1 |
Attempt one: |
2 |
|
3 |
> 1. PaX stands for the [Pa]ge E[X]ecute right or PAGE_EXEC, which is |
4 |
> the symbolic name commonly used on operating systems that offer |
5 |
> memory protection. of course this is historical now, PaX does more |
6 |
> than merely create (non)executable memory pages, but that's how it |
7 |
> started 5 years ago. |
8 |
|
9 |
I'm ashamed. I could swear that Prevent Arbitrary eXecution was the |
10 |
"translation" found on the official documents, but after your comment I |
11 |
looked for it and didn't find it anywhere... It is obviously wrong and I need |
12 |
to fix it ASAP. Sorry for the mistake. |
13 |
|
14 |
> 2. you talk about preventing 'arbitrary privileges', but it's more |
15 |
> about preventing exploitation of memory corruption bugs. the |
16 |
> 'arbitrary' part comes from the assumed ability attained by the |
17 |
> attacker: arbitrary read/write access to the attacked process's |
18 |
> memory. |
19 |
|
20 |
Agree. On the other hand, the exploits aim at doing something otherwise |
21 |
denied, hence the privileges reference. To be fixed also. |
22 |
|
23 |
> 3. for the randomization features, PaX has also randomized the brk() |
24 |
> based heap for like 2 years now, it's just that i didn't get around |
25 |
> to document it yet. |
26 |
|
27 |
since I focus ASLR very lightly (only to say it's there), I'll add a reference |
28 |
to that but no more. To be fixed. |
29 |
|
30 |
> 4. some newer IA-32 CPUs do have NX support, but i haven't prepared |
31 |
> PaX to use it yet (on amd64 in 64 bit mode it works of course). |
32 |
|
33 |
Never heard of them. Are those the newer Xeon with 64bit extensions? |
34 |
|
35 |
> 5. it's not the writable but the present (readable) bit that makes |
36 |
> a page executable on IA-32. |
37 |
|
38 |
Yes, I've researched a bit and didn't get it clear. The bit we're talking here |
39 |
is the user/supervisor bit and it's the only one there, right? After the page |
40 |
walk, if the bit is set for user, it get's cached in the TLB and becomes |
41 |
readable/executable, right? To be fixed after clearing up. |
42 |
|
43 |
> 6. in general, instead of trying to reword the PaX docs, it's better |
44 |
> to include the original, you'll avoid the interpretation mistakes |
45 |
> that i'm in no mood to list here (it's being 2 AM and a performance |
46 |
> test probably just doesn't need all this extra info anyway...). |
47 |
|
48 |
Please notice that I'm not rewording the official docs to make the text seem |
49 |
my own! If you'd like I'll add local references for specific docs. |
50 |
For the article's purpose, I wanted to give a small theoretical insight to |
51 |
justify the results. I'll review it and say something later. |
52 |
|
53 |
> 7. the PAGEEXEC/i386 performance impact is lower than what it used |
54 |
> to be because a year ago i implemented a speed-up trick on 2.6 |
55 |
> (it's not documented yet). you can try to test 2.4 and you'll see |
56 |
> what i mean, especially on the P4 where the old PAGEEXEC logic |
57 |
> would cause a huge slowdown, maybe a 100x or on that order (so |
58 |
> what you observed shows just how effective the speed-up is in |
59 |
> real life). i don't know why the P4 is so impacted, it's probably |
60 |
> in part because user/kernel transitions are very slow in general, |
61 |
> but there must be something else as well (the PaX specific page |
62 |
> table manipulation maybe). |
63 |
|
64 |
I've read some postings about this in this list. Unfortunately, of the 3 |
65 |
testbenches I can only freely access one of them (it's mine actually). The |
66 |
pentium 4 and the dual opteron are computers I had access at work but: |
67 |
1. I don't work there no more. |
68 |
2. Both are in production now. |
69 |
So I cannot repeat the tests with kernel 2.4. It'd be interesting though. |
70 |
Maybe later I'll have access to a p4 again and redo that little test just for |
71 |
the kicks, with some info about your trick. |
72 |
|
73 |
> 8. it's interesting that you also found the same small performance |
74 |
> increase for SEGMEXEC/P3 that i'd observed in the past, it's really |
75 |
> small but consistent: userland time goes down (unexpected), kernel |
76 |
> goes up a bit (expected), on the order of a few seconds on a kernel |
77 |
> compilation. i have no explanation for this, but it's quite |
78 |
> reproducible (i used to think that randomization causes it but then |
79 |
> it affects only virtual addresses, not the physical addresses which |
80 |
> play a role in caching, and you didn't have randomization enabled |
81 |
> at all, i think). |
82 |
|
83 |
Strange that's actually a reproducible performance increase. I'll add a note |
84 |
on that. |
85 |
I found it weird also, and interpreted it as statistical error. I'll give it a |
86 |
try on my centrino laptop and see if it's reproducible here. |
87 |
|
88 |
> 9. SEGMEXEC/amd64 doesn't exist because the CPU itself doesn't make |
89 |
> it possible (nor necessary, of course), at least in 64 bit mode. |
90 |
> in 32 bit mode you can of course boot the normal i386 kernels and |
91 |
> test both non-exec methods. |
92 |
|
93 |
thanks for the explanation on that. I haven't investigated on amd64 and just |
94 |
gave a small explanation about why thinking about segmexec would be a waste |
95 |
of time really. To be fixed. |
96 |
|
97 |
> so, that's all for now, let me know when you're finished with the |
98 |
> page and i'll link it from the PaX doc page. |
99 |
|
100 |
If you find it good enough, please do, thanks. |
101 |
|
102 |
regards, |
103 |
pedro venda. |
104 |
-- |
105 |
|
106 |
Pedro João Lopes Venda |
107 |
email: pjvenda < at > arrakis.dhis.org |
108 |
http://arrakis.dhis.org |