Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
AMD Security

Holland Bans AMD's 'Virus Protection' Campaign 330

Posted by timothy from the puffery-is-strictly-for-cafes dept.
Hack Jandy writes "For those of you who didn't see this coming, AMD's Advanced Virus Protection campaign has been banned in Holland since the technology does (almost) nothing to stop viruses! If you recall, AMD's NX bit attempts to stop the processor from executing pages on the stack that have been written to. Does NX even solve more problems than it causes?"
This discussion has been archived. No new comments can be posted.

Holland Bans AMD's 'Virus Protection' Campaign More

Holland Bans AMD's 'Virus Protection' Campaign

Comments Filter:

  • How do you explain it to Joe Sixpack? (Score:5, Informative)

    by LostCluster ( 625375 ) * on Wednesday December 29, 2004 @02:03AM (#11206732)
    What the "NX bit" actually does is a pretty nice thing for preventing buffer overflows... if a segment of memory is marked for data use and then the code execution point somehow arrives there, you get a crash-out instead of the execution of arbitrary code.

    Of course, AMD's problem is finding a way to try to communicate that concept to the average user. Joe Sixpack doesn't even know what buffer overflow problem is, so they don't understand why they need a solution to that problem. AMD is trying to use the concept of "virus prevention" instead, but apparently they've gone too far in implying that the NX bit eliminates the need for conventional anti-virus methods, which it most certainly does not.

    This is an extra set of suspenders, not a new belt.

    • Re:How do you explain it to Joe Sixpack? (Score:5, Informative)

      by karniv0re ( 746499 ) on Wednesday December 29, 2004 @02:16AM (#11206787) Journal
      This is akin to OpenBSD's W^X, which specifies that memory can be either Writable or eXecutable but never both. Wikipedia has a good stub on it, [wikipedia.org] as well as a nice article on the NX bit [wikipedia.org].
      • W^X requires hardware that can actually enforce that policy. Until AMD implemented NX this simply could not be done on X86 and you had to use some other platform if you wanted real security.
      • It's not "akin". OpenBSD's W^X is policy. AMD's NX bit is a processor feature that makes policy like that easier to implement. Microsoft's policy is different (and not as strong, only the stack is protected), but uses the same processor features.

    • Re:How do you explain it to Joe Sixpack? (Score:5, Insightful)

      by jrockway ( 229604 ) * <jon-nospam@jrock.us> on Wednesday December 29, 2004 @02:18AM (#11206796) Homepage Journal
      NX doesn't fix anything.

      If I'm overflowing a stack buffer, I'll just write the address of system() over EIP and the address of a string I control after that. Then when the function returns, it will execute system("/whatever/program/i/want").

      Maybe not quite as convenient as shellcode for crackers, but virus writers will adapt and NX will mean nothing.

      • Re:How do you explain it to Joe Sixpack? (Score:4, Interesting)

        by NigelJohnstone ( 242811 ) on Wednesday December 29, 2004 @05:55AM (#11207519)
        "If I'm overflowing a stack buffer, I'll just write the address of system() over EIP"

        A software stack check will already catch that. (a random number stuck under the stack frame, checked before returning. You could overflow the buffer, but you can't know what random number to write because it changes each time -> failed exploit.)

        IBM did some work to put a similar feature into GCC:

        http://www.research.ibm.com/trl/projects/securit y/ ssp/
    • Let's just say it's impossible to market something like this. In their ad they said something like "AMD processors are the only processors which actively stop/prevent viruses". Surely that's not something a CPU can do at all anyway.

      And since this is only a minor improvement (if an improvement at all) in the Athlon64 I wonder why they didn't think of something else to use to promote the CPU... Surely saying that the thing is 64-bit must impress some Joe Sixpacks.

      • Re:How do you explain it to Joe Sixpack? (Score:5, Insightful)

        by 0racle ( 667029 ) on Wednesday December 29, 2004 @02:32AM (#11206854)
        "What does 64bit mean? Obviously 32 is working for me, why do I need this. Now virus protection, that I need."

        Thats why. They don't have to explain what being a 64bit processor means and why they need it, because most people don't, but everyone need virus protection and for the most part they already know that.

