NX bit

The NX bit, which stands for No eXecute, is a CPU feature that marks areas of memory as holding either processor instructions (code) or data, a separation normally found only in Harvard architecture processors. However, the NX bit is increasingly used in conventional von Neumann architecture processors, for security reasons.


A section of memory carrying the NX attribute is meant only for storing data: processor instructions should not reside there, and if they do, they cannot be executed. The general technique, known as executable space protection, is used to prevent certain types of malicious software from taking over computers by inserting their code into another program's data storage area and running it from there; this is known as a buffer overflow attack.


Intel has decided to market the feature as the XD bit, for eXecute Disable. However, Intel's XD bit and AMD's NX bit perform the same function and are different only in name.


Hardware background

Although this sort of mechanism has been around for years in various other processor architectures such as Sun's SPARC, Alpha, IBM's PowerPC, and even Intel's IA-64 architecture (as implemented in their "Merced" or Itanium, and Itanium 2, processors), the term is actually a name created by AMD for use by its AMD64 line of processors, such as the Athlon 64 and Opteron. It has since become a common term used generically for similar technologies in other processors. (Intel and other x86 processors have included a similar capability, at the segment level, since the 80286 processor, but that memory model is treated as obsolete by modern processors and operating systems. In practice it could not be used by modern programs, so AMD re-implemented the feature, at the page level, for the flat memory model used now.)


The NX bit specifically refers to bit 63 (the most significant bit, counting from 0, of the 64-bit entry) in a page table entry of an x86 processor. If this bit is 0, code can be executed from that page; if it is 1, code cannot be executed from that page, and anything residing there is treated as data only. Note that these entries must use the PAE page table format rather than the original x86 page table format.
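To make the bit layout concrete, here is an added example (not code from the original article) that builds and checks PAE-format page table entries in C. The macro and function names are this example's own; it models only the entry encoding and the MMU's permission decision, and assumes the operating system has already enabled NX support on the CPU.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions of a PAE/long-mode page table entry on x86. Bit 63 is the NX
 * bit described in the article; the low bits hold the present, read/write and
 * user/supervisor flags. Macro names are this example's own. */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_WRITABLE  (1ULL << 1)
#define PTE_USER      (1ULL << 2)
#define PTE_NX        (1ULL << 63)
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL   /* physical frame address, bits 12..51 */

enum access_result { ACCESS_OK, ACCESS_NOT_PRESENT, ACCESS_WRITE_PROTECTED, ACCESS_NX_FAULT };

/* Build a PTE for the 4 KiB frame at `phys`. NX is set whenever the page is not
 * meant to hold code, so data pages come out non-executable by default. */
uint64_t pte_make(uint64_t phys, bool writable, bool user, bool executable)
{
    uint64_t pte = (phys & PTE_ADDR_MASK) | PTE_PRESENT;
    if (writable)    pte |= PTE_WRITABLE;
    if (user)        pte |= PTE_USER;
    if (!executable) pte |= PTE_NX;
    return pte;
}

bool pte_is_executable(uint64_t pte)
{
    return (pte & PTE_PRESENT) && !(pte & PTE_NX);
}

/* A page that is both writable and executable is what executable space
 * protection exists to prevent; flag it so a page-table audit can report it. */
bool pte_is_writable_and_executable(uint64_t pte)
{
    return (pte & PTE_PRESENT) && (pte & PTE_WRITABLE) && !(pte & PTE_NX);
}

/* Model the permission check the MMU performs for one access. `fetch` means
 * the access is an instruction fetch. On real hardware the NX check applies
 * only once the OS has enabled NX support (EFER.NXE on x86); this model
 * assumes that has been done. Privilege level (user/supervisor) is not modelled. */
enum access_result pte_check_access(uint64_t pte, bool write, bool fetch)
{
    if (!(pte & PTE_PRESENT))           return ACCESS_NOT_PRESENT;
    if (write && !(pte & PTE_WRITABLE)) return ACCESS_WRITE_PROTECTED;
    if (fetch && (pte & PTE_NX))        return ACCESS_NX_FAULT;
    return ACCESS_OK;
}

int main(void)
{
    uint64_t code = pte_make(0x00200000, false, true, true);   /* text page: r-x */
    uint64_t data = pte_make(0x00201000, true,  true, false);  /* heap page: rw- */
    printf("code pte %016llx executable=%d\n", (unsigned long long)code, pte_is_executable(code));
    printf("data pte %016llx executable=%d\n", (unsigned long long)data, pte_is_executable(data));
    printf("instruction fetch from data page -> %d (3 = NX fault)\n",
           pte_check_access(data, false, true));
    return 0;
}
```

The data page's entry has bit 63 set, so an instruction fetch from it is refused while ordinary reads and writes proceed; that is the whole of the hardware mechanism, and everything the operating-system sections below describe is about deciding which pages get the bit.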


Intel implemented a similar feature in its Itanium processor series in 2001, but did not bring it to the more popular x86 processors (Pentium, Celeron, Xeon families). After AMD's decision to include this functionality in its AMD64 instruction set, Intel implemented a similar feature in x86 processors beginning with the Pentium 4 processors based on later iterations of the Prescott core.


Software emulation of feature

Before hardware support for this feature existed, various operating systems emulated it in software, for example with W^X or Exec Shield. These are described later in this article.


An operating system that emulates or takes advantage of an NX bit may prevent the stack and heap memory areas from being executable, and may prevent executable memory from being writable. This helps to stop certain buffer overflow exploits from succeeding, particularly those that inject and execute code, such as the Sasser and Blaster worms. These attacks rely on some part of memory, usually the stack, being both writable and executable; if it is not, the attack fails.
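As an added example (not part of the original article), the following C program shows the "writable or executable, never both" rule from the defender's side: a policy check for mmap()/mprotect() protection flags, and an audit that reads mappings in the format of Linux's /proc/<pid>/maps and reports any region that is writable and executable at the same time. The sample lines are constructed, and the function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Constructed lines in the format of /proc/<pid>/maps (not captured from a real
 * process). The fourth mapping is an anonymous region that is writable and
 * executable at once: exactly the memory an injected-code attack needs and
 * the kind of mapping an NX-aware kernel policy should refuse to create. */
static const char *const sample_maps[] = {
    "00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/example",
    "00651000-00652000 rw-p 00051000 08:01 1234 /usr/bin/example",
    "01e00000-01e21000 rw-p 00000000 00:00 0 [heap]",
    "7f2b1c000000-7f2b1c021000 rwxp 00000000 00:00 0",
    "7ffd3a4e0000-7ffd3a501000 rw-p 00000000 00:00 0 [stack]",
    NULL
};

/* Policy check for an mmap()/mprotect() request: a region may be written or
 * executed, never both at once. */
bool wx_policy_allows(int prot)
{
    return !((prot & PROT_WRITE) && (prot & PROT_EXEC));
}

/* True if one maps line describes a mapping that is both writable and executable. */
bool maps_line_is_wx(const char *line)
{
    unsigned long start, end;
    char perms[5];
    if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3)
        return false;                       /* not a maps line; ignore it */
    (void)start; (void)end;
    return strchr(perms, 'w') != NULL && strchr(perms, 'x') != NULL;
}

/* Count W+X mappings in a NULL-terminated array of maps lines. */
int count_wx_mappings(const char *const lines[])
{
    int n = 0;
    for (size_t i = 0; lines[i] != NULL; i++)
        if (maps_line_is_wx(lines[i]))
            n++;
    return n;
}

/* Run the same audit on the calling process. Returns the number of W+X
 * mappings found, or -1 where /proc is not available (non-Linux systems). */
int audit_self(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (f == NULL)
        return -1;
    char line[512];
    int n = 0;
    while (fgets(line, sizeof line, f) != NULL)
        if (maps_line_is_wx(line))
            n++;
    fclose(f);
    return n;
}

int main(void)
{
    printf("W+X mappings in constructed sample: %d\n", count_wx_mappings(sample_maps));
    printf("W+X mappings in this process: %d\n", audit_self());
    printf("PROT_READ|PROT_WRITE|PROT_EXEC allowed by policy: %d\n",
           wx_policy_allows(PROT_READ | PROT_WRITE | PROT_EXEC));
    return 0;
}
```

A non-zero result from the live audit is worth investigating: on a system with a hardware NX bit and a kernel that uses it, a healthy process normally has no region that is both writable and executable, and a JIT or runtime that needs one should flip the permission with mprotect() rather than keep both at once.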


OS implementations

Many operating systems implement or have an available NX policy, and some implement or have available NX emulation. Here is a list of such systems in alphabetical order, each with technologies ordered from newest to oldest.


At the head of each technology there is a data table summarizing the major features it supports, so that the essentials can be read at a glance before the text below. The table is structured as follows.

  • Hardware Supported Processors: (Comma separated list of CPU architectures)
  • Emulation: (No) or (Architecture Independent) or (Comma separated list of CPU architectures)
  • Other Supported: (None) or (Comma separated list of CPU architectures)
  • Standard Distribution: (No) or (Yes) or (Comma separated list of distributions or versions which support the technology)
  • Release Date: (Date of first release)

A technology supplying Architecture Independent emulation will be functional on all processors which are not hardware supported. The "Other Supported" line is for processors on which an explicit NX bit does not exist but the hardware allows one to be emulated in some way.


FreeBSD

FreeBSD has supported NX in FreeBSD -CURRENT since April 6, 2007.


Mac OS X

Mac OS X for Intel supports the NX bit on all CPUs supported by Apple (from 10.4.4, the first Intel release, onwards).


Linux

The Linux kernel currently supports standard hardware NX on CPUs that support it, such as the current 64-bit CPUs of AMD, Intel, Transmeta and VIA.


The support for this feature in the 64-bit mode on x86_64 CPUs was added in 2004 by Andi Kleen, and later the same year, Ingo Molnar added support for the NX bit in 32-bit mode on 64-bit CPUs. These features have been in the stable Linux kernel since release 2.6.8 in August 2004.


The availability of the NX bit on 32-bit x86 kernels, which may run on both 32-bit x86 CPUs and 64-bit x86-compatible CPUs, is significant because a 32-bit x86 kernel would not normally expect the NX bit that an AMD64 or IA-64 CPU supplies; the NX enabler patch ensures that these kernels attempt to use the NX bit if it is present.


Some desktop Linux distributions such as Fedora Core 6, Ubuntu and OpenSuSE do not enable the HIGHMEM64 option, which is required to gain access to the NX bit in 32-bit mode, in their default kernel. This is because the PAE mode required to use the NX bit causes pre-Pentium Pro processors (including the Pentium MMX) and 400 MHz bus Pentium M processors, which do not support the NX bit or PAE, to fail to boot. Fedora Core 6 does, however, provide a kernel-PAE package which supports PAE and NX.


Non-execute functionality has also been available for many releases on other (non-x86) processors that support it.


Exec Shield

Red Hat kernel developer Ingo Molnar released a Linux kernel patch named Exec Shield to approximate and utilize NX functionality on 32-bit x86 CPUs.


The Exec Shield patch was released to the Linux kernel mailing list on May 2, 2003. It was rejected for merging with the base kernel because it involved some intrusive changes to core code in order to handle the complex parts of the emulation trick.


PaX

The PaX NX technology can emulate an NX bit or NX functionality, or use a hardware NX bit. PaX works on x86 CPUs that do not have the NX bit, such as 32-bit x86.


The PaX project originated October 1, 2000. It was later ported to 2.6, and is at the time of this writing still in active development.


The Linux kernel still does not ship with PaX (as of May, 2007); the patch must be merged manually.


NetBSD

As of NetBSD 2.0 and later (December 9, 2004), architectures which support it have non-executable stack and heap.


Those which have per-page granularity consist of: amd64, sparc64, sparc (sun4m, sun4d), powerpc (ibm4xx), alpha, sh5, hppa.


Those which can only support these with region granularity are: powerpc (e.g. macppc), i386.


Other architectures do not benefit from a non-executable stack or heap, as NetBSD does not by default use any software emulation to offer these features.


OpenBSD

W^X

A technology in the OpenBSD operating system, known as W^X, currently takes advantage of NX technology in the AMD64 port, so that W^X is fully available in hardware on these systems. Current OpenBSD also provides W^X on CPUs without an NX bit.


W^X supports the NX bit on Alpha, AMD64, HPPA, and SPARC processors (but notably, not the Intel 64 processors, early ones of which did not have the NX feature).


OpenBSD 3.3 shipped May 1, 2003, and was the first to include W^X.

  • Hardware Supported Processors: Alpha, AMD64, HPPA, SPARC
  • Emulation: IA-32 (x86)
  • Other Supported: None
  • Standard Distribution: Yes
  • Release Date: May 1, 2003


Solaris

Solaris has supported globally disabling stack execution on SPARC processors since Solaris 2.6 (1997); in Solaris 9 (2002), support for disabling stack execution on a per-executable basis was added.


As of Solaris 10 (2005), NX protection is automatically enabled by default on x86 processors that support this feature. Exceptions are made for the 32-bit legacy ABI's treatment of a program's stack segment. The vast majority of programs will work without changes. However, if a program fails, the protection may be disabled via the enforce-prot-exec EEPROM option. Sun recommends that such failures be reported as program bugs.[citation needed]


Windows

Starting with Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, the NX features were implemented for the first time on the x86 architecture. Future versions of Windows operating systems will also support the NX bit. There are no current plans to backport it to previous versions of Windows, such as Windows 2000.


Windows uses NX protection on critical Windows services exclusively by default. Under Windows XP or Server 2003, the feature is called Data Execution Prevention (abbreviated DEP), and it can be configured through the advanced properties of the "My Computer" icon. If the x86 processor supports this feature in hardware, then the NX features are turned on automatically in Windows XP/Server 2003 by default. If the feature is not supported by the x86 processor, then no protection is given.


"Software DEP" is unrelated to the NX bit, and is what Microsoft calls their enforcement of Safe Structured Exception Handling. Software DEP/SafeSEH simply checks when an exception is thrown to make sure that the exception is registered in a function table for the application, and requires the program to be built with it. This is likely a countermeasure to handle an exploit possible because of the way DEP handles NX faults; while most other technologies simply terminate the program unquestioningly, DEP raises an exception. It is not possible for a program to truly recover from an attack because program flow is destroyed in an unrecoverable manner.


Unlike most other protection schemes, DEP provides no address space layout randomization, which may allow return-to-libc attacks that could feasibly be used to disable DEP during an attack. The possibility has not yet been proven on Windows specifically; but the PaX documentation elaborates on why ASLR is necessary. It may be possible to develop a successful attack if the address of prepared data such as corrupted images or MP3s can be known by the attacker. Microsoft added ASLR functionality into Windows Vista beta 2 to address this avenue of attack.


Outside of the x86 sphere, a version of NX also exists for Intel's IA-64, and it is implemented in the Windows versions that run on that architecture.


Functional comparison of technologies

Here, features of the NX technologies will be compared and contrasted.


Generally, NX bit emulation is available only on x86 CPUs. The sections within dealing with emulation are concerned only with x86 CPUs unless otherwise stated.


While it has been proven that some NX bit emulation methods incur an extremely low overhead, it has also been proven that such methods can become inaccurate. On the other hand, other methods may incur an extremely high overhead and be absolutely accurate. No method has been discovered as of yet without a significant trade-off, whether in processing power, accuracy, or virtual memory space.


Overhead

Overhead is the amount of extra CPU processing power that is required for each technology to function. It matters because technologies which emulate or otherwise supply an NX bit will usually impose a measurable overhead, while using a hardware-supplied NX bit imposes no measurable overhead. All technologies create some overhead due to the extra programming logic needed to control the state of the NX bit for various areas of memory; however, when a hardware NX bit exists, the evaluation itself is handled by the CPU and thus produces no overhead.


On CPUs supplying a hardware NX bit, none of the listed technologies imposes any significant measurable overhead unless explicitly noted.


Exec Shield

Exec Shield's legacy CPU support approximates (Ingo Molnar's word for it) NX emulation by tracking the upper code segment limit. This imposes only a few cycles of overhead during context switches, which is for all intents and purposes immeasurable.


PaX

PaX supplies two methods of NX bit emulation, called SEGMEXEC and PAGEEXEC.


The SEGMEXEC method imposes a measurable but low overhead, typically less than 1%. This is a constant factor caused by the virtual memory mirroring it uses. SEGMEXEC also halves the task's virtual address space, so the task can address less memory than it normally could. This is not a problem until the task requires access to more than half the normal address space, which is rare. SEGMEXEC does not cause programs to use more system memory (i.e. RAM); it only restricts how much they can address. On 32-bit CPUs, the usable address space becomes 1.5 GiB rather than 3 GiB.


In PAGEEXEC, PaX supplies a speed-up similar to Exec Shield's approximation; however, when higher memory is marked executable, this method loses its protections. In these cases, PaX falls back to the older, variable-overhead PAGEEXEC method to protect pages below the CS limit, which can become a quite expensive operation under certain memory access patterns.


When the PAGEEXEC method is used on a CPU supplying a hardware NX bit, the hardware NX bit is used; no emulation is used, thus no significant overhead is incurred.


Accuracy

Some technologies approximately emulate (or approximate) an NX bit on CPUs which do not support them. Others strictly emulate an NX bit for these CPUs, but decrease performance or virtual memory space significantly. Here, these methods will be compared for accuracy.


All technologies listed here are 100% accurate in the presence of a hardware NX bit, unless otherwise stated.


Exec Shield

For legacy CPUs without an NX bit, Exec Shield fails to protect pages below the code segment limit: an mprotect() call that marks higher memory, such as the stack, executable will mark all memory below that limit executable as well. Thus, in these situations, Exec Shield's scheme fails. This is the cost of Exec Shield's low overhead (see above).


PaX

SEGMEXEC does not rely on a volatile mechanism like the one used in Exec Shield, and thus never encounters conditions in which fine-grained NX bit emulation cannot be enforced; it does, however, halve the virtual address space as mentioned above.


PAGEEXEC will fall back to the original PAGEEXEC method used before the speed-up when data pages exist below the upper code segment limit. In both cases, PaX' emulation remains 100% accurate; no pages will become executable unless the operating system explicitly marks them as such.


It is also interesting to note that PaX supplies mprotect() restrictions to prevent programs from marking memory in ways which produce memory useful for a potential exploit. This policy causes certain applications to cease to function, but it can be disabled for the affected programs.
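The restriction described above shows up at runtime as a refused mprotect() call. The following probe is an added example (not PaX code) that asks the kernel to turn a writable anonymous page executable and reports whether a W^X style policy refused the transition; it never executes anything from the page.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sys/mman.h>
#include <unistd.h>

/* Probe whether a writable anonymous mapping may later be made executable.
 * Returns 1 if the kernel refused the transition (PaX MPROTECT reports EPERM;
 * other W^X policies may report EACCES), 0 if it was allowed (a stock kernel),
 * and -1 if the probe itself could not be carried out. */
int rwx_transition_blocked(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    if (pagesz <= 0)
        return -1;

    /* Start with a private RW page, the shape an exploit payload would need. */
    void *p = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;

    /* Ask for execute permission on a page that has been writable. */
    int rc = mprotect(p, (size_t)pagesz, PROT_READ | PROT_EXEC);
    int saved = errno;
    munmap(p, (size_t)pagesz);

    if (rc == 0)
        return 0;                         /* no restriction in force */
    return (saved == EPERM || saved == EACCES) ? 1 : -1;
}
```

A program that needs such transitions legitimately (a JIT, for example) should expect the 1 case on a PaX system and fall back to a double-mapping or a per-binary exemption rather than abort.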


Control over restrictions

Some technologies allow executable programs to be marked so that the operating system knows to relax the restrictions imposed by the NX technology for that particular program. Various systems provide various controls; such controls are described here.


Exec Shield

Exec Shield supplies executable markings. Exec Shield only checks for two ELF header markings, which dictate whether the stack or heap needs to be executable. These are called PT_GNU_STACK and PT_GNU_HEAP, respectively. Exec Shield allows these controls to be set for both binary executables and for libraries; if an executable loads a library requiring a given restriction relaxed, the executable will inherit that marking and have that restriction relaxed.


PaX

PaX supplies fine-grained control over protections. It allows individual control over the following functions of the technology for each binary executable:

  • Executable space protections
    • PAGEEXEC
    • SEGMEXEC
  • mprotect() restrictions
  • Trampoline emulation
  • Randomized executable base
  • Randomized mmap() base

See the PaX article for more details about these restrictions.


PaX completely ignores both PT_GNU_STACK and PT_GNU_HEAP. There was a point in time when PaX had a configuration option to honor these settings; that option has since been intentionally removed for security reasons, as it was deemed not useful. The same result as PT_GNU_STACK can normally be attained by disabling mprotect() restrictions, as the program will normally mprotect() the stack on load. This may not always be true; for situations where this fails, simply disabling both PAGEEXEC and SEGMEXEC will effectively remove all executable space restrictions, giving the task the same protections on its executable space as a non-PaX system.
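Whether the loader honors it (Exec Shield) or ignores it (PaX), the PT_GNU_STACK marking is the first thing to audit when a binary claims it needs an executable stack. The following is an added example, not code from either project, that reads the marking from a little-endian ELF64 image; the sample image it builds is constructed here and is not a real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PT_GNU_STACK 0x6474e551u   /* ELF constants, inline so <elf.h> is not needed */
#define PF_X 0x1u
#define PF_W 0x2u
#define PF_R 0x4u

/* Little-endian readers/writer at fixed offsets: no alignment assumptions. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const unsigned char *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr32(unsigned char *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i)); }

/* p_flags of PT_GNU_STACK in a little-endian ELF64 image; -2 if the header is absent (the loader then defaults to an executable stack); -1 if malformed. */
long gnu_stack_flags(const unsigned char *img, size_t len)
{
    if (len < 64 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[4] != 2 || img[5] != 1)
        return -1;                                   /* not ELF64 little-endian */
    uint64_t phoff = rd64(img + 32);
    uint16_t phentsize = rd16(img + 54), phnum = rd16(img + 56);
    if (phentsize < 56 || phoff > len || (uint64_t)phnum * phentsize > len - phoff)
        return -1;                                   /* program headers outside the image */
    for (uint16_t i = 0; i < phnum; i++) {
        const unsigned char *ph = img + phoff + (size_t)i * phentsize;
        if (rd32(ph) == PT_GNU_STACK) return (long)rd32(ph + 4);
    }
    return -2;
}

/* 1 if the image will get an executable stack (PF_X set, or no PT_GNU_STACK), 0 if the stack is marked non-executable, -1 if malformed. */
int requests_exec_stack(const unsigned char *img, size_t len)
{
    long f = gnu_stack_flags(img, len);
    return f == -1 ? -1 : (f == -2 || (f & PF_X)) ? 1 : 0;
}

/* Constructed sample, not a real binary: ELF64 header plus a PT_LOAD and a PT_GNU_STACK program header carrying stack_flags. Returns the image length. */
size_t make_sample_elf(unsigned char *buf, uint32_t stack_flags)
{
    memset(buf, 0, 64 + 2 * 56);
    memcpy(buf, "\x7f" "ELF\x02\x01\x01", 7);        /* magic, ELF64, LE, version 1 */
    buf[16] = 2; buf[18] = 0x3e;                      /* ET_EXEC, EM_X86_64 */
    buf[32] = 64; buf[52] = 64; buf[54] = 56; buf[56] = 2; /* e_phoff, e_ehsize, e_phentsize, e_phnum */
    wr32(buf + 64, 1); wr32(buf + 68, PF_R | PF_X);   /* PT_LOAD, r-x text */
    wr32(buf + 120, PT_GNU_STACK); wr32(buf + 124, stack_flags);
    return 64 + 2 * 56;
}
```

To audit a real file, read it into a buffer and pass it to requests_exec_stack(); a result of 1 for a binary that is not a known exception is what a PaX mprotect() restriction would later refuse at run time.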


Windows

When NX is supported, it is enabled by default. Windows allows programs to control which pages disallow execution through its API as well as through the section headers in a PE file.


In the API, runtime access to the NX bit is exposed through the Win32 API calls VirtualAlloc[Ex] and VirtualProtect[Ex]. In these functions, a page protection setting is specified by the programmer. Each page may be individually flagged as executable or non-executable. Despite the lack of previous x86 hardware support, both executable and non-executable page settings have been provided since the beginning. On pre-NX CPUs, the presence of the 'executable' attribute has no effect. It was documented as if it did function, and, as a result, most programmers used it properly.


In the PE file format, each section can specify its executability. The execution flag has existed since the beginning of the format; standard linkers have always used this flag correctly, even long before the NX bit.


Because of this, Windows is able to enforce the NX bit on old programs. Assuming the programmer complied with "best practices", applications should work correctly now that NX is actually enforced. Only in a few cases have there been problems; Microsoft's own .NET Runtime had problems with the NX bit and was updated.


Xbox

In Microsoft's Xbox, although the CPU does not have the NX bit, newer versions of the XDK set the code segment limit to the beginning of the kernel's .data section (no code should be after this point in normal circumstances). This was probably in response to the 007: Agent Under Fire saved game exploit[citation needed]; however, this change does not fix the problem, as the memory from which the payload executes is well below the beginning of the kernel's .data section.


Starting with version 51xx, this change was also implemented into the kernel of new Xboxes. This broke the techniques old exploits used to become a TSR; new versions were quickly released supporting this new kernel version because the fundamental exploit was unaffected.


The Wikipedia article included on this page is licensed under the GFDL.