| 1 |
Attempt one: |
| 2 |
|
| 3 |
> 1. PaX stands for the [Pa]ge E[X]ecute right or PAGE_EXEC, which is |
| 4 |
> the symbolic name commonly used on operating systems that offer |
| 5 |
> memory protection. of course this is historical now, PaX does more |
| 6 |
> than merely create (non)executable memory pages, but that's how it |
| 7 |
> started 5 years ago. |
| 8 |
|
| 9 |
I'm ashamed. I could swear that Prevent Arbitrary eXecution was the |
| 10 |
"translation" found on the official documents, but after your comment I |
| 11 |
looked for it and didn't find it anywhere... It is obviously wrong and I need |
| 12 |
to fix it ASAP. Sorry for the mistake. |
| 13 |
|
| 14 |
> 2. you talk about preventing 'arbitrary privileges', but it's more |
| 15 |
> about preventing exploitation of memory corruption bugs. the |
| 16 |
> 'arbitrary' part comes from the assumed ability attained by the |
| 17 |
> attacker: arbitrary read/write access to the attacked process's |
| 18 |
> memory. |
| 19 |
|
| 20 |
Agree. On the other hand, the exploits aim at doing something otherwise |
| 21 |
denied, hence the privileges reference. To be fixed also. |
| 22 |
|
| 23 |
> 3. for the randomization features, PaX has also randomized the brk() |
| 24 |
> based heap for like 2 years now, it's just that i didn't get around |
| 25 |
> to document it yet. |
| 26 |
|
| 27 |
since I focus ASLR very lightly (only to say it's there), I'll add a reference |
| 28 |
to that but no more. To be fixed. |
| 29 |
|
| 30 |
> 4. some newer IA-32 CPUs do have NX support, but i haven't prepared |
| 31 |
> PaX to use it yet (on amd64 in 64 bit mode it works of course). |
| 32 |
|
| 33 |
Never heard of them. Are those the newer Xeon with 64bit extensions? |
| 34 |
|
| 35 |
> 5. it's not the writable but the present (readable) bit that makes |
| 36 |
> a page executable on IA-32. |
| 37 |
|
| 38 |
Yes, I've researched a bit and didn't get it clear. The bit we're talking here |
| 39 |
is the user/supervisor bit and it's the only one there, right? After the page |
| 40 |
walk, if the bit is set for user, it get's cached in the TLB and becomes |
| 41 |
readable/executable, right? To be fixed after clearing up. |
| 42 |
|
| 43 |
> 6. in general, instead of trying to reword the PaX docs, it's better |
| 44 |
> to include the original, you'll avoid the interpretation mistakes |
| 45 |
> that i'm in no mood to list here (it's being 2 AM and a performance |
| 46 |
> test probably just doesn't need all this extra info anyway...). |
| 47 |
|
| 48 |
Please notice that I'm not rewording the official docs to make the text seem |
| 49 |
my own! If you'd like I'll add local references for specific docs. |
| 50 |
For the article's purpose, I wanted to give a small theoretical insight to |
| 51 |
justify the results. I'll review it and say something later. |
| 52 |
|
| 53 |
> 7. the PAGEEXEC/i386 performance impact is lower than what it used |
| 54 |
> to be because a year ago i implemented a speed-up trick on 2.6 |
| 55 |
> (it's not documented yet). you can try to test 2.4 and you'll see |
| 56 |
> what i mean, especially on the P4 where the old PAGEEXEC logic |
| 57 |
> would cause a huge slowdown, maybe a 100x or on that order (so |
| 58 |
> what you observed shows just how effective the speed-up is in |
| 59 |
> real life). i don't know why the P4 is so impacted, it's probably |
| 60 |
> in part because user/kernel transitions are very slow in general, |
| 61 |
> but there must be something else as well (the PaX specific page |
| 62 |
> table manipulation maybe). |
| 63 |
|
| 64 |
I've read some postings about this in this list. Unfortunately, of the 3 |
| 65 |
testbenches I can only freely access one of them (it's mine actually). The |
| 66 |
pentium 4 and the dual opteron are computers I had access at work but: |
| 67 |
1. I don't work there no more. |
| 68 |
2. Both are in production now. |
| 69 |
So I cannot repeat the tests with kernel 2.4. It'd be interesting though. |
| 70 |
Maybe later I'll have access to a p4 again and redo that little test just for |
| 71 |
the kicks, with some info about your trick. |
| 72 |
|
| 73 |
> 8. it's interesting that you also found the same small performance |
| 74 |
> increase for SEGMEXEC/P3 that i'd observed in the past, it's really |
| 75 |
> small but consistent: userland time goes down (unexpected), kernel |
| 76 |
> goes up a bit (expected), on the order of a few seconds on a kernel |
| 77 |
> compilation. i have no explanation for this, but it's quite |
| 78 |
> reproducible (i used to think that randomization causes it but then |
| 79 |
> it affects only virtual addresses, not the physical addresses which |
| 80 |
> play a role in caching, and you didn't have randomization enabled |
| 81 |
> at all, i think). |
| 82 |
|
| 83 |
Strange that's actually a reproducible performance increase. I'll add a note |
| 84 |
on that. |
| 85 |
I found it weird also, and interpreted it as statistical error. I'll give it a |
| 86 |
try on my centrino laptop and see if it's reproducible here. |
| 87 |
|
| 88 |
> 9. SEGMEXEC/amd64 doesn't exist because the CPU itself doesn't make |
| 89 |
> it possible (nor necessary, of course), at least in 64 bit mode. |
| 90 |
> in 32 bit mode you can of course boot the normal i386 kernels and |
| 91 |
> test both non-exec methods. |
| 92 |
|
| 93 |
thanks for the explanation on that. I haven't investigated on amd64 and just |
| 94 |
gave a small explanation about why thinking about segmexec would be a waste |
| 95 |
of time really. To be fixed. |
| 96 |
|
| 97 |
> so, that's all for now, let me know when you're finished with the |
| 98 |
> page and i'll link it from the PaX doc page. |
| 99 |
|
| 100 |
If you find it good enough, please do, thanks. |
| 101 |
|
| 102 |
regards, |
| 103 |
pedro venda. |
| 104 |
-- |
| 105 |
|
| 106 |
Pedro João Lopes Venda |
| 107 |
email: pjvenda < at > arrakis.dhis.org |
| 108 |
http://arrakis.dhis.org |
Archives