        I have yet to see a good reason why I should get an A64, beyond the 'dude holy shit its faster then last months model.'
        • Someone [mailto] is reputed to have said "Nobody would ever need more than 640K of memory" ! With advancing technology everything always gets better by a factor of 2. 8,16,32,64 each time with substantial performance improvement. If you are in the market for a new computer IMO it's crazy NOT to get a 64bit processor. If you're happy with old hardware of course, no-one is telling you to change...
          disclaimer: Santa brought me a lovely AMD63 3500+ to plug into my Asus A8N-SLI motherboard - yum!
        • Actually, 64bit markets itself, because it's twice as much as 32 bit. You don't need to explain it. And if you do care about performance, there are some reasons to get an AMD64, because it's architecturally better than the 32 bit offerings. It's not just an Athlon that can address more memory. Obviously, if you aren't interested in upgrading your computer for more performance then you aren't in the market for a new processor of any kind, and your opinions aren't really important when it comes to them.
        • I have yet to see a good reason why I should get an A64, beyond the 'dude holy shit its faster then last months model.'

          In that case, I presume you would never upgrade as your current box is fast enough.

    • Re:How do you explain it to Joe Sixpack? (Score:2, Insightful)

      by Anonymous Coward
      What the "NX bit" actually does is a pretty nice thing for preventing buffer overflows.

      I have to call you on this one. It's only a "pretty nice thing" in theory, since the option has to be enabled during the compilation of the binary. In Windows (even XPsp2), this is only enabled for certain MS-created services that listen on ports. It has to run in PAE mode. Not every application is protected. Significantly, the user-space apps are not protected. You have to specify /PAE option, despite what MS says [microsoft.com].

      • Re:How do you explain it to Joe Sixpack? (Score:5, Insightful)

        by rale, the ( 659351 ) on Wednesday December 29, 2004 @04:36AM (#11207288)
        I have to call you on this one. It's only a "pretty nice thing" in theory, since the option has to be enabled during the compilation of the binary.

        Sorry, but this isn't true - NX protection has nothing to do with compiling binaries. It is runtime protection.

        In Windows (even XPsp2), this is only enabled for certain MS-created services that listen on ports. It has to run in PAE mode. Not every application is protected. Significantly, the user-space apps are not protected. You have to specify /PAE option, despite what MS says [microsoft.com].

        This is unfortunate but true, the default for processors that support it really should have been to turn it on for all apps. As it is, you have to go into Control Panel->System->Advanced->Performance->Data Exec Protection and enable it for all apps yourself. It does work quite exactly how it should when you do, tho - warning you and shutting down apps that attempt to execute data as code.

        So, moderators. How does the original post deserve such a high ranking? It's factually incorrect on a few points, and just makes general statements about "safety is good". The trend appears to be that early posters get points, and everyone else carps and trolls. What a shit hole slashdot has become. (I can recall when a 90-post story was big news, and most of the posts were useful... but don't get me started.)

        So, moderators, how does an AC who posts factually incorrect statements also get a +4 Insightful? Is it just because he said "So, moderators"?
    • Viruses are now including multiple attack vectors, and often times some of these require human intervention while some don't. As viruses grow increasingly multiparadigm and begin exhibiting both the properties of the canonical virus (requiring human intervention) and worm (spreading without human intervention) the semantic distinction grows less important.

      This is a distinction which Joe Sixpack has a terrible time grasping. Telling someone "Your computer's got worms!" is less likely to be comprehend tha

    • Re:How do you explain it to Joe Sixpack? (Score:2, Insightful)

      by Anonymous Coward
      First off all buffer overflow problem wxist only in software that has a bug. The thruth is that there probably isn't any large program out there that doesn't suffer from this. When you have a huge chunk of code you tend to over look things plus the software gets extremely hard to maintain from a security stand point, hens buffer overflows appear. What AMD supposedly invented is the same thing that VMS machines have had for ages now (or should I say used to when VMS was still kicking). As some people have al
      • The truth is that there probably isn't any large program out there that doesn't suffer from this.

        Umm.. Java programs don't get buffer overflows. C++ programs that use bound-checked containers and no pointer arithmetics are reasonably safe. Perl and Python are all right. So are we only talking about old-style C code then?
    • what they did was that they made a fake promise that it would(or could) solve your virust problems instantly and for good, with no extra effort.

      like magic that is.

      of course, it's NOT TRUE, so the adverts got banned.

      a car company can't claim that their car is deathproof(when it isnt)..
    • Of course, AMD's problem is finding a way to try to communicate that concept to the average user.

