Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenBSD's Kernel Gets W^X Treatment On Amd64

Posted by Soulskill on from the write-stuff dept.

New submitter brynet tips this news from Theo de Raadt: Over the last two months Mike Larkin (mlarkin@) modified the amd64 kernel to follow the W^X principles. It started as a humble exercise to fix the .rodata segment, and kind of went crazy. As a result, no part of the kernel address space is writeable and executable simultaneously. At least that is the idea, modulo mistakes. Final attention to detail (which some of you experienced in buggy drafts in snapshots) was to make the MP and ACPI trampolines follow W^X, furthermore they are unmapped when not required. Final picture is many architectures were improved, but amd64 and sparc64 look the best due to MMU features available to service the W^X model. The entire safety model is also improved by a limited form of kernel ASLR (the code segment does not move around yet, but data and page table ASLR is fairly good."

84 comments

  1. most of you will pretend you understand by Anonymous Coward · · Score: 1

    My guess is 80% of you will get about 20% of what this email is saying, but you'll post on here like you know it all.
    Search your feelings, you know it to be true. /reflections of myself about 15 years ago. //Modulo mistakes... cute

    1. Re:most of you will pretend you understand by drinkypoo · · Score: 4, Funny

      Actually, I was just thinking that this was a relatively penetrable summary. It tells me so much, I don't even need to R TFA.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:most of you will pretend you understand by mwvdlee · · Score: 5, Insightful

      The summary could use a bit of translation, instead of merely copying content off a maillist post intended for a very specific group of kernel specialists using slang terminology.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    3. Re:most of you will pretend you understand by Anonymous Coward · · Score: 3, Informative

      Once you grok that W^X means Write XOR Execute (which you can gather from the rest of the summary), it gets easier.

    4. Re:most of you will pretend you understand by Anonymous Coward · · Score: 3, Informative

      Once you grok that W^X means Write XOR Execute (which you can gather from the rest of the summary), it gets easier.

      I thought that meant they added all wheel drive and turbos.

    5. Re:most of you will pretend you understand by fisted · · Score: 1, Offtopic

      MI and MD (in all likelihood, haven't verified) mean Machine-Independent/Machine-Dependent in BSDspeak

      --
      CLI paste? paste.pr0.tips!
    6. Re:most of you will pretend you understand by Anonymous Coward · · Score: 1

      The fact that the OP did NOT define 'W^X' was what hooked me in the first place!

      Yeah, Journalism 101 conventions were not followed but anyone with an IQ above room temp could derive the meaning in a cursory read.

    7. Re:most of you will pretend you understand by Z00L00K · · Score: 4, Insightful

      If you have a need to get something translated maybe it's worth to look it up.

      Everyone is so used to get everything served on a plate these days that when the need arises they are completely lost in how to dig for information.

      I see this as a nice teaser that isn't dumbed-down.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    8. Re:most of you will pretend you understand by Anonymous Coward · · Score: 4, Funny

      My guess is 80% of you will get about 20% of what this email is saying, but you'll post on here like you know it all.
      Search your feelings, you know it to be true. /reflections of myself about 15 years ago. //Modulo mistakes... cute

      20% is still more than Theo De Raadt wanted anyone else to understand. So, I call it a win.

    9. Re:most of you will pretend you understand by mwvdlee · · Score: 1, Insightful

      How do I translate "trampoline" without reading the entire freakin' maillist history?
      This is slang and you won't find the intended meaning it in a dictionary.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    10. Re:most of you will pretend you understand by Anonymous Coward · · Score: 5, Insightful

      I don't know, it's not like there is some sort of free services out there that could help you find the explanation without parsing the whole list.

      https://en.wikipedia.org/wiki/Trampoline_%28computing%29

    11. Re:most of you will pretend you understand by red_dragon · · Score: 3, Informative

      I doubt that the mailing list will show any definition of "trampoline". That word has a specific meaning in kernel programming, such that one would already have a good understanding of the subject before poking around in kernel code.

