About Ubuntu security

Kees Cook kees at ubuntu.com
Tue Jul 31 00:03:00 UTC 2007


On Mon, Jul 30, 2007 at 05:51:28PM -0400, Rick Clark wrote:
> NX support for 32 bit requires the HIGHMEM64 option to be enabled in the
> kernel.  Unfortunately, this makes some 32 bit processors fail to boot.
> I think it is worth discussing enabling it, as most of the processors
> that fail are either very old or laptop centric.

Additionally, only more recent ia32 processors support the nx bit when
in PAE mode (HIGHMEM64).  You can check with:

cat /proc/cpuinfo | grep ^flags | grep nx

> This list is an excellent place to give an opinion, though.  I
> personally like PaX, especially its ability to simulate NX, on
> unsupported hardware. This would allow us to get around the 32 bit
> problem.

I'm a fan of the execshield segmentation patches, but Ubuntu has
traditionally not had the resources to carry the delta for this.  With
the other mitigation systems in place, I'm less worried about this
"gap" in coverage.  Besides, if an attacker can gain control of a
program's stack, they can still use text ret-chaining to execute
"arbitrary" code[1].  This is why I've been focusing on getting text
ASLR working again instead of looking at the segmentation patches.

If someone could take on the task of getting the segmentation patches
taken by upstream, I would be very grateful.

-Kees

[1] http://www.suse.de/~krahmer/no-nx.pdf

-- 
Kees Cook
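
Added example, not part of the original message: a shell function that extends the /proc/cpuinfo check above by matching nx as a whole flag and reporting pae alongside it, since the thread notes that 32-bit NX depends on a PAE (HIGHMEM64) kernel. The function names and verdict strings are this example's own, and the sample flags line is constructed.

```shell
#!/bin/sh
# Classify hardware NX capability from the "flags" line of a cpuinfo-format
# file. "pae" and "nx" are the flag names /proc/cpuinfo uses on x86; the
# function names and verdict strings are assumptions made for this example.

# has_flag FLAGS NAME -> exit 0 only if NAME is a whole word in FLAGS.
# (A plain "grep nx" would also match any longer flag containing "nx".)
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# nx_verdict [FILE] -> prints one verdict; FILE defaults to /proc/cpuinfo,
# and "-" reads standard input.
#   nx-with-pae  CPU has pae and nx: a PAE (HIGHMEM64) kernel can use NX
#   pae-no-nx    a PAE kernel boots, but there is no hardware NX
#   no-pae       a PAE kernel will not boot on this CPU
#   unknown      no x86 "flags" line found
nx_verdict() {
    file=${1:-/proc/cpuinfo}
    # Take the first flags line only and strip the "flags : " prefix.
    flags=$(awk '/^flags[ \t]*:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }' "$file")
    if [ -z "$flags" ]; then
        echo unknown
    elif ! has_flag "$flags" pae; then
        echo no-pae
    elif has_flag "$flags" nx; then
        echo nx-with-pae
    else
        echo pae-no-nx
    fi
}

# Constructed sample (not from a real machine): PAE-capable CPU without nx.
nx_verdict - <<'EOF'
processor       : 0
flags           : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge cmov mmx sse sse2
EOF
```

Run `nx_verdict` with no argument on the machine in question to classify its own CPU.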