      AMD does certainly not have to explain such concepts to Joe Sixpack. Joe anyway doesn't have the foggiest clue what AMD is about. His only potential encounter with AMD is when he buys a computer and then he probably couldn't care less.

      Who AMD must convince as their primary target is OEMs and most of them (hopefully) know their shit and can be bothered with technical whitepapers.

      Now if AMD wants to launch an

    • what they could say is that it more or less eliminates the need for a firewall if you have the services locked down. think about it, 99%+ of the server exploits are buffer errors. take out that and you have a much more secure system. the concept of worms that use server errors will go allmost away, leaveing those pesky mail/social-engineering worms . conventional viruses it may not stop tho unless your able to tag binary files on the disk as non-modifyable.

  • Eh, whatever. (Score:4, Insightful)

    by TWX ( 665546 ) on Wednesday December 29, 2004 @02:07AM (#11206749)
    I don't understand really why AMD felt a need to make an ad campaign over the technology anyway. Most uses for this technology are buffer overflow preventions, which are almost exclusively server technology. Admittedly, it is possible for any program that makes a remote connection to accept data or idles waiting for data to possibly be vulnerable, but for a userland machine this would be mostly messaging programs and p2p programs.

    I think it would have made sense to put it as a nice side feature so that geeks see the technology and how it prevents buffer overflows, but they probably already know about it.

    • Re:Eh, whatever. (Score:3, Informative)

      by Tanktalus ( 794810 )

      Servers, P2P programs, messaging programs, ... email (Outlook?), web browser (IE? Even Firefox had one not too long ago, didn't it?), or pretty much any software that reads data from an untrusted source.

      By the way - that includes things like word processors. A malicious attacker overflowing the buffer of Word via some viral Word doc spread via email - NX bit can help here, too. By "untrusted source" - that means pretty much any program.

      • Re:Eh, whatever. (Score:5, Funny)

        by geekoid ( 135745 ) <dadinportlandNO@SPAMyahoo.com> on Wednesday December 29, 2004 @02:25AM (#11206825) Homepage Journal
        "untrusted source"

        Fluffy bunny code is untrusted, continue to install?
        No.
        You won't be able to see the fluffy bunnies if you don't install. Continue install?
        No.
        You don't want to not install?
        No.
        Installing Fluffy Bunny.
        HULK SMASH!

        • I ran across a page the other day of which your post reminded me. It wanted to install some piece of adware/spyware shit, and IE6 SP2 (I know, install Firefox) actually caught it. Now I got this irritating flashing bar across the top of my web page saying some program wants to install. Click to install, right-click for more options. Well, I don't want to install, so I right-click. Now I have a little menu with 3 options. One is Click to Install (again), and the other two are about the idiot bar. How

    • Not just for servers (Score:5, Informative)

      by gad_zuki! ( 70830 ) on Wednesday December 29, 2004 @02:14AM (#11206780)
      Windows XP uses NX now as of SP2. Its part of its Data Execution Protection scheme. DEP can run without an AMD too. Its on by default for windows system files.

      Buffer overflow exploits arent just for servers either, the RPC/DCOM exploit was one. So was the previous big worm, err blaster? I don't quite remember.

      This is tech for the desktop, really. Modern computers run a slew of services.

  • Does it rely... (Score:5, Funny)

    by nathan s ( 719490 ) on Wednesday December 29, 2004 @02:13AM (#11206770) Homepage
    Does this NX thing rely on the evil bit? If so, no wonder it doesn't work! *duck*

  • What is a "virus" to most people (Score:5, Insightful)

    by IBitOBear ( 410965 ) on Wednesday December 29, 2004 @02:17AM (#11206793) Homepage Journal
    Given that, in common parlance, most people don't know the differences between the various exploits "virus" is as good a word as any.

    And if the NX bit were used for more than the stack, then it could protect against a lot of (non-trojan) viral activity too.

