On 10/10/2010 12:40 PM, Kees Cook wrote:
On Sun, Oct 10, 2010 at 01:35:10PM -0400, Brchk05 wrote:this means that my CPU supports nx but I do not have the right type of kernel, i.e., one that uses PAE addressing, to support enforcement (or is that part Ubuntu specific). Does this sound plausible?That is quite likely, yes. If you're running 64bit, you already have PAE mode. If you're running 32bit, you'll need to check your kernel's CONFIG options for PAE. The default for 32bit is _not_ PAE mode, so this is probably what is happening.
Anyone else perceive this situation as being a bit sub-optimal from the security perspective?
I'm quite certain there are lots of Debian server admins out there who had assumed that in the year 2010 their operating system is not going to disable the nonexecutable page protection which is built into every modern processor.
Yes, I have always thought that PAE in general was a kludge, but the NX bit is now a fundamental part of the process integrity provided by the CPU. It's been available in the 2.6 kernel, and shipped in MS Windows, since 2004.
What can be done to not disable page protections in the default kernel?What can be done to at least warn users that the OS is silently not enforcing the page protections advertised by the CPU?
- Marsh