From: Marc Bevand <bevand_m@epita.fr>
To: linux-kernel@vger.kernel.org
Subject: Re: WINE + NX (No eXecute) support for x86, 2.6.7-rc2-bk2
Date: Fri, 11 Jun 2004 11:50:39 +0200
Message-ID: <cabvf1$2ts$1@sea.gmane.org>
In-Reply-To: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAA2ZSI4XW+fk25FhAf9BqjtMKAAAAQAAAAFnNl61uL20Wfr6jkoh79oAEAAAAA@casabyte.com>

Robert White wrote:
> You are missing the model:
> 
> To enable executable stack/heap you would:
> 
> if ((fd = open("/proc/self/NX",O_RDWR)) >= 0) {
>    write(fd,"1",1);
>    close(fd);
> }
> 
> (disabling would be symmetric with "0")
> 
> Because this is a sequence of specific instructions (that shouldn't exist in the
> default library to prevent stack return hack invocation) these instructions would
> exist only in programs that want to be EX anyway.

Even such a protection model (a sequence of 3 syscalls to enable or
disable NX) can be easily bypassed by an attacker. The classic method
of return-into-libc (with a small variation that I would call
chained-returns-into-libc) still works.

As other people already said on this list: the ability to disable NX
is a *bad* thing for security.

-- 
Marc Bevand                          http://www.epita.fr/~bevand_m
Computer Science School EPITA - System, Network and Security Dept.