Thanks for all the links, but that is not what I am looking for. My question is: I dont understand why some (all?) data areas in my NX-enable machine dont prohibit execution (why it should). I dont look for the solution (like PaX), just want to know why NX-feature doesnt behave like I expected. Thanks, H On Wed, Mar 11, 2009 at 12:56 PM, Peter Teoh <htmldeveloper@xxxxxxxxx> wrote: > Sorry, and another article too: > > Bypassing PaX ASLR protection > > On Wed, Mar 11, 2009 at 11:55 AM, Peter Teoh <htmldeveloper@xxxxxxxxx> wrote: >> Bypassing PaX - check out this Phrack article: >> >> The advanced return-into-lib(c) exploits >> >> On Wed, Mar 11, 2009 at 11:51 AM, Peter Teoh <htmldeveloper@xxxxxxxxx> wrote: >>> the best I can find is this: >>> >>> http://wapedia.mobi/en/Executable_space_protection >>> >>> which indicated that ExecShield was rejected because of some >>> "intrusive changes". >>> >>> And reading this: >>> >>> http://wapedia.mobi/en/Exec_Shield >>> >>> ExecShield is only an emulation, not really requiring true hardware >>> support, and thus entailing some performance tradeoffs. >>> >>> whereas PaX truely used NX bit....readup the patches. But then again..... >>> >>> 1. There are ways (in another Phrack article) to bypass the PaX protection. >>> 2. The PaX patches may break some applications etc. And most >>> important....PAE is slooooooooooooooooooooooooow. >>> >>> http://lkml.indiana.edu/hypermail/linux/kernel/0612.1/0632.html >>> >>> On Wed, Mar 11, 2009 at 11:03 AM, Pei Lin <telent997@xxxxxxxxx> wrote: >>>> i think if date area can execute code ,it is really very dangerous for >>>> cracker who can easily write >>>> shellcode like : >>>> >>>> char shellcode[]={}; >>>> void (*fp)() = shellcode; >>>> fp(); >>>> >>>> these some virus lovers give examples: >>>> http://www.governmentsecurity.org/forum/lofiversion/index.php/t31130.html >>>> >>>> I search on the internet and Ingo give some ideas >>>> about 'Exec Shield' - new Linux security feature. >>>> http://www.linux.com/feature/29186?theme=print >>>> >>>> i don't know the kernel has these feature now.who know that plz tell >>>> us the details. >>>> >>>> thx >>>> >>>> Lin >>>> >>>> 2009/3/11 NAHieu <nahieu@xxxxxxxxx>: >>>>> On Wed, Mar 11, 2009 at 10:46 AM, NAHieu <nahieu@xxxxxxxxx> wrote: >>>>>> On Tue, Mar 10, 2009 at 4:13 PM, Peter Teoh <htmldeveloper@xxxxxxxxx> wrote: >>>>>>> Sorry, my mistake, PAE is required yes, and then 32bit Linux Kernel >>>>>>> will have NX enabled: >>>>>>> >>>>>>> PAE can be enabled with CONFIG_X86_PAE (and CONFIG_HIGHMEM64G - >>>>>>> possibly needed, which is what the kernel config file for Fedora Core >>>>>>> 11 has): >>>>>>> >>>>>>> In arch/x86/mm/init_32.c: >>>>>>> >>>>>>> #ifdef CONFIG_X86_PAE >>>>>>> set_nx(); >>>>>>> if (nx_enabled) >>>>>>> printk(KERN_INFO "NX (Execute Disable) protection: active\n"); >>>>>>> #endif >>>>>> >>>>>> That is indeed what happens in the kernel code. However, now I really >>>>>> have some doubts now after reading the Intel manual 3A. >>>>>> >>>>>> According to 3.8.5, PAE mode in x86 reserves all the bits from 36-63 >>>>>> to 0. Knowing that bit 63 is for NX, this means NX bit is never on, so >>>>>> no page can be set with NX bit. As a result, all the pages in x86 >>>>>> cannot prohibit execution. >>>>>> >>>>>> Meanwhile, 3.10.3 clearly mentions NX bit can be turned on in x86-64 >>>>>> (IA32e in Intel term). >>>>>> >>>>>> So this means NX is really only possible in 64bit OS??? But then why >>>>>> Linux 32 turns on NX? >>>>>> >>>>>> Could anybody confirm this confusion? >>>>> >>>>> Hmm now I see the reason: 4.13.3 says that the reserved bits are >>>>> checked when PAE is on. >>>>> >>>>> My question still stands: why some (every?) data areas dont prohibit >>>>> execution in x86 Linux? >>>>> >>>>> Thanks, >>>>> H >>>>> >>>>> >>>>> >>>>>>> On Tue, Mar 10, 2009 at 12:23 PM, NAHieu <nahieu@xxxxxxxxx> wrote: >>>>>>>> On Mon, Mar 9, 2009 at 11:50 PM, Peter Teoh <htmldeveloper@xxxxxxxxx> wrote: >>>>>>>>> as far as I can remember, in x86 architecture, hardware-wise, it is >>>>>>>>> NOT possible to enable NX. U may do anything via software, but it >>>>>>>>> will not be enabled. NX feature is only for 64bit OS. >>>>>>>>> >>>>>>>> >>>>>>>> No, NX is available for 32bit Linux, as long as PAE is enable. >>>>>>>> >>>>>>>> I am still stuck here (on 32bit Linux). It seems nobody can shed some >>>>>>>> lights in this problem? >>>>>>>> >>>>>>>> Thanks, >>>>>>>> H >>>>>>>> >>>>>>>> >>>>>>>>> On Mon, Mar 9, 2009 at 4:27 AM, NAHieu <nahieu@xxxxxxxxx> wrote: >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> I inspect my Linux memory, and it seems that there is no area that >>>>>>>>>> prohibite execution like I expected (using NX bit in modern CPU). That >>>>>>>>>> really surprises me. >>>>>>>>>> >>>>>>>>>> I looked at some potential data areas exported in System.map file, like: >>>>>>>>>> >>>>>>>>>> - mark_rodata_ro >>>>>>>>>> - sysctl_data >>>>>>>>>> - new_cpu_data >>>>>>>>>> - boot_cpu_data >>>>>>>>>> >>>>>>>>>> And all of these areas allow to execute code (because NX=0 there). Is >>>>>>>>>> that really desirable? >>>>>>>>>> >>>>>>>>>> Anybody know for sure which area (easier to check if exported in >>>>>>>>>> System.map) doesnt allow execute? >>>>>>>>>> >>>>>>>>>> I can confirm that NX is active in my machine (reported in dmesg) >>>>>>>>>> >>>>> >>>> >>> >>> >>> >>> -- >>> Regards, >>> Peter Teoh >>> >> >> >> >> -- >> Regards, >> Peter Teoh >> > > > > -- > Regards, > Peter Teoh > -- To unsubscribe from this list: send an email with "unsubscribe kernelnewbies" to ecartis@xxxxxxxxxxxx Please read the FAQ at http://kernelnewbies.org/FAQ
