I was thinking about how to avoid some malicious or buggy software to execute code in data memory. With PAE, we have the NX bit to protected pages against execution, but without it we have no hardware support.
I did some search and found little information. I read about a technique used by PaX (from Wikipedia):
I think that a simple (and poorOn IA-32 architectures, NX bit emulation is done by changing the permission level of non-executable pages. The Supervisor bit is overloaded to represent NX. This causes a protection fault when access occurs to the page and it is not yet cached in the translation lookaside buffer. In this case, the memory management unit alerts the operating system; on IA-32, the MMU typically has separate TLB caches for execution (ITLB) and read/write (DTLB), so this fault also allows Linux and PaX to determine whether the program was trying to execute the page as code. If an ITLB fault is caught, the process is terminated; otherwise Linux forces a DTLB load to be allowed, and execution continues as normal.
) implementation could be to check at context switching if the EIP of the thread (next and/or previous thread) it's within a page marked as data (e.i. if the read/write bit of the page is 'write' I assume no-execute).Has anyone implemented something like this?
PS: sorry if the english is bad!
