Red Hat Introduces NX Software Support For Linux 188
abertoll writes "In this story at ZDnet, Red Hat has apparently added NX support to Linux. NX security technology is a hardware attempt at stopping malicious code." (We recently posted about Transmeta's announcement that its chips will incorporate the NX bit as well.)
Per-segment vs. per-page (Score:5, Informative)
Standard 386 protected mode controls per segment, where CS (code segment) is executable and DS (data segment) is writable. However, many 32-bit operating systems use a so-called "tiny" memory model, setting CS = DS, and the 386 allows for turning off read and write privileges per page but not execute privileges (if you can read a page in an executable segment, you can execute from it).
However, true W^X (shorthand for "no segment is both writable and executable") support won't work for applications that depend on self-modifying code, such as JIT-compiling virtual machines for Java and .NET platforms.
Re:Difference between NX and protected mode bits? (Score:1, Informative)
Re:Difference between NX and protected mode bits? (Score:3, Informative)
the NX bit operates at page level - within segments. it is bit 63 of the Page-Translation-Table entry, and is only available in PAE mode. it is enabled by the NXE bit of the EFER ("Extended Feature Enable Register"). and it applies to all execution rings.
Re:Difference between NX and protected mode bits? (Score:2, Informative)
There's absolutely no thing as the execute bit in 386
There is, but it works on segments and not pages. Unfortunately, some i386 operating systems' ABIs are defined such that CS = DS.
The 386 architecture has one bit for access:
Your one-bit write protection applies to pages.
Comment removed (Score:5, Informative)
calling it a "technology"... (Score:4, Informative)
Kernel 2.6.6 included a x86_64 NX patch (Score:5, Informative)
The 2.6.6 kernel already included an NX patch for x86_64. Details are in the "Non-Exec stack patches" LKML thread here [seclists.org].
Re:Difference between NX and protected mode bits? (Score:5, Informative)
Here you go... (Score:3, Informative)
Software developers will be able to selectively disable execution protection for 32-bit applications, using a DisableNX fix in SP2's compatibility toolkit, and end users will be able to switch the feature on and off for the entire system or for individual applications (like those Java compilers) via a new Control Panel dialog box, similar to those for SP2's beefed-up firewall .
Re:no execute support new? Nonsense ! (Score:2, Informative)
From what I've read, NX support on older i386 CPUs either 1) puts all of a process's code below the code segment limit (1 GB) and all data above that, with an unmapped gap in between [neohapsis.com], or 2) hooks into the translation lookaside buffer (the cache for virtual memory page table lookups) at a speed cost.
definitely helpful but no silver bullet (Score:3, Informative)
Think of this as raising the bar. Of course, the "clever" attackers will still find flaws, and still write code for the script kiddies to use to exploit them.
Re:Difference between NX and protected mode bits? (Score:3, Informative)
All modern architectures implement all 3 different protections bits (read, write, execute). It should have been implemented a long, long time ago, and you definitely cannot emulate it perfectly in software.
I don't known why it wasn't implemented from the begining or at least when the 386 was released, but it was sorely missed by everyone working on improving the security of an OS. I guess Intel didn't think that this architecture would survive in the 21th century.
So adding the NX is a long overdue fix which should really improve the security of PCs, if it is used correctly by the OS.
Regards,
David
Re:Fine No Execute (Score:5, Informative)
As far as it not being on older processors, I assume you mean older ia32's, and surprisingly this was brought up in a MS TechNet event I was at on Thursday. I don't know all the details, but he presenter said it was in older chips, at least back to the original Pentium if I remember, but with the way ia32 chips do paging, it was never implemented in the OS's until recently, which i can only assume the Athalon64, Opeteron and Itanium do this differently, but don't quote me on that.
Personally, I'm just wondering exactly what ia32 chips will Linux and OpenBSD use NX on.
Re:Difference between NX and protected mode bits? (Score:3, Informative)
Point taken, but if NX cuts down on the worm/virus/virus notice email we get because of infected Windoze systems, it'll be a performance boost for us UNIX users.
Re:no execute support new? Nonsense ! (Score:5, Informative)
Re:JIT Compilation/Interpreters (Score:1, Informative)
Exciting news... (Score:4, Informative)
From what I've read, it certainly makes sense to break a few apps for this functionality, as you can always run them in a build without it. Things should be a lot safer, as crap like buffer overruns from carefully formatted input strings can no longer contain executable code.