      FWIW, "trampoline" refers to generated bits of code containing jumps to arbitrarily different pieces of code, something that ESR called "an incredibly hairy technique" in the Jargon File.

      --
      In Soviet Russia, Jesus asks: "What Would You Do?"
    12. Re:most of you will pretend you understand by Lunix+Nutcase · · Score: 0

      Especially when W^X had a link to a definition.

    13. Re:most of you will pretend you understand by Anonymous Coward · · Score: 0, Informative

      The fact that the OP did NOT define 'W^X' was what hooked me in the first place!

      They did, but it wasn't super obvious that that's what they were doing:

      no part of the kernel address space is writeable and executable simultaneously

      W -> Writeable
      ^ -> Exclusive OR
      X -> Executable

    14. Re:most of you will pretend you understand by Lunix+Nutcase · · Score: 0

      What was not obvious? It's clear there is an anchor tag for W^X which when hovered over shows a wiki article. Seems pretty obvious that was a link to explain what W^X meant for those who didn't already know.

    15. Re:most of you will pretend you understand by mrchaotica · · Score: 3, Interesting

      Next, some noob is going to ask what "ESR," "hairy" and "jargon file" are. And then somebody else won't know what "noob" means. It's the Eternal September all over again (said the guy with the six-digit ID to the guy with the four-digit one)...

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    16. Re: most of you will pretend you understand by Anonymous Coward · · Score: 1

      And that's why you've seen a dearth of new contributors in the past decade, systemd exodus notwithstanding.

    17. Re:most of you will pretend you understand by K.+S.+Kyosuke · · Score: 0

      That word has a specific meaning in kernel programming, such that one would already have a good understanding of the subject before poking around in kernel code.

      One that is very different from the understanding of what a trampoline is for programmers in certain languages... Which kind of confused me.

      --
      Ezekiel 23:20
    18. Re:most of you will pretend you understand by RabidReindeer · · Score: 1

      We live in a complex and rapidly-changing world. It's never a bad idea to push a little knowledge up front. Unless you're actively working with something complex, even if you do know something about it, that knowledge may be outdated and erroneous.

      I wasn't aware of W^X as a discipline. I don't have the need or the time to study it in detail. But the succinct description of what it is and what it's good for informs me that there's something out there that I might want to take advantage of someday and if I should happen to RTFA, at least I'll have a clue what it's all about.

    19. Re:most of you will pretend you understand by UnderCoverPenguin · · Score: 1

      But, really, it should be: !w || !x so that read-only, no-execute access is also valid.

      Truth Table for this expression:


        X | F | T
      _W__|___|___
      _F__|_T_|_T_
      _T__|_T_|_F_

      --
      Don't try to out wierd me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr
    20. Re:most of you will pretend you understand by LWATCDR · · Score: 1

      News for Nerds.
      That pretty much rules out any summary as being too technical.
      I actually found the summary to be one of the better ones I have seen on Slashdot.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    21. Re:most of you will pretend you understand by Darinbob · · Score: 4, Insightful

      Mmm, it made sense to me, but then I work at low levels of code. I do find it somewhat strange though that the criticism is basically that it's too nerdy. I'm quite happy to see more nerd postings and fewer Dice fluff. Stories that go over the heads of the masses is what Slashdot should be about.

      This is nothing new, there have been articles with absolutely impenetrable jargon and ideas before when discussing high level web oriented stuff or scripting, but since so many readers these days work in such areas that they don't complain. So I have to look up what jquery is, it's not a problem, so others who call themselves nerds should be content to look up with W^X means.

    22. Re:most of you will pretend you understand by Darinbob · · Score: 1

      Trampoline can mean many things. Often it's used to switch some context in between function calls, so in a sense a system call can be seen as a trampoline between the application and the kernel,

    23. Re:most of you will pretend you understand by Darinbob · · Score: 1

      Hmm, haven't kept up on Linux, but on most embedded systems I've worked with the read-only data is lumped together in the text (executable) section.

