Re: any NX memory areas?

the best I can find is this:

http://wapedia.mobi/en/Executable_space_protection

which indicated that ExecShield was rejected because of some
"intrusive changes".

And reading this:

http://wapedia.mobi/en/Exec_Shield

ExecShield is only an emulation, not really requiring true hardware
support, and thus entailing some performance tradeoffs.

whereas PaX truly used the NX bit.... read up the patches.   But then again.....

1.   There are ways (in another Phrack article) to bypass the PaX protection.
2.   The PaX patches may break some applications etc.    And most
important....PAE is slooooooooooooooooooooooooow.

http://lkml.indiana.edu/hypermail/linux/kernel/0612.1/0632.html

On Wed, Mar 11, 2009 at 11:03 AM, Pei Lin <telent997@xxxxxxxxx> wrote:
> i think if a data area can execute code, it is really very dangerous:
> a cracker can easily write
> shellcode like:
>
> char shellcode[]={};
> void (*fp)() = shellcode;
> fp();
>
> some virus lovers give examples here:
> http://www.governmentsecurity.org/forum/lofiversion/index.php/t31130.html
>
> I searched on the internet and Ingo gives some ideas
> about 'Exec Shield' - a new Linux security feature.
> http://www.linux.com/feature/29186?theme=print
>
> i don't know whether the kernel has this feature now. Whoever knows, plz tell
> us the details.
>
> thx
>
> Lin
>
> 2009/3/11 NAHieu <nahieu@xxxxxxxxx>:
>> On Wed, Mar 11, 2009 at 10:46 AM, NAHieu <nahieu@xxxxxxxxx> wrote:
>>> On Tue, Mar 10, 2009 at 4:13 PM, Peter Teoh <htmldeveloper@xxxxxxxxx> wrote:
>>>> Sorry, my mistake, PAE is required yes, and then 32bit Linux Kernel
>>>> will have NX enabled:
>>>>
>>>> PAE can be enabled with CONFIG_X86_PAE (and CONFIG_HIGHMEM64G -
>>>> possibly needed, which is what the kernel config file for Fedora Core
>>>> 11 has):
>>>>
>>>> In arch/x86/mm/init_32.c:
>>>>
>>>> #ifdef CONFIG_X86_PAE
>>>>        set_nx();
>>>>        if (nx_enabled)
>>>>                printk(KERN_INFO "NX (Execute Disable) protection: active\n");
>>>> #endif
>>>
>>> That is indeed what happens in the kernel code. However, I really
>>> have some doubts now after reading the Intel manual 3A.
>>>
>>> According to 3.8.5, PAE mode in x86 reserves all the bits from 36-63
>>> to 0. Knowing that bit 63 is for NX, this means NX bit is never on, so
>>> no page can be set with NX bit. As a result, all the pages in x86
>>> cannot prohibit execution.
>>>
>>> Meanwhile, 3.10.3 clearly mentions NX bit can be turned on in x86-64
>>> (IA32e in Intel term).
>>>
>>> So this means NX is really only possible in a 64bit OS??? But then why
>>> does Linux 32 turn on NX?
>>>
>>> Could anybody confirm this confusion?
>>
>> Hmm now I see the reason: 4.13.3 says that the reserved bits are
>> checked when PAE is on.
>>
>> My question still stands: why do some (every?) data areas not prohibit
>> execution in x86 Linux?
>>
>> Thanks,
>> H
>>
>>
>>
>>>> On Tue, Mar 10, 2009 at 12:23 PM, NAHieu <nahieu@xxxxxxxxx> wrote:
>>>>> On Mon, Mar 9, 2009 at 11:50 PM, Peter Teoh <htmldeveloper@xxxxxxxxx> wrote:
>>>>>> as far as I can remember, in x86 architecture, hardware-wise, it is
>>>>>> NOT possible to enable NX.   U may do anything via software, but it
>>>>>> will not be enabled.   NX feature is only for 64bit OS.
>>>>>>
>>>>>
>>>>> No, NX is available for 32bit Linux, as long as PAE is enabled.
>>>>>
>>>>> I am still stuck here (on 32bit Linux). It seems nobody can shed some
>>>>> light on this problem?
>>>>>
>>>>> Thanks,
>>>>> H
>>>>>
>>>>>
>>>>>> On Mon, Mar 9, 2009 at 4:27 AM, NAHieu <nahieu@xxxxxxxxx> wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I inspected my Linux memory, and it seems that there is no area that
>>>>>>> prohibits execution like I expected (using the NX bit in modern CPUs). That
>>>>>>> really surprises me.
>>>>>>>
>>>>>>> I looked at some potential data areas exported in System.map file, like:
>>>>>>>
>>>>>>> - mark_rodata_ro
>>>>>>> - sysctl_data
>>>>>>> - new_cpu_data
>>>>>>> - boot_cpu_data
>>>>>>>
>>>>>>> And all of these areas allow code to execute (because NX=0 there). Is
>>>>>>> that really desirable?
>>>>>>>
>>>>>>> Does anybody know for sure which area (easier to check if exported in
>>>>>>> System.map) doesn't allow execution?
>>>>>>>
>>>>>>> I can confirm that NX is active on my machine (reported in dmesg).
>>>>>>>
>>
>



-- 
Regards,
Peter Teoh
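An added example, written for this archive page and not part of the thread or of the kernel source it quotes. It decodes an x86 page-table entry and reports whether the mapped page may execute, which makes the two points argued above concrete: a legacy 32-bit PTE has no bit 63 at all, so a non-PAE 32-bit kernel cannot express "no execute", while PAE and IA-32e entries are 64 bits wide and carry the XD (NX) flag in bit 63. It also models the reserved-bit detail raised in the thread: bit 63 is only the XD flag when IA32_EFER.NXE is set; with NXE clear it is a reserved bit and a present entry with it set faults. Bit positions follow the Intel SDM Vol. 3A paging chapter the thread cites; the sample entries are constructed, not taken from a real system.

```c
/*
 * Decode x86 page-table entries and report executability.
 * Added example for the NX discussion; not kernel code.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PTE_PRESENT   (1ULL << 0)   /* P: page is mapped */
#define PTE_RW        (1ULL << 1)   /* R/W: writable */
#define PTE_USER      (1ULL << 2)   /* U/S: accessible from ring 3 */
#define PTE_NX        (1ULL << 63)  /* XD: execute-disable, 64-bit entries only */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL /* bits 12..51: 4 KiB frame address */

struct pte_info {
    bool present, writable, user, nx;
    uint64_t phys;  /* physical frame address */
};

/* Split a 64-bit (PAE / IA-32e) PTE into its fields. */
struct pte_info decode_pae_pte(uint64_t pte)
{
    struct pte_info i;
    i.present  = (pte & PTE_PRESENT) != 0;
    i.writable = (pte & PTE_RW) != 0;
    i.user     = (pte & PTE_USER) != 0;
    i.nx       = (pte & PTE_NX) != 0;
    i.phys     = pte & PTE_ADDR_MASK;
    return i;
}

/* With NX enabled (IA32_EFER.NXE = 1), a present 64-bit PTE permits
 * instruction fetches unless XD is set. */
bool pae_page_executable(uint64_t pte)
{
    return (pte & PTE_PRESENT) && !(pte & PTE_NX);
}

/* A legacy 32-bit PTE has no XD bit: every present page is executable,
 * which is why a non-PAE 32-bit kernel cannot offer hardware NX. */
bool legacy_page_executable(uint32_t pte)
{
    return (pte & PTE_PRESENT) != 0;
}

/* Harden a data mapping: set XD so instruction fetches from it fault. */
uint64_t mark_nx(uint64_t pte)
{
    return pte | PTE_NX;
}

/* Bit 63 is the XD flag only while IA32_EFER.NXE = 1. With NXE = 0 it is
 * reserved, and a set reserved bit in a present entry makes the CPU raise a
 * page fault with the RSVD error-code bit. Not-present entries are not
 * checked for reserved bits. */
bool pte_bit63_valid(uint64_t pte, bool nxe)
{
    if (!(pte & PTE_PRESENT))
        return true;
    return nxe || !(pte & PTE_NX);
}

/* Constructed sample entries (not from any real system). */
static const uint64_t sample_text_pte = 0x0000000012345005ULL; /* P, U/S, executable */
static const uint64_t sample_data_pte = 0x8000000012346007ULL; /* P, R/W, U/S, XD */

int main(void)
{
    uint64_t ptes[] = { sample_text_pte, sample_data_pte, mark_nx(sample_text_pte) };
    for (size_t k = 0; k < sizeof ptes / sizeof ptes[0]; k++) {
        struct pte_info i = decode_pae_pte(ptes[k]);
        printf("pae pte %016llx -> frame %09llx %s%s%s exec=%s\n",
               (unsigned long long)ptes[k], (unsigned long long)i.phys,
               i.present ? "P" : "-", i.writable ? "W" : "-", i.user ? "U" : "-",
               pae_page_executable(ptes[k]) ? "yes" : "no");
    }
    printf("legacy 32-bit pte %08x exec=%s (no XD bit exists)\n",
           0x12345007u, legacy_page_executable(0x12345007u) ? "yes" : "no");
    return 0;
}
```

Compile with any C99 compiler and run; the PAE entry with bit 63 set reports exec=no while the 32-bit entry, identical in its low bits, can only ever report exec=yes.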