I think this should be available for individual programs to set the NX bit on memory pages that should only contain data, so, for example, when you download a file, it is impossible to execute it (say, while in memory) until you save it and explicitely set the execute bit. In other words, there is a completely non-executable path for all untrusted code from its inception until the user explicitly makes it run. Now, when some Joe Luser clicks an email attachment virus made for Linux, if this ever happens, it will be very difficult for him to make it run, and hence, it won't. Add to that the protections inherent in all Linux systems (multiuser permissions, heterogeneous configurations, etc.), and it's very unlikely that Linux users will experience the kind of crap that Windows users have to put up with on a daily basis, even if Linux somehow gains a huge market share on the desktop.
These are exciting times.
Re:A Problem or Not? (Score:3, Informative)
Re:no execute support new? Nonsense ! (Score:2, Informative)
Re:Here you go... (Score:5, Informative)
Of course, if those programs were written correctly in the first place they wouldn't need to be fixed to work on NX platforms.
Win32 has always had PAGE_EXECUTE flag [microsoft.com], and if you wanted to execute dynamically generated code you were supposed to include this flag when allocating memory [microsoft.com] (or use VirtualProtect afterwards).
Most people didn't bother with PAGE_EXECUTE because it wasn't enforced on x86. But technically it's always been required.
Re:NX and Self Modifying code (Score:4, Informative)
There's some history of self-modifying code from the 16-bit DOS world, but it's probably time to kill that off.
It's been a long time since self-modifying code improved performance. Today, self-modifying code on an x86 machine works something like this.
So, in general, self-modifying code is not going to help performance. Generating blocks of code and then making them executable is fine, but changing code you're about to execute went out with "ALTER paragraph-name TO PROCEED THROUGH paragraph-name" in COBOL.
Re:Fine No Execute (Score:4, Informative)
First of all you shouldn't expect the NX bit to do any good against a virus. A worm OTOH might be stoped by the NX bit. OK I'll assume you mean the worm would use a way to override it. If it could be disabled per executable like execshield on Linux, you could only exploit vulnurable programs with the security feature disabled. So if the vulnurable service is running with the security feature enabled, you cannot disable it, unless you already control the machine. So it doesn't help a worm gaining control.
What are the chances the vulnurable service would run with this security feature disabled? Not large, because you would only disable it, if the service didn't work otherwise. And the number of programs breaking in case of Linux is not large. Fedora Core 1 has exec shield which does a best effort at implementing this without specific hardware support. Arjan van de Ven explains [google.com] that hardly any program broke. Ingo Molnar explains [google.com] in a bit more detail, that the X module loader was the only program breaking. (Some other programs broke for other reasons). So when it is only one program breaking, you fix it, rather than starging to disable this security feature.
However as Linus has explained, there are ways to exploit a vulnurable service in spite of NX. This specific attack relies on using
Re:Difference between NX and protected mode bits? (Score:5, Informative)
Linux, Windows, BSD, etc. don't use segments, but instead use paging. Intel has dragged their feet on adding NX support because the feature "already exists", but the reality is that hardly anyone uses segments.
Ok, technically everyone uses segments -- they just create a single segment which covers all of the memory space. The GDT (Global Descriptor Table) must be configured when you switch to protected mode. Paging is optional.
The NX flag prevents a page (typically 4k) from executing. By marking all stack pages as NX, buffer overflow attacks won't be able to remotely execute arbitrary code. I assume that an exception will be generated when an attempt is made to execute from an NX page, which will probably cause the running program to halt. So, remote explots turn into DOS attacks.
Buffer overflow attacks have been known about for decades, and solutions such as NX have been known for quite some time too. As has been mentioned elsewhere on /., this does not remove the responsibility of developers to write good, secure code. But, as history has shown, they will probably continue with the long standing practice of writing insecure code.
NX will prevent buffer overflow attacks. NX will not be able to determine whether a program you choose to execute is good or evil. Viruses existed and managed to propogate back in the days before the Internet or even networking were in common use. NX won't solve all security problems, but it is a good tool to help reduce the possibility of remote exploits.
The NX flag isn't new, it's just new to the x86 world. Kudos to AMD for being the first to add this to the x86!
Re:Fine No Execute (Score:4, Informative)
New ones. People will buy them because they want "Enhanced Virus Protection".
In the case of older chips: well, that is what exec-shield is for.
Re:NX and Self Modifying code (Score:4, Informative)
Re:Per-segment vs. per-page (Score:3, Informative)