Executable space protection
Encyclopedia
In computer security
, executable space protection is the marking of memory regions as non-executable, such that an attempt to execute machine code
in these regions will cause an exception
. It makes use of hardware features such as the NX bit
.
The Burroughs 5000 offered hardware support for executable space protection when it was introduced in 1961; that capability was retained in its successors at least through 2006. In its implementation of tagged architecture
, each word of memory had an associated, hidden tag bit designating it code or data. Thus, user programs cannot write or even read a program word, and data words cannot be executed.
If an operating system
can mark some or all writable regions of memory as non-executable, it may be able to prevent the stack
and heap memory areas from being executable. This helps to prevent certain buffer overflow
exploits from succeeding, particularly those that inject and execute code, such as the Sasser and Blaster worms. These attacks rely on some part of memory, usually the stack, being both writable and executable; if it is not, the attack fails.
For some technologies, there is a summary which gives the major features each technology supports. The summary is structured as below.
A technology supplying Architecture Independent emulation
will be functional on all processors which aren't hardware supported. The "Other Supported" line is for processors which allow some grey-area method, where an explicit NX bit doesn't exist yet hardware allows one to be emulated in some way.
, on x86-64
and x86 processors that support it, first appeared in FreeBSD
-CURRENT on June 8, 2004. It has been in FreeBSD releases since the 5.3 release.
currently supports the NX bit on x86-64
CPUs and on x86 processors that support it, such as the current 64-bit CPUs of AMD, Intel, Transmeta and VIA.
The support for this feature in the 64-bit mode on x86-64 CPUs was added in 2004 by Andi Kleen, and later the same year, Ingo Molnar
added support for it in 32-bit mode on 64-bit CPUs. These features have been in the stable Linux kernel since release 2.6.8 in August 2004.
The availability of the NX bit on 32-bit x86 kernels, which may run on both 32-bit x86 CPUs and 64-bit x86 compatible CPUs, is significant because a 32-bit x86 kernel would not normally expect the NX bit that an AMD64 or IA-64 supplies; the NX enabler patch assures that these kernels will attempt to use the NX bit if present.
Some desktop Linux distribution
s such as Fedora Core 6, Ubuntu
and openSUSE
do not enable the HIGHMEM64 option by default, which is required to gain access to the NX bit in 32-bit mode, in their default kernel; this is because the PAE
mode that is required to use the NX bit causes pre-Pentium Pro
(including Pentium MMX) and Celeron M and Pentium M
processors without NX support to fail to boot. Other processors that do not support PAE are AMD K6
and earlier, Transmeta Crusoe
, VIA C3
and earlier, and Geode
GX and LX. VMware Workstation
versions older than 4.0, Parallels Workstation
versions older than 4.0, and Microsoft Virtual PC
and Virtual Server
do not support PAE on the guest. Fedora Core 6 and Ubuntu 9.10 and later provide a kernel-PAE package which supports PAE and NX.
NX memory protection has always been available in Ubuntu for any systems that had the hardware to support it and ran the 64-bit kernel or the 32-bit server kernel. The 32-bit PAE desktop kernel (linux-image-generic-pae) in Ubuntu 9.10 and later, also provides the PAE mode needed for hardware with the NX CPU feature. For systems that lack NX hardware, the 32-bit kernels now provide an approximation of the NX CPU feature via software emulation that can help block many exploits an attacker might run from stack or heap memory.
Non-execute functionality has also been present for other non-x86 processors supporting this functionality for many releases.
kernel developer Ingo Molnar
released a Linux kernel patch named Exec Shield
to approximate and utilize NX functionality on 32-bit
x86 CPUs.
The Exec Shield patch was released to the Linux kernel mailing list
on May 2, 2003. It was rejected for merging with the base kernel because it involved some intrusive changes to core code in order to handle the complex parts of the emulation trick.
NX technology can emulate an NX bit or NX functionality, or use a hardware NX bit. PaX works on x86 CPUs that do not have the NX bit, such as 32-bit x86.
The PaX project originated October 1, 2000. It was later ported to 2.6, and is at the time of this writing still in active development.
The Linux kernel still does not ship with PaX (as of May, 2007); the patch must be merged manually.
for Intel supports the NX bit on all CPUs supported by Apple (from 10.4.4 – the first Intel release – onwards). Mac OS X 10.4 only supported NX stack protection. In Mac OS X 10.5, all 64-bit executables have NX stack and heap; W^X protection. This includes x86-64
(Core 2 or later) and 64-bit PowerPC
on the G5
Macs.
2.0 and later (December 9, 2004), architectures which support it have non-executable stack and heap.
Those that have per-page granularity consist of: alpha, amd64, hppa, i386 (with PAE), powerpc (ibm4xx), sh5, sparc (sun4m, sun4d), sparc64.
Those that can only support these with region granularity are: i386 (without PAE), powerpc (e.g. macppc).
