
Re: non-executable stack (via PT_GNU_STACK) not being enforced



In <4CB3406E.5020900@extendedsubset.com>, Marsh Ray wrote:
>On 10/10/2010 12:40 PM, Kees Cook wrote:
>> On Sun, Oct 10, 2010 at 01:35:10PM -0400, Brchk05 wrote:
>>> this means that my CPU supports nx but I do
>>> not have the right type of kernel, i.e., one that uses PAE
>>> addressing, to support enforcement (or is that part Ubuntu
>>> specific).  Does this sound plausible?
>> 
>> That is quite likely, yes. If you're running 64bit, you already have
>> PAE mode. If you're running 32bit, you'll need to check your kernel's
>> CONFIG options for PAE. The default for 32bit is _not_ PAE mode, so
>> this is probably what is happening.
>
>Anyone else perceive this situation as being a bit sub-optimal from the
>security perspective?

No.

>I'm quite certain there are lots of Debian server admins out there who
>had assumed that in the year 2010 their operating system is not going to
>disable the nonexecutable page protection which is built into every
>modern processor.

Debian server admins are running amd64, not i386, and NX is supported by 
default on 64-bit kernels.  Even if they are running the i386 arch because of 
some random closed app they have to have on top of Debian, they can run the 
amd64 kernel.

>Yes, I have always thought that PAE in general was a kludge, but the NX
>bit is now a fundamental part of the process integrity provided by the
>CPU. It's been available in the 2.6 kernel, and shipped in MS Windows,
>since 2004.

MS Windows also defaults to PAE.

>What can be done to not disable page protections in the default kernel?

Enable PAE.  From what I understand, the features are not separable in the 
i386 kernel.  You either suffer under PAE and get NX, or you suffer without NX 
and drop PAE.
-- 
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
bss@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/
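
The check discussed in this message (on a 32-bit kernel, NX is only enforced when the kernel is built with PAE; 64-bit kernels already have it), as an added example that is not part of the original thread. The function name `nx_status`, its result strings, and the `/boot/config-$(uname -r)` path (the usual Debian/Ubuntu location) are assumptions.

```shell
#!/bin/sh
# Added example: decide whether hardware NX can be enforced by the running
# kernel, using the rule from the thread (an i386 kernel needs PAE for NX).
# nx_status MACHINE CPUINFO_FILE KCONFIG_FILE
#   MACHINE       output of `uname -m` (x86_64, i686, ...)
#   CPUINFO_FILE  normally /proc/cpuinfo
#   KCONFIG_FILE  normally /boot/config-$(uname -r)  (assumed layout)
nx_status() {
    machine=$1
    cpuinfo=$2
    kconfig=$3

    # First "flags" line, padded with spaces so whole-word matching works.
    flags=" $(sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' "$cpuinfo" | head -n 1) "

    case $flags in
        *" nx "*) ;;
        *) echo "no-nx-cpu"; return 1 ;;
    esac

    case $machine in
        x86_64)
            # A 64-bit kernel already runs with PAE-style paging.
            echo "nx-available"; return 0 ;;
        i?86)
            case $flags in
                *" pae "*) ;;
                *) echo "no-pae-cpu"; return 1 ;;
            esac
            # CPU is capable; the kernel must also be built with PAE.
            if grep -q '^CONFIG_X86_PAE=y' "$kconfig" 2>/dev/null; then
                echo "nx-available"; return 0
            fi
            echo "kernel-lacks-pae"; return 1 ;;
        *)
            echo "unknown-arch"; return 2 ;;
    esac
}

# Query the live system only when invoked as: sh nxcheck.sh live
if [ "${1:-}" = "live" ]; then
    nx_status "$(uname -m)" /proc/cpuinfo "/boot/config-$(uname -r)"
fi
```

A result of `kernel-lacks-pae` is the situation the original poster hit: the CPU advertises `nx`, but the default non-PAE 32-bit kernel cannot use it.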
