[ubuntu-hardened] NX bit and generic-pae kernel.

Kees Cook kees at ubuntu.com
Mon Apr 8 00:10:02 UTC 2013


On Sun, Apr 07, 2013 at 10:04:33PM +0200, Daniel Curtis wrote:
> So generally it is better to have NX protection enabled,
> right? This link, which you provided, explains a lot about
> the NX bit, thank you.

Yes; it's important. Making data memory non-executable means it is harder
for an attacker to take advantage of a security flaw. It changes the
nature of how vulnerabilities can be exploited.

> Oh, by the way; it seems that the generic-pae kernel runs great
> on a computer/system with 1 GB of RAM memory. I heard a lot
> of opinions that there must be at least 4 GB of RAM memory.

There's almost nothing that makes PAE worse for a system. NX is a
by-product of using PAE. The primary reason people use it is to be able
to address >3GB of RAM. Not all 32-bit CPUs support PAE, but those are
very very old systems.

So, between the rareness of CPUs that don't support PAE, the RAM
addressing benefits, NX benefits, and the barely-measurable performance
hit from having it enabled, PAE is the default on Ubuntu now.

-Kees

-- 
Kees Cook
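
The relationship described in the reply above (hardware NX on 32-bit x86 is only reachable through PAE) can be checked from the CPU flags. This is an added example, not part of the original message; the function name nx_status, its result strings and the sample flags line are assumptions made for illustration.

```shell
#!/bin/sh
# nx_status FILE ARCH
#   FILE: cpuinfo text (defaults to /proc/cpuinfo)
#   ARCH: kernel architecture as printed by `uname -m`
#         (defaults to the running kernel)
nx_status() {
    file=${1:-/proc/cpuinfo}
    arch=${2:-$(uname -m)}
    # Take the first "flags" line and pad it with spaces so that
    # each flag can be matched as a whole word.
    flags=" $(grep -m1 '^flags' "$file" | cut -d: -f2-) "
    has() { case "$flags" in *" $1 "*) return 0 ;; *) return 1 ;; esac; }

    if ! has pae; then
        echo "no-pae"               # CPU cannot run a PAE kernel: no hardware NX
    elif ! has nx; then
        echo "pae-without-nx"       # PAE is available, but the CPU has no NX bit
    elif [ "$arch" = "x86_64" ]; then
        echo "nx-64bit"             # 64-bit page tables always carry the NX bit
    else
        echo "nx-needs-pae-kernel"  # 32-bit: hardware NX requires a PAE kernel
    fi
}

# Constructed sample input (not from a real machine):
# a 32-bit CPU that advertises both PAE and NX.
sample=$(mktemp)
printf 'processor\t: 0\nflags\t\t: fpu vme de pse tsc msr pae mce cx8 sep nx\n' > "$sample"
nx_status "$sample" i686
rm -f "$sample"
```

Called with no arguments, nx_status reads /proc/cpuinfo and uses the running kernel's architecture.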


