| 1 |
On 14 Aug 2005 at 12:20, Pedro Venda wrote: |
| 2 |
> > 2. you talk about preventing 'arbitrary privileges', but it's more |
| 3 |
> > about preventing exploitation of memory corruption bugs. the |
| 4 |
> > 'arbitrary' part comes from the assumed ability attained by the |
| 5 |
> > attacker: arbitrary read/write access to the attacked process's |
| 6 |
> > memory. |
| 7 |
> |
| 8 |
> Agree. On the other hand, the exploits aim at doing something otherwise |
| 9 |
> denied, hence the privileges reference. To be fixed also. |
| 10 |
|
| 11 |
that's true, but it states more than what PaX actually does and |
| 12 |
from past experience, people tend to mistunderstand too broad |
| 13 |
descriptions and expect more than what's actually achieved (and |
| 14 |
that is dangerous for them). |
| 15 |
|
| 16 |
> > 4. some newer IA-32 CPUs do have NX support, but i haven't prepared |
| 17 |
> > PaX to use it yet (on amd64 in 64 bit mode it works of course). |
| 18 |
> |
| 19 |
> Never heard of them. Are those the newer Xeon with 64bit extensions? |
| 20 |
|
| 21 |
well, it's kinda mixed thanks to Intel's infinite wisdom to |
| 22 |
backport a mix of features into the IA-32 line. so you have |
| 23 |
actually CPUs that have 64 bit support but no NX and also CPUs |
| 24 |
without 64 bit support but with NX. at |
| 25 |
|
| 26 |
http://developer.intel.com/products/processor_number/info.htm |
| 27 |
|
| 28 |
there's an up-to-date CPU chart that tells you which CPU supports |
| 29 |
what exactly. as of this writing the URL is: |
| 30 |
|
| 31 |
http://developer.intel.com/products/processor_number/proc_info_table080905.pdf |
| 32 |
|
| 33 |
hmm, actually looking at this table i can't find now a 64-bit |
| 34 |
CPU without NX, but i have these memories that their initial |
| 35 |
64 bit CPUs didn't have NX, maybe they were never actually sold... |
| 36 |
|
| 37 |
> > 5. it's not the writable but the present (readable) bit that makes |
| 38 |
> > a page executable on IA-32. |
| 39 |
> |
| 40 |
> Yes, I've researched a bit and didn't get it clear. The bit we're talking here |
| 41 |
> is the user/supervisor bit and it's the only one there, right? |
| 42 |
|
| 43 |
depends on what you mean by 'here' ;-). if you mean the PAGEEXEC |
| 44 |
logic, then it's indeed the user/supervisor bit that is used for |
| 45 |
the executable bit, but if you mean what makes a page executable |
| 46 |
without PAGEEXEC (and i believe the above statement was for that |
| 47 |
case as you said: "These simpler MMUs overload one bit for WRITE/EXEC |
| 48 |
permission settings, so every WRITEable page can also be EXECutable.") |
| 49 |
then it's the present bit which makes a page both readable and |
| 50 |
executable (and since a writable page has to be present (readable) |
| 51 |
as well, it will be executable too, but that's just a sideeffect |
| 52 |
of its being readable). |
| 53 |
|
| 54 |
> After the page walk, if the bit is set for user, it get's cached |
| 55 |
> in the TLB and becomes readable/executable, right? |
| 56 |
|
| 57 |
correct (readable/executable depending on which TLB gets filled by |
| 58 |
the table walk). |
| 59 |
|
| 60 |
> > 6. in general, instead of trying to reword the PaX docs, it's better |
| 61 |
> > to include the original, you'll avoid the interpretation mistakes |
| 62 |
> > that i'm in no mood to list here (it's being 2 AM and a performance |
| 63 |
> > test probably just doesn't need all this extra info anyway...). |
| 64 |
> |
| 65 |
> Please notice that I'm not rewording the official docs to make the text seem |
| 66 |
> my own! If you'd like I'll add local references for specific docs. |
| 67 |
> For the article's purpose, I wanted to give a small theoretical insight to |
| 68 |
> justify the results. I'll review it and say something later. |
| 69 |
|
| 70 |
i didn't mean to imply that you were making the PaX docs appear as |
| 71 |
your own, just that if you wish to talk about PaX internals, then |
| 72 |
either be correct and precise or just quote or link to the original. |
| 73 |
|
| 74 |
and i still maintain that a performance test probably doesn't need |
| 75 |
all these low-level implementation details, as the reader would then |
| 76 |
also have to know IA-32 protected mode programming inside out... |
| 77 |
|
| 78 |
-- |
| 79 |
gentoo-hardened@g.o mailing list |
Archives