login
Search
Ingo Molnar [interview] announced the availablity of support for AMD's NX, or "no execute" bit for the x86 architecture. Originally introduced by AMD with their Athlon 64 and Opteron processors and marketed as Enhanced Virus Protection, Ingo notes that support for this new bit was also announced by Intel, Transmeta and VIA. Ingo explains:
"What does this patch do? The pagetable format of current x86 CPUs does not have an 'execute' bit. This means that even if an application maps a memory area without PROT_EXEC, the CPU will still allow code to be executed in this memory. This property is often abused by exploits when they manage to inject hostile code into this memory, for example via a buffer overflow.
"The NX feature changes this and adds a 'dont execute' bit to the PAE pagetable format. But since the flag defaults to zero (for compatibility reasons), all pages are executable by default and the kernel has to be taught to make use of this bit."
From: Ingo Molnar [email blocked] To: linux-kernel Subject: [announce] [patch] NX (No eXecute) support for x86, 2.6.7-rc2-bk2 Date: Wed, 2 Jun 2004 22:50:25 +0200 we'd like to announce the availability of the following kernel patch: http://redhat.com/~mingo/nx-patches/nx-2.6.7-rc2-bk2-AE which makes use of the 'NX' x86 feature pioneered in AMD64 CPUs and for which support has also been announced by Intel. (other x86 CPU vendors, Transmeta and VIA announced support as well. Windows support for NX has also been announced by Microsoft, for their next service pack.) The NX feature is also being marketed as 'Enhanced Virus Protection'. This patch makes sure Linux has full support for this hardware feature on x86 too. What does this patch do? The pagetable format of current x86 CPUs does not have an 'execute' bit. This means that even if an application maps a memory area without PROT_EXEC, the CPU will still allow code to be executed in this memory. This property is often abused by exploits when they manage to inject hostile code into this memory, for example via a buffer overflow. The NX feature changes this and adds a 'dont execute' bit to the PAE pagetable format. But since the flag defaults to zero (for compatibility reasons), all pages are executable by default and the kernel has to be taught to make use of this bit. If the NX feature is supported by the CPU then the patched kernel turns on NX and it will enforce userspace executability constraints such as a no-exec stack and no-exec mmap and data areas. This means less chance for stack overflows and buffer-overflows to cause exploits. furthermore, the patch also implements 'NX protection' for kernelspace code: only the kernel code and modules are executable - so even kernel-space overflows are harder (in some cases, impossible) to exploit. Here is how kernel code that tries to execute off the stack is stopped: kernel tried to access NX-protected page - exploit attempt? (uid: 500) Unable to handle kernel paging request at virtual address f78d0f40 printing eip: ... The patch is based on a prototype NX patch written for 2.4 by Intel - special thanks go to Suresh Siddha and Jun Nakajima @ Intel. The existing NX support in the 64-bit x86_64 kernels has been written by Andi Kleen and this patch is modeled after his code. Arjan van de Ven has also provided lots of feedback and he has integrated the patch into the Fedora Core 2 kernel. Test rpms are available for download at: http://redhat.com/~arjanv/2.6/RPMS.kernel/ the kernel-2.6.6-1.411 rpms have the NX patch applied. here's a quickstart to recompile the vanilla kernel from source with the NX patch: http://redhat.com/~mingo/nx-patches/QuickStart-NX.txt Ingo
From: Linus Torvalds [email blocked] Subject: Re: [announce] [patch] NX (No eXecute) support for x86, 2.6.7-rc2-bk2 Date: Wed, 2 Jun 2004 14:13:13 -0700 (PDT) On Wed, 2 Jun 2004, Ingo Molnar wrote: > > If the NX feature is supported by the CPU then the patched kernel turns > on NX and it will enforce userspace executability constraints such as a > no-exec stack and no-exec mmap and data areas. This means less chance > for stack overflows and buffer-overflows to cause exploits. Just out of interest - how many legacy apps are broken by this? I assume it's a non-zero number, but wouldn't mind to be happily surprised. And do we have some way of on a per-process basis say "avoid NX because this old version of Oracle/flash/whatever-binary-thing doesn't run with it"? Linus
From: Arjan van de Ven [email blocked] Subject: Re: [announce] [patch] NX (No eXecute) support for x86, 2.6.7-rc2-bk2 Date: Wed, 2 Jun 2004 23:17:14 +0200 On Wed, Jun 02, 2004 at 02:13:13PM -0700, Linus Torvalds wrote: > > > On Wed, 2 Jun 2004, Ingo Molnar wrote: > > > > If the NX feature is supported by the CPU then the patched kernel turns > > on NX and it will enforce userspace executability constraints such as a > > no-exec stack and no-exec mmap and data areas. This means less chance > > for stack overflows and buffer-overflows to cause exploits. > > Just out of interest - how many legacy apps are broken by this? I assume > it's a non-zero number, but wouldn't mind to be happily surprised. based on execshield in FC1.. about zero. > > And do we have some way of on a per-process basis say "avoid NX because > this old version of Oracle/flash/whatever-binary-thing doesn't run with > it"? yes those aren't compiled with the PT_GNU_STACK elf flag and run with the stack executable just fine. GCC will also emit a "make the stack executable" flag when it emits code that puts stack trampolines up. That all JustWorks(tm).
