Page 1 of 1
no-execute in 32bits protected mode without PAE
Posted: Thu Dec 26, 2013 3:18 pm
by brunexgeek
Hey guys!
I was thinking about how to avoid some malicious or buggy software to execute code in data memory. With PAE, we have the NX bit to protected pages against execution, but without it we have no hardware support.
I did some search and found little information. I read about a technique used by PaX (from Wikipedia):
On IA-32 architectures, NX bit emulation is done by changing the permission level of non-executable pages. The Supervisor bit is overloaded to represent NX. This causes a protection fault when access occurs to the page and it is not yet cached in the translation lookaside buffer. In this case, the memory management unit alerts the operating system; on IA-32, the MMU typically has separate TLB caches for execution (ITLB) and read/write (DTLB), so this fault also allows Linux and PaX to determine whether the program was trying to execute the page as code. If an ITLB fault is caught, the process is terminated; otherwise Linux forces a DTLB load to be allowed, and execution continues as normal.
I think that a simple (and poor
) implementation could be to check at context switching if the EIP of the thread (next and/or previous thread) it's within a page marked as data (e.i. if the read/write bit of the page is 'write' I assume no-execute).
Has anyone implemented something like this?
PS: sorry if the english is bad!
Re: no-execute in 32bits protected mode without PAE
Posted: Thu Dec 26, 2013 4:26 pm
by Owen
OpenBSD has a much better solution, implemented by "bifucrating" application binaries into two halves with a 1GB virtual address gap between them.
The user code segment stretches from 0GB to 1GB; the user data segment stretches from 0Gb to 2GB (as necessary).
Re: no-execute in 32bits protected mode without PAE
Posted: Thu Dec 26, 2013 5:12 pm
by sortie
The easiest solution is to realize that some processors are bad and portably is bad. Don't support stupid CPUs. All x86_64 systems have NX (Right? I quite hope so). You could gain simplicity, security, and elegance if you limit yourself to processors with NX.
Re: no-execute in 32bits protected mode without PAE
Posted: Thu Dec 26, 2013 6:19 pm
by Nable
brunexgeek wrote:
Has anyone implemented something like this?
Software DEP in Win32 and NX-approximation in old Linux kernels are examples of this.
AFAIK, they're using segment limit for CS (code segment) to achieve this approximation. But segmentation is strongly discouraged nowadays, so you probably shouldn't waste your time to implement such support.
Re: no-execute in 32bits protected mode without PAE
Posted: Thu Dec 26, 2013 7:13 pm
by brunexgeek
Owen wrote:OpenBSD has a much better solution, implemented by "bifucrating" application binaries into two halves with a 1GB virtual address gap between them.
The user code segment stretches from 0GB to 1GB; the user data segment stretches from 0Gb to 2GB (as necessary).
I read something about this method, but I was looking for another method instead separate my code and data segments. BTW this seems work well.
Nable wrote:Software DEP in Win32 and NX-approximation in old Linux kernels are examples of this.
AFAIK, they're using segment limit for CS (code segment) to achieve this approximation. But segmentation is strongly discouraged nowadays, so you probably shouldn't waste your time to implement such support.
Personally I really prefer don't use segmentation because this way I would have to implement the segmentation (for old machines) and after the support for NX (for newer machines). And even assuming that the choice would be taken in the compilation time, my code can became hard to maintain (I'm wrong?).
sortie wrote:The easiest solution is to realize that some processors are bad and portably is bad. Don't support stupid CPUs. All x86_64 systems have NX (Right? I quite hope so). You could gain simplicity, security, and elegance if you limit yourself to processors with NX.
Maybe you are right. My OS can follow the Windows 8 steps: don't run if the machine don't support NX
BTW you know what the recent Linux kernels do to address this problem?
Re: no-execute in 32bits protected mode without PAE
Posted: Thu Dec 26, 2013 7:17 pm
by Brynet-Inc
Nable wrote:AFAIK, they're using segment limit for CS (code segment) to achieve this approximation. But segmentation is strongly discouraged nowadays, so you probably shouldn't waste your time to implement such support.
This is actually one of the few remaining legitimate uses for x86 segmentation.
sortie wrote:Don't support stupid CPUs. All x86_64 systems have NX (Right? I quite hope so)
Some early Intel clones didn't implement the NX bit. I believe the segmentation trick is still used on them.