Other architectures do not benefit from non-executable stack or heap; NetBSD does not by default use any software emulation to offer these features on those architectures.
operating system
, known as W^X, marks writable pages by default as non-executable on processors that support that. On 32-bit x86 processors, the code segment is set to include only part of the address space, to provide some level of executable space protection.
OpenBSD 3.3 shipped May 1, 2003, and was the first to include W^X.
has supported globally disabling stack execution on SPARC processors since Solaris 2.6 (1997); in Solaris 9 (2002), support for disabling stack execution on a per-executable basis was added.
As of Solaris 10 (2005), use of the NX bit is automatically enabled by default on x86 processors that support this feature. Exceptions are made for the 32-bit legacy ABI's treatment of a program's stack segment. The vast majority of programs will work without changes. However, if a program fails, the protection may be disabled via the enforce-prot-exec EEPROM option. Sun recommend that failures should be reported as program bugs.
Service Pack
2 and Windows Server 2003
Service Pack 1, the NX features were implemented for the first time on the x86 architecture.
Microsoft Windows uses NX protection on critical Windows service
s exclusively by default. Under Windows XP or Server 2003, the feature is called Data Execution Prevention
(abbreviated DEP), and it can be configured through the advanced tab of "System" properties. If the x86 processor supports this feature in hardware, then the NX features are turned on automatically in Windows XP/Server 2003 by default. If the feature is not supported by the x86 processor, then no protection is given.
"Software DEP" is unrelated to the NX bit, and is what Microsoft calls their enforcement of Safe Structured Exception Handling. Software DEP/SafeSEH checks when an exception is thrown to make sure that the exception is registered in a function table for the application, and requires the program to be built with it.
Early implementations of DEP provided no address space layout randomization
(ASLR), which allowed potential return-to-libc attack
s that could have been feasibly used to disable DEP during an attack. The PaX
documentation elaborates on why ASLR is necessary; a proof-of-concept was produced detailing a method by which DEP could be circumvented in the absence of ASLR. It may be possible to develop a successful attack if the address of prepared data such as corrupted images or MP3
s can be known by the attacker. Microsoft added ASLR functionality in Windows Vista
and Windows Server 2008 to address this avenue of attack.
Outside of the x86 sphere, a version of NX also exists for Intel's IA-64 which is implemented in Windows on that architecture.
Computer security
Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...
, executable space protection is the marking of memory regions as non-executable, such that an attempt to execute machine code
Machine code
Machine code or machine language is a system of impartible instructions executed directly by a computer's central processing unit. Each instruction performs a very specific task, typically either an operation on a unit of data Machine code or machine language is a system of impartible instructions...
in these regions will cause an exception
Exception handling
Exception handling is a programming language construct or computer hardware mechanism designed to handle the occurrence of exceptions, special conditions that change the normal flow of program execution....
. It makes use of hardware features such as the NX bit
NX bit
The NX bit, which stands for No eXecute, is a technology used in CPUs to segregate areas of memory for use by either storage of processor instructions or for storage of data, a feature normally only found in Harvard architecture processors...
.
The Burroughs 5000 offered hardware support for executable space protection when it was introduced in 1961; that capability was retained in its successors at least through 2006. In its implementation of tagged architecture
Tagged architecture
In computer science, a tagged architecture is a particular type of computer architecture where every word of memory constitutes a tagged union, being divided into a number of bits of data, and a tag section that describes the type of the data: how it is to be interpreted, and, if it is a reference,...
, each word of memory had an associated, hidden tag bit designating it code or data. Thus, user programs cannot write or even read a program word, and data words cannot be executed.
If an operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
can mark some or all writable regions of memory as non-executable, it may be able to prevent the stack
Call stack
In computer science, a call stack is a stack data structure that stores information about the active subroutines of a computer program. This kind of stack is also known as an execution stack, control stack, run-time stack, or machine stack, and is often shortened to just "the stack"...
and heap memory areas from being executable. This helps to prevent certain buffer overflow
Buffer overflow
In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety....
exploits from succeeding, particularly those that inject and execute code, such as the Sasser and Blaster worms. These attacks rely on some part of memory, usually the stack, being both writable and executable; if it is not, the attack fails.
OS implementations
Many operating systems implement or have an available executable space protection policy. Here is a list of such systems in alphabetical order, each with technologies ordered from newest to oldest.For some technologies, there is a summary which gives the major features each technology supports. The summary is structured as below.
- Hardware Supported Processors: (Comma separated list of CPU architectures)
- Emulation: (No) or (Architecture Independent) or (Comma separated list of CPU architectures)
- Other Supported: (None) or (Comma separated list of CPU architectures)
- Standard Distribution: (No) or (Yes) or (Comma separated list of distributions or versions which support the technology)
- Release Date: (Date of first release)
A technology supplying Architecture Independent emulation
Emulator
In computing, an emulator is hardware or software or both that duplicates the functions of a first computer system in a different second computer system, so that the behavior of the second system closely resembles the behavior of the first system...
will be functional on all processors which aren't hardware supported. The "Other Supported" line is for processors which allow some grey-area method, where an explicit NX bit doesn't exist yet hardware allows one to be emulated in some way.