    Lets face it most viruses today aren't even viruses. They are trojans, worms, and human-engeneering exploits. How often do you see an actual virus? You know a program that writes its code into another program. It's actually getting kind of rare. Now days it is whole applications delivering themselves to your computer through email and exploiting the existing code of crap like IE and Outlook by just telling those programs to run the evil code. Most exploits today are applets and packages.

    All But Gone are the days of rewritten exe headers wiht appended code fragments, and programs appending themselves to other programs in memory.

    Quite frankly if all the non-code memory regions in my computer were non-execute down to the very last GDI region and printer buffer, the classic virus would be dead. The IE hacks and the trojans and the worms would still be here because certian stupid programs will do arbitrarily complex things at the behest of remote entities, but that isn't a virus. Thats bad design comming home to roost.
    • Quite frankly if all the non-code memory regions in my computer were non-execute down to the very last GDI region and printer buffer, the classic virus would be dead.

      How do you figure? The classic virus modified EXEs on disk, but didn't need to modify executable code in memory.
      • The classic virus modified EXEs on disk, but didn't need to modify executable code in memory.

        You are absolutely right. And that is why NX doesn't help preventing vira. It may prevent most classical worms though. Whether worms will find a way arround the protection is an open question. In theory the bugs may still be exploitable, but hopefully it will take longer time to write exploit code, so there will at least be time to patch your system. Protecting against vira modifying executables is easy, and it d
    • And if the NX bit were used for more than the stack, then it could protect against a lot of (non-trojan) viral activity too.

      So would all the JITs that everyone's built so far .. Remember that not all code blocks are loaded as readonly off the disk. I had to go through a couple of hoops to get portable.net [dotgnu.org] to work on OpenBSD..

      In short they would have to provide a way to mark a write-able buffer as executable - and I suppose you'd call it the next design mistake ?.

      Read about PAE and JITs [microsoft.com] (hint: dotne

      • In short they would have to provide a way to mark a write-able buffer as executable

        Every single OS that supports a no-execute bit provides this (including Windows), otherwise things like dynamically-loaded libraries wouldn't work too well. JITs that run on these OSes are, of course, coded to call this when necessary. It's not really a big deal.

        Remember that even though NX is The Next Big Thing in the x86 world, rationally-designed CPU architectures have had no-execute bits in their MMUs for a long, long
        • otherwise things like dynamically-loaded libraries wouldn't work too well.

          I'm talking about userland tools which do something like -

          JITcompile(bytecode);
          bytecode->__func(args);
          They preferably mmap space off /dev/zero and unlike a shared lib loader can't operate in kernel space (we're talking about NX in userland, not ELF loaders).
          • Functions like loading plugins and libraries at runtime are generally handled in userland, not in the kernel (or so I think), so we're talking about the same thing. Any OS which supports a no-execute flag will support a way to mark a region of memory as executable.

  • Finally someone cracks down on stupid marketing (Score:2, Informative)

    by Anonymous Coward

    Reclame Code Commissie of the Netherlands, an organization that regulates advertising in the country, recently said some or all AMD EVP radio ads were "too absolute and as a result misleading"

    Almost all CPU advertising is misleading, first of all because it has to paint with such a broad brush. The NX bit plays only a tiny role in virus prevention. The much-hyped Hyperthreading was only of questionable benefit and certainly not worth paying extra license costs for most people. Dual cores may be a m

  • Hum. (Score:5, Interesting)

    by mcc ( 14761 ) <amcclure@purdue.edu> on Wednesday December 29, 2004 @02:42AM (#11206899) Homepage
    So my first reaction was that I'm not so sure about this one. There exist worms which use buffer overflows to propigate themselves. NX could potentially protect against such worms. Referring to a worm as a "virus" may not be strictly accurate but it isn't unreasonable, unless there's some quirk of the Dutch language at play I'm unaware of. If infection by Code Red, or any other buffer overflow based worm of the last few years which targeted end-users, could have been prevented by running a chip with NX functionality, then referring to this as "virus protection" may be a tiny bit silly, but not unreasonable. Certainly not deception on the same scale as the Pentium 4 "IT WILL MAKE THE INTERNETS MORE FUN" ads.