Link broken
Just a short note: The link to the archive of the thread is broken...
fixed
Whoops, thanks for pointing that out. It's now fixed.
yes
About time Linux got up to speed against Windows on this feature. Can't wait to see it in the vanila releases.
From the article, Windows doe
From the article, Windows does NOT have this feature yet.
WINDOWS DOES
well will at the end of this month, with the release of Service Pack 2...
RE: WINDOWS DOES
not all windows though... not in w2k!!!
Neither do the 2.4 kernals.
Neither do the 2.4 kernals. Whats your point?
Ehm...
Oh, they DO. And DID. So STFU, please.
Re: Ehm...
If this patch was just released for the 2.6 kernel and is not yet incorporated, how could the 2.4 kernels have it and have had it already? Please explain your random and incomprehensible flaming.
You didn't read the article
"The patch is based on a prototype NX patch written for 2.4 by Intel -
special thanks go to Suresh Siddha and Jun Nakajima @ Intel."
No, it's not incorporated, but it is out there.
funny
I don't think you know what "does" means, and yet you are otherwise able to put a seemingly coherent string of words together. Weird.
Here is today's lesson in English diction 101:
At least one Linux distribution that I know of (probably more) are already shipping with this sort of protection. Windows is not.
You could actually say Linux DOES, Windows DOESN'T and will it please finally catch up to Linux blah blah troll troll.
Study it well, "does" will be on the exam.
re: funny
In regards to your flamebait comment, here is your requested flame:
Grammatical comments are appropriate when the meaning of the statement is obscured by the error. In this case it isn't obscured... moron.
Yeah-uh
Yes, I too am so glad that Linux has finally gotten this new feature which Windows has had since the end of this month.
Linux has offered other non-exec stack options for a while
"finally gotten this new feature"
That's funny.
"which Windows has had since the end of this month."
May or June? That's also funny. I thought SP2 was still in Beta anyway.
Either way, it does not seem worthwhile to fight over which OS got this feature a few days before the other. It should be noted that Linux has had other non-executable stack options for quite a while including Solar Designer's patch (which I was using years ago on the 2.2 kernels), PaX, and StackGuard. This NX thing is a newcomer, and it is long overdue at that.
Better wording ...
Hmm, I probably could have worded that to be more clear. Let's try:
Yes, I too am so glad that Linux has finally gotten this new feature which Windows has had since SP2 will be released.
I didn't realize my reply was going to be so far from the original post. Also, if I'm not mistaken, this patch is for AMD64 ... the legacy x86 chips don't support non-executable stacks in hardware. Linux running on other architectures already has this 'NX' (equivalent) capability.
StackGuard and the Solar Design patch, I thought, were for GCC. They inserted canaries in the function return addresses and killed the process if its stack was corrupted on function exit...
Which month?
6 weeks later now, and it's been delayed yet again...
PT_GNU_STACK
They seem to refer PT_GNU_STACK very often. That's interesting, because PT_GNU_STACK is not defined in any released GLIBC. It's available in glibc 2.3.3, which in turn haven't been released yet.
--
:wq
Not released doesn't mean not distributed ;)
Quite a few Linux distros contain [patched, CVS] glibc-2.3.3 (FC2, Gentoo, MDK10, SuSE9.1, ...).
Yes, I know
Bu there are some distros that don't spread unrelased stuff. Slackware is that kind of distribution.
Glibc 2.3.2 was released on 01-Mar-2003. It a kind of shame that most important piece of software in GNU/Linux system had no releases for over a year. It didn't catch up with kernel 2.6 apparently.
--
:wq
glibc 2.3.3
Well, I'm no glibc hacker, but my understanding is that glibc 2.3.3 is released but the glibc team don't release tarballs anymore. You have to get it from CVS. No I don't like it either.
Not only me
It seems that I'm not the only one concerned:
http://home.ozonline.com.au/davmac/lintrouble.html.
--
:wq
So much for GNU freedom...
So much for GNU freedom...
GNU
Why does GNU even allow its libc to be maintained by a company that patents software?
Sparc ...
I have a sparc machine for the gateway to the outside world running openbsd. Sparcs have supported this (and some other) features since ... forever :) And openbsd supports it now for about a year. It really makes you sleep better.