    24. Re:most of you will pretend you understand by Anonymous Coward · · Score: 0

      I'm mostly impressed you could avoid having your truth table column read W T F.

    25. Re:most of you will pretend you understand by Anonymous Coward · · Score: 0

      And you probably think the post is about you.

    26. Re:most of you will pretend you understand by Carewolf · · Score: 1

      But, really, it should be: !w || !x so that read-only, no-execute access is also valid.

      Truth Table for this expression:

        X | F | T
      _W__|___|___
      _F__|_T_|_T_
      _T__|_T_|_F_

      So NAND really and not XOR?

    27. Re: most of you will pretend you understand by Anonymous Coward · · Score: 0

      The onus for clarity is on the writer, not the reader. The one writer should spend the extra three minutes defining the jargon to save the thousands of readers the 30 seconds each the time required to search for a definition.

    28. Re:most of you will pretend you understand by Anonymous Coward · · Score: 0

      It's the Eternal September all over again

      The what?

    29. Re:most of you will pretend you understand by demonlapin · · Score: 1

      It's the Game of Thrones version of the Garden of Eden. Neckbeards like George R. R. Martin hate it because not enough people die horribly.

    30. Re:most of you will pretend you understand by fuzzywig · · Score: 1
      For me the link was right at the start of a new line and not very noticeable, I didn't see it until after I'd read the article (and googled W^X myself).

      I'm not sure what the post would have lost if they'd included a short explanation ("W^X (memory can be Writeable OR Executable)").

    31. Re:most of you will pretend you understand by fisted · · Score: 1

      I'm at a loss to explain why this has been modded Offtopic. This is a story about a BSD and the term MI/MD appear in TFTheo's email, geez.

      --
      CLI paste? paste.pr0.tips!
  2. Status on other UNIX like kernels by Anonymous Coward · · Score: 1

    Does anyone know what the status is on other UNIX like kernels with respect to this W^X security feature? Is OpenBSD pioneering new ground here?

    1. Re:Status on other UNIX like kernels by Anonymous Coward · · Score: 5, Informative

      According to Wikipedia, which is always right:

      Similar features are available for other operating systems, including the PaX and Exec Shield patches for Linux, and NetBSD 4+'s implementation of PaX.

      W^X

    2. Re:Status on other UNIX like kernels by Nikademus · · Score: 4, Insightful

      Except that only userland benefitted from that till now.
      Now it's even for the kernel, that's the news here.

      --
      I gave up with the idea of an useful sig...
    3. Re:Status on other UNIX like kernels by Anonymous Coward · · Score: 1

      Others have something for userspace such as the PaX and exec shield mentioned by the AC above me. This is for kernel space.

    4. Re:Status on other UNIX like kernels by StikyPad · · Score: 2

      Still of limited value. ROP already bypasses DEP/NX protections, which are required for W^X to be effective. ROP techniques are used to great effect in iPhone jailbreaks.

      These protections may guard against a (very small subset of) casual attackers, but they're just another minor hurdle for determined attackers.

      For a primer, see also: https://en.wikipedia.org/wiki/... (And the rest of the article.)

      The biggest security advantage that BSD has is being such a small target.

      --
      https://www.eff.org/https-everywhere
    5. Re:Status on other UNIX like kernels by Anonymous Coward · · Score: 0

      Windows has supported this since Vista.

    6. Re:Status on other UNIX like kernels by iggymanz · · Score: 2

      with BSD being in everything from printers to elevator controllers (and Apple products), it's not a small target but more of a less visible one to date

    7. Re:Status on other UNIX like kernels by Anonymous Coward · · Score: 0

      Small doesn't mean unimportant. BSD is a high value target because the services it's used for. Linux is dime a dozen.

    8. Re: Status on other UNIX like kernels by ld+a,b · · Score: 1

      True. This was also my first reaction.
      If you read the whole post and speak BSD, however, you'll notice that full kernel-space ASLR is under way as well. So, once again, OpenBSD leads exploit mitigation.