    ...then I actually RTFA.
    Reclame Code Commissie of the Netherlands, an organization that regulates advertising in the country, recently said some or all AMD EVP radio ads were "too absolute and as a result misleading", according to Tweakers.net web-site. The regulators pointed out the fact that the technology needed Service Pack 2 to be installed on a PC running Microsoft Windows XP operating system and was able to protect only against a number of malicious programs.
    So it appears that the complaint wasn't against the claim NX "protects against viruses", the complaint was that the advertisements did not make necessary disclaimers like "requires special operating system support". This seems definitely reasonable on the regulators' part.

    This said, I have heard it claimed that NX technology is rediculously easy to circumvent. Specifically, I saw a long post by Linus Tourvalds somewhere in which he noted that NX provided protection against some classes of buffer overflow attacks, but not all, and then outlined various ways in which someone attempting a buffer overflow under Linux could potentially simply structure their buffer overflow so as to circumvent the protections NX offers. The post was very technical and I could not tell if the statements were general or just byproducts of the way Linux handles stack and such. Does WinXP suffer from these same problems with regard to the efficacy of an NX bit?

    • Re:Hum. (Score:4, Informative)

      by Anonymous Coward on Wednesday December 29, 2004 @02:58AM (#11206958)
      As has been said over and over by people who understand NX, it is simply one more arrow in the quiver, not a panacea to stop all viruses.

      A well crafted buffer-overflow attack that overwrites the return instruction pointer on the stack to point to existing code elsewhere will not be caught by NX. NX catches *execution* of code
      from non-allowed pages as pre-determined by the OS; but it does not block data writes.
      • Overwriting a return address with a new one is difficult because you need to find the correct place to call. It is much easier to insert your own code with the modified stack frame. Therefore NX (present on many other architectures) is actually a fairly major step.

    • Re:Hum. (Score:2, Interesting)

      by SiggyRadiation ( 628651 )
      Not only did they not warn that this only works in specific scenarios (eg. with SP2), but they also insinuated that by using an AMD processor the user would be totally free of virusses and needed to worry no more.

      I'll try to sketch a radio-commercial:
      Voice of teenage girl: "Hi, I'm susan. When I come home from school Í like to chat with my girlfriends for an hour or so. If that darn brother of mine isn't gaming or doing something silly on our computer.
      ***But thank god that I don't have to worry about

  • For now, it creates more problems than it solves. (Score:4, Informative)

    by Anonymous Coward on Wednesday December 29, 2004 @03:01AM (#11206968)

    In a recent cluster installation, we noticed that any tool (IBM's RAID console and the PolyServe cluster files system managment console) involving Java aborted with SIGSEGV errors. This was a Redhat ES 3.0 u3 installation on IBM e336 (dual Xeon 3.06 GHz) systems. Run the tools, immediate BOOM!

    Noting that the problem was the JRE blowing itself out of the water with SIGSEGV (and talking to friends that had installed the same OS and same software on different hardware) led me to do some more research. "strace" can indeed be your friend. It seems that AFAICT the NX feature was added to the Xeon processor versions (stepping) that were in our machines. There was no way to disable the feature in the BIOS. There is a little, er, confusion in the various documentation about the kernel's behavior, but "noexec=on" is the default as far as I can tell.

    So, what (apparently) happened here?

    [personal opinion] Intel, rushing to counter the AMD marketing blitz about the wonders of "no execute", put the feature into their newest Xeon CPUs, possibly before the BIOS functionality caught up. The Linux kernel's choice of defaulting the new feature to "on" (theoretically the best choice) unfortunately resulted in numerous "issues", particularly in applications (simulators, virtual machines, etc.) that commonly execute things within the stack segment. This is done all the time in this class of application. The software development community hadn't caught up to the new feature, either. It seems that there are linker attributes that can disable the behavior (still researching this). [/personal opinion]

    If you Google for this issue you will find that virtually (pun intended) anyone that relies on a JRE on Linux (Oracle, IBM, etc.) was affected iff the hardware did the NX bit. Our solution was to download the latest JRE from a source on the Web (Sun in this case) and hope that we did not run into Java compatibility issues or that the JRE versions in the software packages were not bolted in.

    We squeaked by with our solution, but it only cost about a whole day figuring it out. Time is cheap. Technical problems are fun, especially with a customer watching all of the game over your shoulder. "You have done this before, right?"

