smack n00b
Joined: 09 Dec 2004 Posts: 18

Posted: Wed Feb 02, 2005 3:45 pm Post subject: amd 64 NX (no eXecution) feature
Hi,
how can I test if the NX feature is applied successfully on my Opteron box?
dmesg says the following:
Code:
# dmesg | egrep -i "nx|exec"
Bootdata ok (command line is root=/dev/sda5 noexec=all,on)
Kernel command line: root=/dev/sda5 noexec=all,on console=tty0
But the NX quick-start guide (http://people.redhat.com/mingo/nx-patches/QuickStart-NX.txt) says:
Code:
- upon bootup, if your CPU supports NX, you should see this boot message:
NX (Execute Disable) protection: active
A grep in the kernel source (2.6.10) shows this:
Code:
# grep -r "Execute Disable) protection" .
./arch/i386/mm/init.c: printk("NX (Execute Disable) protection: active\n");
Why not in x86_64?

ewan.paton Veteran
Joined: 29 Jul 2003 Posts: 1219 Location: glasgow, scotland

Posted: Wed Feb 02, 2005 4:47 pm Post subject:
From what I remember it was merged into the standard kernel around 2.6.8 because Linus was a big fan of it; it may be that all x86_64 chips have this feature, so they don't need to display a message, just like SPARCs etc.
While I was looking into it, I believe the Gentoo devs have patched one of the big programs to also take advantage of it; I think it was glibc, as I was thinking this may have been why the latest icc didn't work.

nukem996 l33t
Joined: 13 Nov 2003 Posts: 776

Posted: Thu Feb 03, 2005 3:03 am Post subject:
What would the AMD NX feature do? Just prevent buffer overflows? Since I'm running a desktop with an AMD 3500+, would it be worth it to turn it on? Is it just on in the kernel?

ewan.paton Veteran
Joined: 29 Jul 2003 Posts: 1219 Location: glasgow, scotland

Posted: Thu Feb 03, 2005 3:18 am Post subject:
The NX bit is basically a hardware way to prevent a type of software hack called a buffer overflow; Wikipedia has a nice explanation of it and a link to NX on the same page:
http://en.wikipedia.org/wiki/Buffer_overflow
Edit: I should add that according to Wikipedia the patch was mainlined in 2.6.8, but I'm not bothered enough to go through the changelogs to check.

lightvhawk0 Guru
Joined: 07 Nov 2003 Posts: 388

Posted: Thu Feb 03, 2005 5:57 am Post subject:
ewan.paton wrote:
The NX bit is basically a hardware way to prevent a type of software hack called a buffer overflow; Wikipedia has a nice explanation of it and a link to NX on the same page:
http://en.wikipedia.org/wiki/Buffer_overflow
Edit: I should add that according to Wikipedia the patch was mainlined in 2.6.8, but I'm not bothered enough to go through the changelogs to check.
Actually I think it's only a certain type of buffer overflow.

smack n00b
Joined: 09 Dec 2004 Posts: 18

Posted: Thu Feb 03, 2005 9:05 am Post subject:
So, how do I test if NX is working?

gringo Advocate
Joined: 27 Apr 2003 Posts: 3793

smack n00b
Joined: 09 Dec 2004 Posts: 18

Posted: Thu Feb 03, 2005 9:52 am Post subject:
If you read my first post you will see something like this:

Evil Dark Archon Guru
Joined: 21 Dec 2002 Posts: 562 Location: Santa Rosa, CA

Posted: Thu Feb 03, 2005 10:36 am Post subject:
That text file only refers to the 32-bit version (note the parenthesized comment at the top of the file).

smack n00b
Joined: 09 Dec 2004 Posts: 18

Posted: Thu Feb 03, 2005 10:50 am Post subject:
So I assume that it is enabled without any marking (dmesg, ...)?!

>Octoploid< n00b
Joined: 27 Jun 2004 Posts: 57

Posted: Thu Feb 03, 2005 4:21 pm Post subject:
Why don't you just read Documentation/x86_64/boot-options.txt?
There you would find:
Quote:
Non Executable Mappings
noexec=on|off
on Enable(default)
off Disable

gringo Advocate
Joined: 27 Apr 2003 Posts: 3793

Posted: Thu Feb 03, 2005 4:40 pm Post subject:
smack wrote:
If you read my first post you will see something like this:

Oops, sorry.
Quote:
Why don't you just read Documentation/x86_64/boot-options.txt?
There you would find:
Quote:
Non Executable Mappings
noexec=on|off
on Enable(default)
off Disable
Right, NX is activated by default, but there are no messages in the boot log referring to this; shouldn't there be at least something saying it's loaded or not?
I will check this when I'm back at home, but I think I can't see anything in my logs either.
cheers

Corona688 Veteran
Joined: 10 Jan 2004 Posts: 1204

Posted: Thu Feb 03, 2005 9:49 pm Post subject:
lightvhawk0 wrote:
ewan.paton wrote:
The NX bit is basically a hardware way to prevent a type of software hack called a buffer overflow
Actually I think it's only a certain type of buffer overflow.
noexec bits don't prevent buffer overflows. The memory stack is there to provide scratch space after all, so it's pointless to prevent anything from writing to it.
What noexec bits prevent is a method of exploiting buffer overflows.
In C and C++ the stack is used to store information on function calls; it holds passed variables, local variables, and most importantly, the return vector -- the pointer that tells the function where to go back to when it returns. The stack is all writable and grows downwards, so if a local buffer in a function is overflowed, it is possible to overwrite the data with whatever you want, and the return vector with whatever you want. This makes it possible for an attacker to overflow the buffer, overwrite the function call frame with a few small instructions and a carefully crafted return vector, and have the foreign code in the stack be executed when the function returns.
With the noexec bit, you can't do that anymore, since the stack is not executable.

petlab Apprentice
Joined: 03 May 2004 Posts: 290 Location: Armpit, Oregon

Posted: Thu Feb 03, 2005 11:11 pm Post subject:
Yeah, I have Opterons too. If you check out hardened.gentoo.org you can learn lots more about NX stuff.
Using the hardened toolchain (gcc, glibc, etc.) and/or PaX and/or grsecurity can make it so that your executables also use NX.
You can adjust which binaries can use NX, whether the kernel uses it, etc. Mostly really useful on servers.
HTH

smack n00b
Joined: 09 Dec 2004 Posts: 18

Posted: Fri Feb 04, 2005 9:41 am Post subject:
OK.
I can see if the CPU supports NX by looking at /proc/cpuinfo.
Code:
# grep nx /proc/cpuinfo
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 pni syscall nx mmxext lm 3dnowext 3dnow
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 pni syscall nx mmxext lm 3dnowext 3dnow
Support for x86_64 is enabled by default or by passing noexec=on to the kernel (no extra options in the kernel configuration for x86_64).
Switch it off by passing noexec=off.
In /proc/$pid/maps I can see if mappings have x set or not.
For example:
crontab is SUID 0
Code:
# ls -l `which crontab`
-rwsr-x--- 1 root cron 34000 Jan 11 23:04 /usr/bin/crontab
By opening crontab (crontab -e) and looking for its maps in /proc I can see that crontab is mapped executable.
Code:
# head -n 5 /proc/`pidof crontab`/maps
00400000-00408000 r-xp 00000000 08:08 16371 /usr/bin/crontab
00507000-00508000 rw-p 00007000 08:08 16371 /usr/bin/crontab
00508000-00538000 rw-p 00508000 00:00 0
2a95556000-2a9556b000 r-xp 00000000 08:05 63603 /lib/ld-2.3.4.so
2a9556b000-2a9556d000 rw-p 2a9556b000 00:00 0
How can I turn this off and assign SUID binaries a read-only mapping?
I want my server to support these NoeXecution mappings for binaries where possible.
I will read on at http://hardened.gentoo.org ..
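The column smack is reading in /proc/<pid>/maps above is the permission field, and the combination a W^X audit flags there is a region that is both writable (w) and executable (x); a text segment mapped r-xp is what every binary, SUID or not, looks like when NX is doing its job. The following is an added example, not code from the thread: a small parser for the maps format that counts w+x regions, exercised on a constructed sample made of the crontab lines quoted above plus one invented rwxp region, and optionally on the live /proc/self/maps of the process itself.

```c
/* maps_wx.c - added example: flag writable+executable regions in
 * /proc/<pid>/maps output.  Build: cc maps_wx.c */
#include <stdio.h>
#include <string.h>

/* One maps line looks like:
 *   00400000-00408000 r-xp 00000000 08:08 16371 /usr/bin/crontab
 * perms is four characters: r/-, w/-, x/-, p(rivate)/s(hared).
 * Returns 1 when the region is both writable and executable, else 0. */
int line_is_wx(const char *line)
{
    unsigned long start, end;
    char perms[8] = {0};
    if (sscanf(line, "%lx-%lx %7s", &start, &end, perms) != 3)
        return 0;                                   /* not a maps line */
    return strlen(perms) >= 3 && perms[1] == 'w' && perms[2] == 'x';
}

/* Walk a buffer holding maps text line by line and count w+x regions.
 * With verbose set, each offending line is printed. */
int count_wx(const char *maps, int verbose)
{
    int hits = 0;
    const char *p = maps;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        size_t len = full < sizeof line ? full : sizeof line - 1; /* perms come first, so truncation is safe */
        memcpy(line, p, len);
        line[len] = '\0';
        if (line_is_wx(line)) {
            hits++;
            if (verbose) printf("W+X: %s\n", line);
        }
        p = nl ? nl + 1 : p + full;
    }
    return hits;
}

/* Constructed sample: the crontab lines quoted in the thread plus one
 * invented rwxp region of the kind an execstack binary or a JIT produces. */
static const char kSampleMaps[] =
    "00400000-00408000 r-xp 00000000 08:08 16371 /usr/bin/crontab\n"
    "00507000-00508000 rw-p 00007000 08:08 16371 /usr/bin/crontab\n"
    "00508000-00538000 rw-p 00508000 00:00 0\n"
    "2a95556000-2a9556b000 r-xp 00000000 08:05 63603 /lib/ld-2.3.4.so\n"
    "2a9556b000-2a9556d000 rw-p 2a9556b000 00:00 0\n"
    "2a95600000-2a95610000 rwxp 00000000 00:00 0\n";   /* constructed, not from the thread */

int sample_wx_count(void) { return count_wx(kSampleMaps, 0); }

/* Live check of this process.  Returns -1 where /proc is not available. */
int self_wx_count(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512];
    int hits = 0;
    while (fgets(line, sizeof line, f))
        if (line_is_wx(line)) { hits++; printf("W+X: %s", line); }
    fclose(f);
    return hits;
}

int main(void)
{
    printf("sample: %d w+x region(s)\n", sample_wx_count());
    int live = self_wx_count();
    if (live < 0) puts("/proc/self/maps not readable");
    else printf("this process: %d w+x region(s)\n", live);
    return 0;
}
```

Pointed at another process (replace /proc/self with /proc/`pidof crontab`, as root) it answers the question the post is really asking: not whether the binary has an executable text segment, which it must, but whether anything in the process is writable and executable at the same time.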

smack n00b
Joined: 09 Dec 2004 Posts: 18

Posted: Fri Feb 04, 2005 10:28 am Post subject:
BTW, I have a grsec/PaX patched kernel running.
Code:
# uname -r
2.6.10-grsec
By running chpax on crontab I get the following:
Code:
# chpax -v `which crontab`
----[ chpax 0.7 : Current flags for /usr/bin/crontab (PeMRxs) ]----
 * Paging based PAGE_EXEC : enabled
 * Trampolines : not emulated
 * mprotect() : restricted
 * mmap() base : randomized
 * ET_EXEC base : randomized
 * Segmentation based PAGE_EXEC : enabled

petlab Apprentice
Joined: 03 May 2004 Posts: 290 Location: Armpit, Oregon

Posted: Fri Feb 04, 2005 9:48 pm Post subject:
Oh yeah, I wasn't sure.
I'm liking grsecurity. I am using 2.6.10-hardened-r3 and have grsec and PaX going. I think it is much easier to use than SELinux; I know that SE can be really secure, but it was "too hard" for me to learn so much policy.