On 14 Aug 2005 at 12:20, Pedro Venda wrote:

> > 2. you talk about preventing 'arbitrary privileges', but it's more
> > about preventing exploitation of memory corruption bugs. the
> > 'arbitrary' part comes from the assumed ability attained by the
> > attacker: arbitrary read/write access to the attacked process's
> > memory.
>
> Agree. On the other hand, the exploits aim at doing something otherwise
> denied, hence the privileges reference. To be fixed also.

that's true, but it states more than what PaX actually does and
from past experience, people tend to misunderstand too broad
descriptions and expect more than what's actually achieved (and
that is dangerous for them).

> > 4. some newer IA-32 CPUs do have NX support, but i haven't prepared
> > PaX to use it yet (on amd64 in 64 bit mode it works of course).
>
> Never heard of them. Are those the newer Xeon with 64bit extensions?

well, it's kinda mixed thanks to Intel's infinite wisdom to
backport a mix of features into the IA-32 line. so you have
actually CPUs that have 64 bit support but no NX and also CPUs
without 64 bit support but with NX. at

http://developer.intel.com/products/processor_number/info.htm

there's an up-to-date CPU chart that tells you which CPU supports
what exactly. as of this writing the URL is:

http://developer.intel.com/products/processor_number/proc_info_table080905.pdf

hmm, actually looking at this table i can't find now a 64-bit
CPU without NX, but i have these memories that their initial
64 bit CPUs didn't have NX, maybe they were never actually sold...

> > 5. it's not the writable but the present (readable) bit that makes
> > a page executable on IA-32.
>
> Yes, I've researched a bit and didn't get it clear. The bit we're talking here
> is the user/supervisor bit and it's the only one there, right?

depends on what you mean by 'here' ;-). if you mean the PAGEEXEC
logic, then it's indeed the user/supervisor bit that is used for
the executable bit, but if you mean what makes a page executable
without PAGEEXEC (and i believe the above statement was for that
case as you said: "These simpler MMUs overload one bit for WRITE/EXEC
permission settings, so every WRITEable page can also be EXECutable.")
then it's the present bit which makes a page both readable and
executable (and since a writable page has to be present (readable)
as well, it will be executable too, but that's just a side effect
of its being readable).

> After the page walk, if the bit is set for user, it gets cached
> in the TLB and becomes readable/executable, right?

correct (readable/executable depending on which TLB gets filled by
the table walk).

> > 6. in general, instead of trying to reword the PaX docs, it's better
> > to include the original, you'll avoid the interpretation mistakes
> > that i'm in no mood to list here (it's being 2 AM and a performance
> > test probably just doesn't need all this extra info anyway...).
>
> Please notice that I'm not rewording the official docs to make the text seem
> my own! If you'd like I'll add local references for specific docs.
> For the article's purpose, I wanted to give a small theoretical insight to
> justify the results. I'll review it and say something later.

i didn't mean to imply that you were making the PaX docs appear as
your own, just that if you wish to talk about PaX internals, then
either be correct and precise or just quote or link to the original.

and i still maintain that a performance test probably doesn't need
all these low-level implementation details, as the reader would then
also have to know IA-32 protected mode programming inside out...

--
gentoo-hardened@g.o mailing list
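As an added illustration of the present-bit point discussed in the thread (this is example code, not from the mailing list or from PaX), here is a small C model of how an IA-32 page table entry's bits become read/write/execute permission: a legacy 32-bit entry, where being present alone makes a page readable and executable, beside a PAE-format entry where the XD bit can withhold execute, plus the user/supervisor check that makes a user-mode fetch from a supervisor-only page fault (the hardware property PAGEEXEC reuses; PaX's own fault-handler logic is not modelled). The bit positions are the architectural ones; `decode_pte`, `user_access_ok` and the struct/enum names are my own.

```c
#include <stdbool.h>
#include <stdint.h>

/* Architectural PTE bits shared by the 32-bit and PAE/64-bit formats. */
#define PTE_P  (1ULL << 0)   /* present: page is mapped (and thus readable) */
#define PTE_RW (1ULL << 1)   /* writable when set */
#define PTE_US (1ULL << 2)   /* user-accessible when set, supervisor-only when clear */
#define PTE_XD (1ULL << 63)  /* execute-disable; PAE/64-bit format, needs EFER.NXE */

typedef struct { bool present, readable, writable, executable; } page_perms;
typedef enum { ACC_READ, ACC_WRITE, ACC_FETCH } access_kind;

/* Permissions the MMU derives from one PTE.
 * nx_enabled=false models a legacy 32-bit entry: no execute bit exists, so any
 * present page is readable AND executable; a writable page must be present,
 * so it is executable only as a side effect of being readable. */
page_perms decode_pte(uint64_t pte, bool nx_enabled)
{
    page_perms p = { false, false, false, false };
    if (!nx_enabled)
        pte &= 0xffffffffULL;       /* 32-bit entry: bit 63 does not exist */
    p.present = (pte & PTE_P) != 0;
    if (!p.present)
        return p;                   /* not present: no TLB fill, every access faults */
    p.readable = true;
    p.writable = (pte & PTE_RW) != 0;
    p.executable = !(nx_enabled && (pte & PTE_XD));
    return p;
}

/* Would a user-mode access of kind 'a' succeed against this PTE?
 * A supervisor-only page (U/S clear) faults for user mode on every access,
 * which is the hardware behaviour PAGEEXEC builds on when it reuses U/S as
 * the execute bit; the data-side handling done by PaX is not modelled here. */
bool user_access_ok(uint64_t pte, bool nx_enabled, access_kind a)
{
    page_perms p = decode_pte(pte, nx_enabled);
    if (!p.present || !(pte & PTE_US))
        return false;
    switch (a) {
    case ACC_READ:  return p.readable;
    case ACC_WRITE: return p.writable;
    case ACC_FETCH: return p.executable;
    }
    return false;
}
```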