  • Interesting that this should happen (Score:5, Insightful)

    by MP3Chuck ( 652277 ) on Wednesday December 29, 2004 @03:06AM (#11206983) Homepage Journal
    I was speaking to someone on a forum just recently, and they mentioned how their processor had "built in virus scanning." After a bit of an argument (he was quite convinced that it was truly virus scanning) I ended up correcting him, and simply explained that it could help stop a "bad program from tricking your computer into doing something it shouldn't."

    It's a shame that they couldn't come up with a better way to market this ... because it's definetly misleading to those who don't understand what it does and can easily become an issue of semantics for people who might confuse "virus protection" with "antivirus software." And in a world where the blue E on grandma's desktop = The Internet(TM) this may be happening more than it's apparent.

  • Can understand.. (Score:2, Informative)

    by kaiwai ( 765866 )
    I can understand the stance that the Dutch took in regards to the NX issue. Ultimately, these commissions need to ensure that the information given out by companies such as AMD are as clear and accurate as possible, and I'm sorry, when they say, "advanced virus protection", after putting my end-user hat on for two minutes, what the advertisement is basically saying is this; "throw out all your anti-virus software, this new CPU can not only protect you like a normal virus protector, but does it even better!"
    • With that being said, however, the other flip side is how thinly do they want to slice the information; many things in IT can't be simplistically put down to a few catch words

      Oh it can put down in a simplistic and correct way.
      There have been several examples in Dutch advertising that should have led AMD to statements like "Can help in stopping virusses" instead of there present "Will stop virusses".

  • Why do we have these anymore ?

    Why don't the people at Monopolysoft start using more secure libraries with visual c/c++ ?

    Performance hits are worth it.

  • Buffer overflows not the issue on Windows (Score:4, Interesting)

    by bigberk ( 547360 ) <bigberk@users.pc9.org> on Wednesday December 29, 2004 @03:33AM (#11207091)
    On Windows systems, no, it's not buffer overflows that are the major problem and the CPU's capabilities with respect to flagging memory pages will do absolutely nothing. Humans install viruses on Windows systems. They fall for tricks, it's a social problem. Sure there are still some buffer overflow issues.

  • Ohh Cmon (Score:5, Interesting)

    by logicnazi ( 169418 ) <gerdesNO@SPAMinvariant.org> on Wednesday December 29, 2004 @03:40AM (#11207120) Homepage
    I can't say I think the NX bit is really that big a deal, it only makes things a little harder when you can't execute code on the stack since a stack overflow lets you return program execution to any address on the system you want. Often a cleverly designed system call or another non-stack user controlled data structure will still allow the attacker to gain control.

    Still it really does provide some virus protection which is alot more than can be said about most commercials. I mean is the 'lemon strength cleanser' actually a better cleanser because of the lemon. Is 'oxygenation' or whatever really important for skin care.

    Maybe they manage to stop all these types of advertising exageration over there, and if so my hat is off to them. At least if they can really manage to do it objectively. Often these sorts of rules aren't applied evenly, letting false but dear cultural assumptions slide by but blocking correct but disconerting claims. For instance I have no doubt that if we had these sort of tight 'truth in advertising' laws in the US we would find condom ads forced to produce 3 peer-reviewed studies for every claim they make while gun ads would be allow to imply or outright say that carrying a gun makes you safer. But maybe other countries can pull this off, after all I'm always amazed the U.K. can function so well without an explicit constitution so who knows. If they can do it objectively my hats off to them.
    • I can't say I think the NX bit is really that big a deal, it only makes things a little harder when you can't execute code on the stack since a stack overflow lets you return program execution to any address on the system you want. Often a cleverly designed system call or another non-stack user controlled data structure will still allow the attacker to gain control.

      OpenBSD [openbsd.org] uses the NX bit to implement a memory policy forcing a page to be either writable or executable, but not both. This will make your

  • I'm curious if there were any countries that had a similar reaction to past near-false advertising campaigns, such as the "The Pentium II makes the internet faster!" ad several years back.
    • Apparently you can claim almost anything in adverts in many countries. In the Netherlands there are some quite firm restrictions, and a commission where anyone can complain about an ad.
      Probably in other countries you would have to use the legal system, and nobody would bother.
  • That NX has ALWAYS been around. It used to be enforced and used a long, long time ago...processors stopped respoding to it, so people got lazy and coded. It doesnt "break" anything anymore than Mozilla breaks badly coded CSS pages. You people who are saying that it causes more problems are completly ignoring the REAL problem, and that is substandard coders and code!

