To: linux-kernel@vger.kernel.org
From: Marc Bevand <bevand_m@epita.fr>
Subject: Re: WINE + NX (No eXecute) support for x86, 2.6.7-rc2-bk2
Date: Fri, 11 Jun 2004 11:50:39 +0200
Message-ID: <cabvf1$2ts$1@sea.gmane.org>
References: <04061008351700.11472@tabby> <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAA2ZSI4XW+fk25FhAf9BqjtMKAAAAQAAAAFnNl61uL20Wfr6jkoh79oAEAAAAA@casabyte.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040326
In-Reply-To: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAA2ZSI4XW+fk25FhAf9BqjtMKAAAAQAAAAFnNl61uL20Wfr6jkoh79oAEAAAAA@casabyte.com>
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1185
Lines: 27

Robert White wrote:
> You are missing the model:
> 
> To enable executable stack/heap you would:
> 
> if ((fd = open("/proc/self/NX",O_RDWR)) >= 0) {
>    write(fd,"1",1);
>    close(fd);
> }
> 
> (disabling would be symmetric with "0")
> 
> Because this is a sequence of specific instructions (that shouldn't exist in the
> default library to prevent stack return hack invocation) these instructions would
> exist only in programs that want to be EX anyway.

Even such a protection model (a sequence of 3 syscalls to enable or
disable NX) can be easily bypassed by an attacker. The classic method
of return-into-libc (with a small variation that I would call
chained-returns-into-libc) still works.

As other people already said on this list: the ability to disable NX
is a *bad* thing for security.

-- 
Marc Bevand                          http://www.epita.fr/~bevand_m
Computer Science School EPITA - System, Network and Security Dept.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/