      --
      10 little-endian boys went out to dine, a big-endian carp ate one, and then there were -246.
    9. Re: Status on other UNIX like kernels by StikyPad · · Score: 1

      ASLR is already implemented in Windows (since Vista for libraries, and 7 for kernel, IIRC) and OS X (since 10.5 for libraries, and 10.8 for everything), in iOS since 4.3, Android since 4.0.

      I'll leave it as a judgment call to the reader as to how effective/successful any of those have been.

      --
      https://www.eff.org/https-everywhere
  3. No rant from Theo by frambris · · Score: 4, Funny

    I expected a long rant from TdR. I was disappointed.

    1. Re:No rant from Theo by armanox · · Score: 2

      He doesn't always have a long rant. Actually, the patches I submitted to libreSSL merely got marked approved, no rant attached at all.

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
    2. Re:No rant from Theo by rnws · · Score: 3, Funny

      GNU or Gnome?

    3. Re:No rant from Theo by fahrbot-bot · · Score: 4, Funny

      I expected a long rant from TdR. I was disappointed.

      He had write permission on the email so his rant couldn't execute.

      --
      It must have been something you assimilated. . . .
  4. FreeBSD? by pr0nbot · · Score: 1

    I wasn't aware the BSDs have different kernels. Do OpenBSD kernel changes also end up in the other BSDs?

    (I guess it might not be worth it as I recently saw confirmation that *BSD is dying.)

    1. Re:FreeBSD? by Anonymous Coward · · Score: 2, Informative

      Yes, there is some cross-pollination. In general, while BSDs share a common background, they are different operating systems, not "distros".

    2. Re:FreeBSD? by Lunix+Nutcase · · Score: 2

      Sure, if someone ports it over. They do share features but not all BSD kernels have all the same features.

    3. Re: FreeBSD? by Anonymous Coward · · Score: 0

      BSD is no longer an operating system but a name that a number of similar operating systems use.

  5. Very disturbed by tag "writeorexecute" by sideslash · · Score: 4, Insightful

    C'mon, people, it's writexorexecute, as in "xor" as in "exclusive or". Write or execute is exactly what they're trying to avoid.

    Never bothered learning how to tag stuff or contribute to tags on Slashdot, so just ranting here. Thank you, that is all.

    1. Re:Very disturbed by tag "writeorexecute" by fisted · · Score: 1

      Well, you're right from a formal logic perspective. In spoken languages, though, there's often an implicit 'either' attached to the 'or', causing 'or' to essentially mean 'xor'.

      --
      CLI paste? paste.pr0.tips!
    2. Re:Very disturbed by tag "writeorexecute" by sideslash · · Score: 1

      I think what happened is that while somebody was writing the summary and tags, they accidentally executed it. Happens often around here. ;)

    3. Re:Very disturbed by tag "writeorexecute" by Anonymous Coward · · Score: 0

      That never happend when readers could contribute to the website. Of course, back then we had funnier tags...

    4. Re:Very disturbed by tag "writeorexecute" by caseih · · Score: 1

      "Do you want an apple or an orange? You can only have one or the other." In english "or" does have the connotation you describe. Human brain fuzzy logic I suppose.

    5. Re:Very disturbed by tag "writeorexecute" by sideslash · · Score: 2

      In english "or" does have the connotation you describe.

      I would say it "does sometimes" have that connotation. Addressing an invalid in bed: "Can you sit or stand?" Obviously in order to stand they will first sit up, but we don't know whether they can do both. I'm sticking with my theory that while writing the summary and tags, an editor accidentally executed it, as usual. :)

    6. Re:Very disturbed by tag "writeorexecute" by Em+Adespoton · · Score: 1

      Exclusive Or is called exclusive for a reason. In your example, you indicated exclusivity with "only". Therefore, while "or" CAN have the connotation he describes, it isn't guaranteed. We gather a lot by context. But what if we don't understand the context? That happens all the time.