    The AMD NX feature is a long, long overdue feature that processors have been missing for quite some time, and it can prevent a LOT of misuse. I

  • "Pointer in memory protection" (Score:5, Interesting)

    by octogen ( 540500 ) <g.bobby@gm x . at> on Wednesday December 29, 2004 @04:50AM (#11207324)
    There is a much more effective technology around since about 1988. IBM's AS/400 (now called "iSeries 400" or "eServer i5") has a feature called "Pointer in memory protection".

    Every time when the processor writes an address into memory (for example, return addresses stored in stack memory by subroutine calls) the memory location is marked as containing a valid address by using a "shadowed" flag, a 65th bit (one bit of ECC memory is used, so the machine does not need special memory modules, just standard ECC memory modules). If that memory location is overwritten with data, the CPU automatically clears the "shadowed" flag. If the CPU tries to use a pointer as a memory address, that was overwritten with data before, it automatically generates an interrupt.

    This feature was originally not designed to be a buffer overflow protection, but it was neccessary, because the AS/400 uses a so-called "single level storage", where all applications use the same address space. Therefore, the machine needed some method to prevent applications from writing to arbitrary locations in memory, and that's why pointer-in-memory-protection was invented.

    Actually, the memory is also segmented, one segment for every "object" created by a program. Most buffer overflows can not even overwrite an address, because a character array will have its own object boundary.
    For example, the following code will typically not generate a buffer overflow on an AS/400:

    int main(void)
    {
    char space_a[20];
    char space_b[20];
    int i;

    for (i = 0; i < 100; i++)
    {
    space_a[i] = 'A';
    }
    for (i = 0; i < 100; i++)
    {
    space_b[i] = 'B';
    }
    }

    Just try it out, it should not even crash.
    I tried a lot of things like these on an AS/400 Mod. 170 running V5R2 using IBM ILE C compiler.

    I think, pointer protection using shadow flags is the right way to prevent execution of code inserted by exploiting buffer overflows, because all other protection methods can't prevent return-into-libc exploits, but the pointer-in-memory-protection can, so IMHO it is the only *real* protection.

    Further reading: "The inside story of the IBM iSeries" by Frank Soltis (a book about the architecture of the iSeries and the POWER processors)
    • Memory tag bits are nothing new; Burroughs 6000/7000 systems had these (3 bits per word even) in the 1960's.
      With 3 bits you can also tag a word to contain instructions, and the type of data (integer, float etc).
  • Don't forget that this is the company that uses a very badly retouched Apple G4 Titanium Powerbook in its AMD64 adverts. I was waling down a street in Glasgow last week and saw it in a bus shelter. You could even see where the *artist* had tried to cover the Apple logo on the lid.
    • Don't forget that this is the company that uses a very badly retouched Apple G4 Titanium Powerbook in its AMD64 adverts. I was waling down a street in Glasgow last week and saw it in a bus shelter. You could even see where the *artist* had tried to cover the Apple logo on the lid.

      'Artist'? You sure it wasn't just an instance of the rare 'geek-ned' putting their socially destructive tendencies to more profitable use?

  • Fortunately they did not ban PaX! (Score:3, Interesting)

    by Anonymous Coward on Wednesday December 29, 2004 @05:40AM (#11207469)
    Of course NX does not stop virusses and trojans. However, in itself it does only stop some memory corruption attacks, like simple stack overflows. But not many other types of memory corruption attacks.

    NX is just one method to protect the integrity of the memory. What it basically does is that it allows an OS to implement separation between data and code in the memory of a running process. Many overflow and other attacks depend on writing data in the process memory and then executing it as if it was code. A virus or a trojan is usually a program. It depends on being run, not on memory corruption. Therefore protection against memory corruption brings you literally nothing.

    NX in itself stops exploit writers for aproximately 15 minutes, which is the time it takes for them to adjust most of their overflows to make them work with NX. Only a hand full of attacks cannot be adjusted. So NX in itself doesn't bring you much, despite what the marketing departments of companies like AMD and Red Hat tell you.

