutesy things, etc), and with everyone being root on Windows boxes, this means the program can do whatever the hell it wants and windows won't say anything/much.
The NX bit is great, especially for servers where generally the only kind of attack is a buffer overflow. Like I said the procesor has learned well, but the users must learn also.

definitely helpful but no silver bullet

[The_Bagman]

This is basically an "execute / no-execute" bit in the page-table entries. It means the OS can mark portions of an application's virtual address space as non-executable - such as pages in the heap or the stack. It'll help against buffer-overflow attacks that put new assembly code in the stack and return into it. It won't help against buffer-overflow attacks that return into existing code (e.g., to do a system call). It won't help against worms that take advantage of meta-character expansion vulnerabilities. It won't help against scripting flaws (such as javascript, active-x, or visual-basic/outlook vulnerabilities). It won't help against weaknesses in the OS itself.

Think of this as raising the bar. Of course, the "clever" attackers will still find flaws, and still write code for the script kiddies to use to exploit them.

Exciting news...

[rice_burners_suck]

I'm glad support for this is finding its way into Linux. I think OpenBSD has had this for a while now, as part of ProPolice... I'm not sure about that though.

From what I've read, it certainly makes sense to break a few apps for this functionality, as you can always run them in a build without it. Things should be a lot safer, as crap like buffer overruns from carefully formatted input strings can no longer contain executable code.

I think this should be available for individual programs to set the NX bit on memory pages that should only contain data, so, for example, when you download a file, it is impossible to execute it (say, while in memory) until you save it and explicitely set the execute bit. In other words, there is a completely non-executable path for all untrusted code from its inception until the user explicitly makes it run. Now, when some Joe Luser clicks an email attachment virus made for Linux, if this ever happens, it will be very difficult for him to make it run, and hence, it won't. Add to that the protections inherent in all Linux systems (multiuser permissions, heterogeneous configurations, etc.), and it's very unlikely that Linux users will experience the kind of crap that Windows users have to put up with on a daily basis, even if Linux somehow gains a huge market share on the desktop.

These are exciting times.

Re:NX and Self Modifying code

[Animats]

Modern x86 CPUs go to incredible lengths to support self-modifying code. PowerPCs, by comparison, don't support it at all; they have separate instruction and data caches. If you modify code in a PowerPC, you have to flush the instruction cache or it won't work. There are system calls for this under the MacOS. And nobody notices. In fact, the PPC 601 didn't even have the instruction cache flush instruction. For some years, Linux for PPCs had to flush the cache by preventing interrupts and loading a big block of junk data to invalidate the entire data cache. About the only time this is done is during fork/exec sequences.

There's some history of self-modifying code from the 16-bit DOS world, but it's probably time to kill that off.

It's been a long time since self-modifying code improved performance. Today, self-modifying code on an x86 machine works something like this.

• The processor is going along, fetching ahead perhaps ten instructions, and executing as many as possible simulataneously. Ten to twenty instructions may be in the pipelines. The retirement unit is running ten to twenty cycles behind the execution units, committing results back into cached memory and registers once all possibility of trouble has passed.
• Trouble usually comes in the form of mispredicted branches, which are handled reasonably efficiently using cached bits that record which way the branch went the last few times. Less common is an exception, like a floating point overflow, which looks like a forced branch. Least common is a modified instruction.
• The superscalar x86 machines (Pentium Pro/2/3/4 and later) check for modified instructions. Storing into an instruction immediately ahead will be handled properly. People on the Pentium Pro team sweat blood over making this work right. And it does work. But not rapidly. The retirement unit views the instruction as an "operand" for collision detection purposes, so a change to that "operand" invalidates all the results that depend on it.
• The CPU then has to deal with the mess. Retirement stops. Instruction fetching stops. The pipelines are flushed. The functional units are idled. Instruction fetching is backed up to the modified instruction and restarted. The CPU pipelines refill with the new program. After a few tens of cycles have been lost, instruction execution is moving forward again.
• In AMD land, it's even worse. AMD's approach to superscalar CPU design involves expanding instructions into a RISC-like fixed length form at cache load time. Storing into an instruction not only requires flushing the CPU, but the whole block of instructions has to be reparsed.

So, in general, self-modifying code is not going to help performance. Generating blocks of code and then making them executable is fine, but changing code you're about to execute went out with "ALTER paragraph-name TO PROCEED THROUGH paragraph-name" in COBOL.

Re:NX and Self Modifying code

[Alan+Cox]

Under Linux at least you can ask for executable mapped pages. This is what the fixed X loader does for x86 now. Most non x86 processors have execute bits on page table entries and POSIX/SuSv2 therefore have a MAP_EXEC bit in mmap so you can say "I want to run this"