      I'm very explicit about whether my ors are exclusive or not -- I have to be; I've got children. "Go to bed NOW or you don't get to go to your friend's house tomorrow" is very obviously exclusive to an adult -- but to a kid, they figure they' ve got options. Same goes for if you offer then an apple or an orange -- they'll say "yes" (or "no", depending on their age and disposition).

    7. Re:Very disturbed by tag "writeorexecute" by nsre · · Score: 1

      Also, ^ is used in formal logic to represent a conjunction (i.e., "and"). If "or" were appropriate here, the notation should be WvX (alternatively, W+X). Really I believe the article should use the plus symbol with a circle around it, which is available in unicode but not in Slashdot comments.

    8. Re:Very disturbed by tag "writeorexecute" by Anonymous Coward · · Score: 0

      That seems like a yes or no question to me. If I wanted a precise answer, I'd ask "would you rather have an apple or an orange?"

      But then I've been programming for a long, long time.

    9. Re:Very disturbed by tag "writeorexecute" by Anonymous Coward · · Score: 0

      Except that isn't right either, since you could very well do neither.

      The correct version is !(W&X)

    10. Re:Very disturbed by tag "writeorexecute" by UnderCoverPenguin · · Score: 2

      When C syntax was developed, the designers tried to limit the use of glyphs to those represented in 7-bit ANSI character code, which does not have a codepoint for "circle-plus" nor for a lot of other glyphs used in formal logic and in math.

      --
      Don't try to out wierd me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr
    11. Re:Very disturbed by tag "writeorexecute" by Anonymous Coward · · Score: 1

      Except it's not xor, read only segments are allowed. The actual thing thats permitted is write nand execute.

    12. Re:Very disturbed by tag "writeorexecute" by Anonymous Coward · · Score: 0

      Hey dumbass, this article about software. The feature is called write xor execute, not write or execute. The tag is wrong, and you are wrong.

    13. Re:Very disturbed by tag "writeorexecute" by Anonymous Coward · · Score: 0

      Hey dumbass, this article is about software. The feature is called write xor execute, not write or execute. The tag is wrong, and you are wrong.

      Hey r'tard, FTFY.

    14. Re:Very disturbed by tag "writeorexecute" by plcurechax · · Score: 1

      Well, you're right from a formal logic perspective. In spoken languages, though, there's often an implicit 'either' attached to the 'or', causing 'or' to essentially mean 'xor'.

      Yes, everyone should be expected to go read Principia Mathematica before posting to Slashdot, far better than any captcha in use today.

    15. Re:Very disturbed by tag "writeorexecute" by MMC+Monster · · Score: 1

      And that's why we have code, rather than just compiling the comments. ;-)

      --
      Help! I'm a slashdot refugee.
    16. Re:Very disturbed by tag "writeorexecute" by Anonymous Coward · · Score: 0

      Porque no los dos? :D Just kidding.

      Anyway, quit being an asshole. When Joe Sixpack hears the word "or," he thinks the same thing as you think when you hear the word "xor."
      (Hint: If someone offers you A or B, they're not offering you both.)

    17. Re:Very disturbed by tag "writeorexecute" by jrumney · · Score: 1

      Sometimes it depends on context, like a lot of written English, but a big clue is that there is no word 'xor' in the English language, and another clue is that it is common to see 'and/or' written when the author explicitly wants to include the possibility that both options may be true at the same time.

    18. Re:Very disturbed by tag "writeorexecute" by jrumney · · Score: 1

      "Go to bed NOW or you don't get to go to your friend's house tomorrow" is very obviously exclusive to an adult -- but to a kid, they figure they' ve got options.

      I'd say the opposite. The kid is thinking if I go to my bed now, I am definitely going to my friends house, and I can get straight out of bed again, because once I've fulfilled the request the outcome is decided and the threat of not going to my friend's house cannot be pulled out again for another situation. It's the adult that figures the options they are giving are not exclusive, and may very well decide the child is not going to their friend's house even though they went to bed NOW as requested.

