Re: non-executable stack (via PT_GNU_STACK) not being enforced
On Mon, 11 Oct 2010 11:50:54 -0500, Marsh Ray wrote:
> On 10/10/2010 12:40 PM, Kees Cook wrote:
> > On Sun, Oct 10, 2010 at 01:35:10PM -0400, Brchk05 wrote:
> >> this means that my CPU supports nx but I do
> >> not have the right type of kernel, i.e., one that uses PAE
> >> addressing, to support enforcement (or is that part Ubuntu
> >> specific). Does this sound plausible?
> > That is quite likely, yes. If you're running 64bit, you already have
> > PAE mode. If you're running 32bit, you'll need to check your kernel's
> > CONFIG options for PAE. The default for 32bit is _not_ PAE mode, so
> > this is probably what is happening.
> Anyone else perceive this situation as being a bit sub-optimal from the
> security perspective?
I agree that this is not ideal.
> I'm quite certain there are lots of Debian server admins out there who
> had assumed that in the year 2010 their operating system is not going to
> disable the nonexecutable page protection which is built into every
> modern processor.
> Yes, I have always thought that PAE in general was a kludge, but the NX
> bit is now a fundamental part of the process integrity provided by the
> CPU. It's been available in the 2.6 kernel, and shipped in MS Windows,
> since 2004.
> What can be done to not disable page protections in the default kernel?
You would need to convince the kernel team that the bigmem kernel
should be the default on i386 systems.
> What can be done to at least warn users that the OS is silently not
> enforcing the page protections advertised by the CPU?
There is the checksec script, which I have packaged, but have yet to
get sponsored. It checks whether various kernel security features are
enabled. Other than that, perhaps a debconf warning on kernels without
NX enabled would be useful.