From: Marc Bevand <bevand_m@epita.fr>
To: linux-kernel@vger.kernel.org
Subject: Re: WINE + NX (No eXecute) support for x86, 2.6.7-rc2-bk2
Date: Fri, 11 Jun 2004 11:50:39 +0200
Message-ID: <cabvf1$2ts$1@sea.gmane.org>
In-Reply-To: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAA2ZSI4XW+fk25FhAf9BqjtMKAAAAQAAAAFnNl61uL20Wfr6jkoh79oAEAAAAA@casabyte.com>
Robert White wrote:
> You are missing the model:
>
> To enable executable stack/heap you would:
>
> 	if ((fd = open("/proc/self/NX",O_RDWR)) >= 0) {
> 		write(fd,"1",1);
> 		close(fd);
> 	}
>
> (disabling would be symmetric with "0")
>
> Because this is a sequence of specific instructions (that shouldn't exist in the
> default library to prevent stack return hack invocation) these instructions would
> exist only in programs that want to be EX anyway.

Even such a protection model (a sequence of 3 syscalls to enable or
disable NX) can be easily bypassed by an attacker. The classic method
of return-into-libc (with a small variation that I would call
chained-returns-into-libc) still works.

As other people already said on this list: the ability to disable NX
is a *bad* thing for security.
--
Marc Bevand http://www.epita.fr/~bevand_m
Computer Science School EPITA - System, Network and Security Dept.
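
An added example, not part of either author's message or of any kernel code: one way to audit the outcome this thread argues over, by scanning a /proc/<pid>/maps listing for stack or heap mappings that are both writable and executable. The sample listing and the names audit_maps and wx_report are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format (not from a real system). */
static const char *SAMPLE_MAPS =
    "08048000-08052000 r-xp 00000000 03:01 1234  /usr/bin/demo\n"
    "08052000-08053000 rw-p 0000a000 03:01 1234  /usr/bin/demo\n"
    "09000000-09021000 rwxp 00000000 00:00 0     [heap]\n"
    "b7d00000-b7d21000 rw-p 00000000 00:00 0 \n"
    "b7e00000-b7f40000 r-xp 00000000 03:01 5678  /lib/libc.so.6\n"
    "bffdf000-c0000000 rwxp 00000000 00:00 0     [stack]\n";

struct wx_report { int wx_total, wx_stack, wx_heap; };

/* Count mappings that are both writable and executable, i.e. regions
 * where NX is not in effect for data the process can modify. */
static struct wx_report audit_maps(const char *maps)
{
    struct wx_report r = {0, 0, 0};
    for (const char *line = maps; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512], perms[5] = "", name[256] = "";
        unsigned long long start, end;

        if (len < sizeof buf) {          /* skip over-long lines */
            memcpy(buf, line, len);
            buf[len] = '\0';
            /* Fields: start-end perms offset dev inode [pathname] */
            int n = sscanf(buf, "%llx-%llx %4s %*s %*s %*s %255[^\n]",
                           &start, &end, perms, name);
            if (n >= 3 && perms[1] == 'w' && perms[2] == 'x') {
                r.wx_total++;
                r.wx_stack += strcmp(name, "[stack]") == 0;
                r.wx_heap  += strcmp(name, "[heap]") == 0;
            }
        }
        line += len + (eol ? 1 : 0);
    }
    return r;
}

int main(void)
{
    struct wx_report r = audit_maps(SAMPLE_MAPS);
    printf("W+X mappings: %d (stack: %d, heap: %d)\n",
           r.wx_total, r.wx_stack, r.wx_heap);
    return 0;
}
```

To audit a live process, read /proc/<pid>/maps into a buffer and pass it to audit_maps in place of the constructed sample.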