Re: http://www.smashguard.org

From: Coleman Kane (cokane_at_cokane.org)
Date: 05/01/04

Date: Sat, 1 May 2004 01:56:01 +0000
To: Pavel Machek <pavel@ucw.cz>

IIRC, the "Buffer Overflow Protection" you refer to is simply the
NX page bit (MSB), right? This simply states that that page will
never be able to be loaded into an instruction register, basically
stating that if EIP is within that page, you get a Trap or Fault
of some sort.

This is more akin to making pages that can only have permissions:
rw- or r-- and no execute bit at all (there is also an R/RW flag on
pages as well).

This separation does not really exist at the VM level on most of the
older x86 chips. Perhaps some of the PIII/PIV/and Xeons maybe? I don't
know about that, and sandpile.org seems to disagree with me.

Anyhow, if you use the memory segmentation features, there is a Readable
bit in the descriptor for a Code segment. This bit becomes the Writeable
bit in Data (non-executable) segments. The amd64 architecture seems to
have done away with this section of the x86's memory management, however.

So, in effect --x is possible under that scheme, but is not supported in
amd64's long-mode. --x is supported under current x86 tech., but I think
it would require a humongous rewrite to a non-flat memory model for
the vast majority of OSes that run under x86. The amd64 phase-out of it
is also probably a nail in the coffin on this one. Perhaps having distinct
R/W/X perms on page table entries would be helpful here. Since the systems
only really had a concept of Read/Write memory, historically, at the VM
level, it may not "make sense" to the processor to address memory which
cannot be readable. How else would it actually be able to run the Fetch
to latch in new instructions? Perhaps a "Non-Loadable" bit would make
more sense.

On Thu, Apr 29, 2004 at 11:55:07PM +0200, Pavel Machek wrote, and it was proclaimed:
> Hi!
>
> > >The idea is not to create "custom CPUs" but to have our modification
> > >picked up by major vendors. Clearly there is interest in applying
> > >hardware to solve security issues based on the latest press releases
> > >from AMD that AMD chips include buffer-overflow protection (see
> > >Computer World, January 15, 2004).
> > >
> > As Theo said, the AMD buffer overflow "protection" is nothing more than
> > sensible separation of R and X bits per page, fixing a glaring and
>
> Actually it is not "sensible", and it is not separation.
>
> You can have r--, r-x, but you can't have --x.
> Pavel
> --
> 934a471f20d6580d5aad759bf0d97ddc
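The permission-model difference the two posters are arguing about can be made concrete by decoding the two descriptor formats they mention. The program below is an added illustration, not code from this thread or from the smashguard project: it decodes the Type field of a 32-bit x86 code/data segment descriptor (where the Readable bit of a code segment is the same bit that means Writable in a data segment) and the Present, R/W and NX (bit 63) bits of a PAE/long-mode page-table entry, and reports each as an rwx triple. The bit positions are the ones documented in the Intel SDM Vol. 3; the descriptor and PTE values fed to main() are constructed sample entries (flat 4 GB base-0 segments and a page at frame 0x1000), not taken from any real system.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Decode the protection bits at two levels of x86 memory management:
 *   1. a 32-bit protected-mode segment descriptor (GDT/LDT entry), whose
 *      4-bit Type field has a Readable bit for code segments that is the
 *      Writable bit for data segments;
 *   2. a PAE / IA-32e page-table entry, which has Present, R/W and the
 *      execute-disable (NX) bit in the MSB, but no separate Readable bit.
 * Bit positions follow the Intel SDM, Vol. 3 ("Segment Descriptors" and
 * "Paging"). All sample values in main() are constructed for this demo.
 */

/* Segment descriptor fields (bit positions within the 64-bit entry). */
#define DESC_TYPE_SHIFT 40      /* 4-bit Type field, bits 43:40 */
#define DESC_S_BIT      44      /* 1 = code/data segment, 0 = system segment */
#define DESC_P_BIT      47      /* Present */

/* Meaning of the Type bits when S = 1 (code or data segment). */
#define TYPE_CODE       0x8     /* 1 = code segment, 0 = data segment */
#define TYPE_RW         0x2     /* code: Readable; data: Writable */

/* Page-table entry bits (PAE / IA-32e formats). */
#define PTE_P           (1ULL << 0)
#define PTE_RW          (1ULL << 1)
#define PTE_NX          (1ULL << 63)    /* execute-disable: MSB of the entry */

/* index = r<<2 | w<<1 | x */
static const char *const PERM_NAMES[8] = {
    "---", "--x", "-w-", "-wx", "r--", "r-x", "rw-", "rwx"
};

static const char *perm_name(int r, int w, int x)
{
    return PERM_NAMES[(r ? 4 : 0) | (w ? 2 : 0) | (x ? 1 : 0)];
}

/* Permissions granted by a code/data segment descriptor, or NULL if the
 * entry is not present or is a system descriptor (TSS, LDT, gate). */
const char *segment_perms(uint64_t desc)
{
    if (!((desc >> DESC_P_BIT) & 1) || !((desc >> DESC_S_BIT) & 1))
        return NULL;
    unsigned type = (unsigned)((desc >> DESC_TYPE_SHIFT) & 0xF);
    int code = (type & TYPE_CODE) != 0;
    int r = !code || (type & TYPE_RW);   /* data always readable; code only with R set */
    int w = !code && (type & TYPE_RW);   /* only a data segment can be writable */
    int x = code;                        /* only a code segment can be executed */
    return perm_name(r, w, x);           /* --x is expressible: code with R clear */
}

/* Permissions granted by a page-table entry, or NULL if not present.
 * There is no way to express --x here: a present page is always readable,
 * which is exactly the "r--, r-x but not --x" point made above. */
const char *pte_perms(uint64_t pte)
{
    if (!(pte & PTE_P))
        return NULL;
    return perm_name(1, (pte & PTE_RW) != 0, !(pte & PTE_NX));
}

int main(void)
{
    /* Constructed flat-model descriptors: base 0, limit 4 GB, DPL 0. */
    const uint64_t descs[] = {
        0x00CF9A000000FFFFULL,   /* code, readable      -> r-x */
        0x00CF98000000FFFFULL,   /* code, execute-only  -> --x */
        0x00CF92000000FFFFULL,   /* data, writable      -> rw- */
        0x00CF90000000FFFFULL,   /* data, read-only     -> r-- */
    };
    /* Constructed PTEs for frame 0x1000 with R/W and NX varied. */
    const uint64_t ptes[] = {
        0x0000000000001003ULL,   /* P RW, no NX -> rwx (the pre-NX world) */
        0x8000000000001003ULL,   /* P RW NX     -> rw- */
        0x0000000000001001ULL,   /* P           -> r-x */
        0x8000000000001001ULL,   /* P NX        -> r-- */
    };
    size_t i;
    for (i = 0; i < sizeof descs / sizeof descs[0]; i++)
        printf("segment descriptor %016llx -> %s\n",
               (unsigned long long)descs[i], segment_perms(descs[i]));
    for (i = 0; i < sizeof ptes / sizeof ptes[0]; i++)
        printf("page-table entry   %016llx -> %s\n",
               (unsigned long long)ptes[i], pte_perms(ptes[i]));
    return 0;
}
```

Running it lists r-x, --x, rw-, r-- for the four descriptors and rwx, rw-, r-x, r-- for the four PTEs, so the only place an execute-only mapping can be encoded is the segment descriptor, and only because the Readable bit exists there at all.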