    The trick to provide good memory protection is not to only use NX, but to combine it with other protection methods. This is the approach taken by the PaX project http://pax.grsecurity.net/ [grsecurity.net].

    However, there are also some PaX imitations which, unfortunately, do not implement all of the PaX technology (even though some of them claim they do or claim to be even better). Examples are: MS-Windows SP2, Red-Hat's Exec-shield and OpenBSD's W^X.

    Anyways, back from the technical intermezzo to AMD marketing. These guys have the same problem which people from the PaX project, exec-shield, OpenBSD and others who produce stuff like this have: Try to explain why this stuff is useful. If clever people like Linus don't get it, then how is one going to explain it to John Doe or the PHB's of this world? ``Memory corruption? Exploits? Buffer overflows?'' ``Woah! Brain overload!'' At least they have heard the word ``virus'' a few times and have learned that ``virus = bad''. So ``NX = good'', which cannot be explained to lusers, became ``NX = anti-virus = good''. Even if it is disabled by default, if you cannot motivate people to try to look for it, they never will.

    Oh yes, these patches break things. Most programmers are spoiled. They think it is normal to mess around with memory in any way they like. Few of them understand that what is convenient for them, is also convenient for exploit writers. It's like MS-DOS programmers complaining about the file permissions on UNIX.

    I hope AMD takes the challenge to produce better marketing, so more people start using this technology. Even though it is badly implemented in MS-Windows, it is a small step in the right direction.

  • This just in (Score:3, Funny)

    by SCVirus ( 774240 ) on Wednesday December 29, 2004 @05:42AM (#11207476) Journal
    Microsoft has anounced a new patch to stop social engineering... well acually its a minor addition to the windows xp firewall that may prevent a small portion of attacks... but people won't understand that...
  • Quite a few virusses and hacks rely on buffer overflow errors. So eliminating that goes a long way.

    In fact I think Dutch courts took it to far, or at least farther than they would have for other pruduct that mislead the public through advertising.

    Don't get me wrong, I'm all for truth in advertising, but this is selective justice.

    I have yet to see one laundry detergent that fail to get your cum stains out of your mothers favorite sweater to actually get banned for false advertising.

  • It Breaks Down Like This (Score:4, Funny)

    by appleLaserWriter ( 91994 ) on Wednesday December 29, 2004 @06:11AM (#11207576)
    VINCENT
    Yeah, it's legal, but is ain't a
    hundred percent legal. I mean you
    can't walk into a restaurant, open
    up a laptop, and start settin' NX bits.
    You're only supposed to hack in
    your home or certain designated places.

    JULES
    Those are internet cafes?

    VINCENT
    Yeah, it breaks down like this:
    it's legal to buy it, it's legal to
    own it and, if you're the
    proprietor of an internet cafe, it's
    legal to sell it. It's legal to
    carry it, which doesn't really
    matter 'cause -- get a load of this
    -- if the cops stop you, it's
    illegal for this to search you.
    Searching you is a right that the
    cops in Amsterdam don't have.
  • This NX bit is a long waited hardware feature in the x86 platform. Sun Solaris developers needed a similar way of avoiding stack overflows due to arbitrary code execution. The solution was partially addressed in the Sun UltraSparc architecture with the introduction of an optional flag that could mark the stack as no executable [uwaterloo.ca]. Additionally even the unsuccessfull attempts to break this protection could be logged for further investigation.

    At first this flag was disabled by default because it was not comply

  • You do want to look at the NX advert at the top of this page [amd.com] - an titanium powerbook G4 is used in the adverts. No AMD inside :-)

    In the print versions sold locally (e..g in the HCC magazine) it is even more obvious as you see the whole machine.

    Dw.

  • is that the campain was misleading. AMD stated their campain in such a way that it sounded like you don't need any virus protection any more.
    Which we all know, isn't true.

    By the way: Holland ins't the same as The Netherlands. Holland is just a small part in the west of The Netherlands. To make it more confusing: Zeeland and Friesland are also part of The Netherlands

Slashdot Top Deals

The Tao is like a glob pattern: used but never used up. It is like the extern void: filled with infinite possibilities.

Close