PUT PAX IN STOCK KERNEL!
PaX (http://pax.grsecurity.net) offers much more protection that just NX (the NX feature is just a small part of the features PaX offers.) And you don't need an NX enabled CPU.
I really don't know why it isn't in stock kernel ands really ashame. Linux could really be a step ahead if it used PaX.
Doesn't work for everything
As Fedora users know randomized stacks make certain things like WINE, gcc, and many native Linux games very unhappy. It's also kind of strange to have something random affect instances of programs. No two executions will be the same. This is not good for people doing development and testing who are trying to reproduce crashes and other errors due to dangling references.
Having said that I'd like to see it incorporated too, but with the stack randomization turned off by default and a way to turn it on for individual users and processes.
all that you mentioned work f
all that you mentioned work fine with randomization under PaX, what you're thinking of is either gcc nested function trampolines that break on a non-exec stack or the exec-shield specific address space layout that reuses the 'ascii-armor' region where wine (windows apps) would like to go as well. in any case, these features are selectable on a per-application basis in both PaX and exec-shield.
Probably true
I'm sure you are right about being able to disable it on a per-application basis.
But GCC now writes a memory image to implement precompiled headers. It needs this image to load at the same address and for pointers to work afterwards in a different process.
WINE needs to be able to control the memory layout to simulate the way Windows loads executables, DLLs, allocates memory, etc.
if an application wants to co
if an application wants to control the layout of its address space then it has to do so explicitly, there has never been any spec whatsoever that guaranteed any particular layout. the wine folks went for a static preloader for now (until the kernel's ELF loader is fixed to handle .bss style segments properly), and gcc will have to do explicit memory mappings if it wants stuff to go at a fixed address (mmap with MAP_FIXED).
Openwall OWL has a patch to m
Openwall OWL has a patch to make the user stack non-executable (And other things besides) for some time.
Per page NX at runtime?
Just out of curiosity, I think I remember that at least VAX processors had the ability to switch on and off the execute bit on a per page basis, from user mode. I.e. you could store some assembly code in e.g. a heap array, switch on the execute bit for the relevant page, and branch to the array (which would typically contain a return instruction). When the array returned you would switch off the execute bit.
Is this possible with the x86 NX stuff?
The same
This new NX bit is basically what a lot of other systems have had for years. VAX is probably no different. So what you describe about temporarily enabling execute permissions for a heap page would work. In fact the mprotect system call has existed for this (and other) purposes for a long time. Any correct program needing to execute code from the heap could use this call, or just specify the required permissions when allocating the page.
Deja-vu ?
Doesn't i80386 allow both segment and page protection against many things, including execution?
In Debian i see that ( cs != ds == ss ), but i have heard that linux uses page protection rather than segment protection, so where is it?
Paging limitations
In page table you could protect against writing, but any readable page would be executable. Linux is designed for a paged memory model. A segmented memory model is really not that great, in particular not in the i386 design. Linux is designed for a paged memory model. AMD did the right thing with AMD64 and dropped segmentation in the 64 bit mode, and improved the paging a bit. The reason for some kernels using a different segment for CS is such that they can use the length of this segment to implement a limited page execute permission support. The problem is that you must have all executable pages before all nonexecutable pages.
in PaX you have normal per-pa
in PaX you have normal per-page executable bit even without this explicit hardware NX bit support.
Undefined?
I think that patch does some messing with the TLB which results in undefined behavior according to the hardware specification. AFAIR the way it is work is, that the kernel somehow cause an inconsistency between TLBs used for code and data, and that way simulate nonexecutable pages. I prefer real hardware support over this hack.
there are two non-exec implem
there are two non-exec implementations for i386, only one of them does the TLB hacking, and it works perfectly fine, there's no undefined behaviour in there, at most a not explicitly documented one. and the actual inconsistent states don't even occur, you're probably relying on the 3+ years old docs, not the current one. as for what you prefer, well, if you have nothing but a plain IA-32 CPU then you hardly have any choice over how you get NX behaviour, the amd64 style NX support will be present in future CPUs only, the other few hundred million IA-32 CPUs will have to do with a PaX-like solution.
Virus friendly x86
This is not "Enhanced Virus Protection". x86 was "Virus Friendly" by design. This is a bug fix.
Does this affect Malloc'd memory ?
Most JIT's use malloc'd memory which is written with the native code and then executed dynamically .
Sure...
... if you malloc some memory, then jump to it without calling mprotect(PROT_EXEC) on it. Which is what things like JITs were supposed to be doing in the first place, since otherwise they would work on x86 but break on almost anything else. This isn't something radically new, it's just x86 finally leaving the Stone Age.