  6. would you like pie or cake? both! by Chirs · · Score: 2

    In the english language itself, "or" doesn't necessarily imply "xor". Usually some other mechanism is used to imply exclusivity, either from situational awareness or from context in the surrounding text.

  7. Phys mem access by Anonymous Coward · · Score: 0

    This doesn't do a hell of a lot of good in the kernel since you can also scribble directly to arbitrary physical memory -- including the pages mapped "no write". This is the big difference to userspace programs and tends to defeat the entire mechanism. Doing this makes a few things slightly harder, which is good, I guess.

    1. Re:Phys mem access by Anonymous Coward · · Score: 0

      Not really. As long as you are running in protected mode you can only use virtual addresses. You can map physical addresses to virtual addresses, but then you are still using the underlying hardware for virtual addressing.
      Of course whoever is writing the kernel code can map whatever they want, but that's always the case.

    2. Re:Phys mem access by brynet · · Score: 1

      OpenBSD also has support for SMEP/SMAP on newer Intel processors in addition to NX, which at least makes arbitrarily poking around memory a little more risky.

      http://freshbsd.org/search?pro...
      http://freshbsd.org/search?pro...

    3. Re:Phys mem access by Anonymous Coward · · Score: 0

      OpenBSD on amd64, like most operating systems, has a virtual memory region that maps 100% of physical memory to a range of virtual memory addresses (the "direct map"). So all you need to do is to write to there. In principle, they could have removed the kernel memory page by page from the direct map, but this is usually impractical due to the large page sizes (larger than the kernel) used in the direct map.

  8. Punctuation Nazi by Curunir_wolf · · Score: 1

    The entire safety model is also improved by a limited form of kernel ASLR (the code segment does not move around yet, but data and page table ASLR is fairly good."

    Oh, my - unopened quotation and an unclosed parenthetical! This crap drives me nuts. Don't journalists have to take English classes at all?

    --
    "Somebody has to do something. It's just incredibly pathetic it has to be us."
    --- Jerry Garcia
  9. No, I do not understand by Anonymous Coward · · Score: 0

    I am one of those 80% who do not understand what W^X is --- and I am ready to admit that I do not understand it

    But there is one thing that I would like to know ...
     
    Is there anyone out there thinking of " W^Xifying" Linux?

    1. Re:No, I do not understand by Korgan · · Score: 1

      Sort of. Linux has DEP and a few other features (ASLR and SEHOP for example.) Redhat created ExecShield that can contribute. I don't know if PaX has been merged yet (haven't followed in quiet a while now) but it also does something similar. While not the same, they all provide different answers to the problem.

      Then JIT languages come along and screw everything up. ;-)

        W^X is just one method OpenBSD championed, but it's not an exclusive technology.

  10. Re:Should I be glad or sad... by shoor · · Score: 1

    ...that I did understand all of this. (Maybe it goes with being between the six-digit guy and the four-digit one.)

    --
    In theory, theory and practice are the same; in practice they're different. (Yogi Berra & A. Einstein)
  11. It will prevent remote exploits by cachimaster · · Score: 1

    Like this one:

    http://www.coresecurity.com/content/open-bsd-advisorie

  12. OpenBSD Gets Feature It Was Already Known For by Blaskowicz · · Score: 1

    I am impressed that OpenBSD is so righteously conservative they are just getting one of the security feature they are most famous for.

    I hope developers of other systems would follow that example and I can't wait for someone to modify the linux kernel to support USB keyboards, or to modify Xorg to support 1024x768 resolution up from the previous maximum of 640x480.

    1. Re:OpenBSD Gets Feature It Was Already Known For by Anonymous Coward · · Score: 0

      You might want to read it again if you don't understand.

  13. Very disturbed by tag by Anonymous Coward · · Score: 0

    As mentioned earlier, it's really NAND, not OR or XOR :)