1 |
On 8 Aug 2005 at 17:23, Pedro Venda wrote: |
2 |
> I've written a small document describing a simple benchmark of the PaX memory |
3 |
> protections overhead on different x86 CPUs. There is a theoretical section |
4 |
> where I try to explain what do PAGEEXEC and SEGMEXEC actually do, there is |
5 |
> the benchmark itself and some notes on the results. |
6 |
> |
7 |
> http://arrakis.dhis.org/linux/doc/pax-performance/ |
8 |
> |
9 |
> Hoping to get back some comments but mostly wrong or misleading data reports. |
10 |
|
11 |
first of all, a big thank you for doing this work, it was badly |
12 |
missing from the PaX docs. below i'll comment on a few things: |
13 |
|
14 |
1. PaX stands for the [Pa]ge E[X]ecute right or PAGE_EXEC, which is |
15 |
the symbolic name commonly used on operating systems that offer |
16 |
memory protection. of course this is historical now, PaX does more |
17 |
than merely create (non)executable memory pages, but that's how it |
18 |
started 5 years ago. |
19 |
|
20 |
2. you talk about preventing 'arbitrary privileges', but it's more |
21 |
about preventing exploitation of memory corruption bugs. the |
22 |
'arbitrary' part comes from the assumed ability attained by the |
23 |
attacker: arbitrary read/write access to the attacked process's |
24 |
memory. |
25 |
|
26 |
3. for the randomization features, PaX has also randomized the brk() |
27 |
based heap for like 2 years now, it's just that i didn't get around |
28 |
to document it yet. |
29 |
|
30 |
4. some newer IA-32 CPUs do have NX support, but i haven't prepared |
31 |
PaX to use it yet (on amd64 in 64 bit mode it works of course). |
32 |
|
33 |
5. it's not the writable but the present (readable) bit that makes |
34 |
a page executable on IA-32. |
35 |
|
36 |
6. in general, instead of trying to reword the PaX docs, it's better |
37 |
to include the original, you'll avoid the interpretation mistakes |
38 |
that i'm in no mood to list here (it's being 2 AM and a performance |
39 |
test probably just doesn't need all this extra info anyway...). |
40 |
|
41 |
7. the PAGEEXEC/i386 performance impact is lower than what it used |
42 |
to be because a year ago i implemented a speed-up trick on 2.6 |
43 |
(it's not documented yet). you can try to test 2.4 and you'll see |
44 |
what i mean, especially on the P4 where the old PAGEEXEC logic |
45 |
would cause a huge slowdown, maybe a 100x or on that order (so |
46 |
what you observed shows just how effective the speed-up is in |
47 |
real life). i don't know why the P4 is so impacted, it's probably |
48 |
in part because user/kernel transitions are very slow in general, |
49 |
but there must be something else as well (the PaX specific page |
50 |
table manipulation maybe). |
51 |
|
52 |
8. it's interesting that you also found the same small performance |
53 |
increase for SEGMEXEC/P3 that i'd observed in the past, it's really |
54 |
small but consistent: userland time goes down (unexpected), kernel |
55 |
goes up a bit (expected), on the order of a few seconds on a kernel |
56 |
compilation. i have no explanation for this, but it's quite |
57 |
reproducible (i used to think that randomization causes it but then |
58 |
it affects only virtual addresses, not the physical addresses which |
59 |
play a role in caching, and you didn't have randomization enabled |
60 |
at all, i think). |
61 |
|
62 |
9. SEGMEXEC/amd64 doesn't exist because the CPU itself doesn't make |
63 |
it possible (nor necessary, of course), at least in 64 bit mode. |
64 |
in 32 bit mode you can of course boot the normal i386 kernels and |
65 |
test both non-exec methods. |
66 |
|
67 |
so, that's all for now, let me know when you're finished with the |
68 |
page and i'll link it from the PaX doc page. |
69 |
|
70 |
-- |
71 |
gentoo-hardened@g.o mailing list |