FreeBSD
Initial support for the NX bitNX bit
The NX bit, which stands for No eXecute, is a technology used in CPUs to segregate areas of memory for use by either storage of processor instructions or for storage of data, a feature normally only found in Harvard architecture processors...
, on x86-64
X86-64
x86-64 is an extension of the x86 instruction set. It supports vastly larger virtual and physical address spaces than are possible on x86, thereby allowing programmers to conveniently work with much larger data sets. x86-64 also provides 64-bit general purpose registers and numerous other...
and x86 processors that support it, first appeared in FreeBSD
FreeBSD
FreeBSD is a free Unix-like operating system descended from AT&T UNIX via BSD UNIX. Although for legal reasons FreeBSD cannot be called “UNIX”, as the direct descendant of BSD UNIX , FreeBSD’s internals and system APIs are UNIX-compliant...
-CURRENT on June 8, 2004. It has been in FreeBSD releases since the 5.3 release.
Linux
Linux kernelLinux kernel
The Linux kernel is an operating system kernel used by the Linux family of Unix-like operating systems. It is one of the most prominent examples of free and open source software....
currently supports the NX bit on x86-64
X86-64
x86-64 is an extension of the x86 instruction set. It supports vastly larger virtual and physical address spaces than are possible on x86, thereby allowing programmers to conveniently work with much larger data sets. x86-64 also provides 64-bit general purpose registers and numerous other...
CPUs and on x86 processors that support it, such as the current 64-bit CPUs of AMD, Intel, Transmeta and VIA.
The support for this feature in the 64-bit mode on x86-64 CPUs was added in 2004 by Andi Kleen, and later the same year, Ingo Molnar
Ingo Molnar
Ingo Molnár, currently employed by Red Hat, is a Hungarian Linux hacker. He is best known for his contributions to the operating system in terms of security and performance...
added support for it in 32-bit mode on 64-bit CPUs. These features have been in the stable Linux kernel since release 2.6.8 in August 2004.
The availability of the NX bit on 32-bit x86 kernels, which may run on both 32-bit x86 CPUs and 64-bit x86 compatible CPUs, is significant because a 32-bit x86 kernel would not normally expect the NX bit that an AMD64 or IA-64 supplies; the NX enabler patch assures that these kernels will attempt to use the NX bit if present.
Some desktop Linux distribution
Linux distribution
A Linux distribution is a member of the family of Unix-like operating systems built on top of the Linux kernel. Such distributions are operating systems including a large collection of software applications such as word processors, spreadsheets, media players, and database applications...
s such as Fedora Core 6, Ubuntu
Ubuntu (operating system)
Ubuntu is a computer operating system based on the Debian Linux distribution and distributed as free and open source software. It is named after the Southern African philosophy of Ubuntu...
and openSUSE
OpenSUSE
openSUSE is a general purpose operating system built on top of the Linux kernel, developed by the community-supported openSUSE Project and sponsored by SUSE...
do not enable the HIGHMEM64 option by default, which is required to gain access to the NX bit in 32-bit mode, in their default kernel; this is because the PAE
Physical Address Extension
In computing, Physical Address Extension is a feature to allow x86 processors to access a physical address space larger than 4 gigabytes....
mode that is required to use the NX bit causes pre-Pentium Pro
Pentium Pro
The Pentium Pro is a sixth-generation x86 microprocessor developed and manufactured by Intel introduced in November 1, 1995 . It introduced the P6 microarchitecture and was originally intended to replace the original Pentium in a full range of applications...
(including Pentium MMX) and Celeron M and Pentium M
Pentium M
The Pentium M brand refers to a family of mobile single-core x86 microprocessors introduced in March 2003 , and forming a part of the Intel Carmel notebook platform under the then new Centrino brand...
processors without NX support to fail to boot. Other processors that do not support PAE are AMD K6
AMD K6
The K6 microprocessor was launched by AMD in 1997. The main advantage of this particular microprocessor is that it was designed to fit into existing desktop designs for Pentium branded CPUs. It was marketed as a product which could perform as well as its Intel Pentium II equivalent but at a...
and earlier, Transmeta Crusoe
Transmeta Crusoe
The Crusoe is a family of x86-compatible microprocessors developed by Transmeta. Crusoe was notable for its method of achieving x86 compatibility. Instead of the instruction set architecture being implemented in hardware, or translated by specialized hardware, the Crusoe runs a software abstraction...
, VIA C3
VIA C3
The VIA C3 is a family of x86 central processing units for personal computers designed by Centaur Technology and sold by VIA Technologies. The different CPU cores are built following the design methodology of Centaur Technology.-Samuel 2 and Ezra cores:...
and earlier, and Geode
Geode
Geodes are geological secondary sedimentary structures which occur in sedimentary and certain volcanic rocks. Geodes are essentially spherical masses of mineral matter that were deposited sygenetically within the rock formations they are found in. Geodes have a Chalcedony shell containing...
GX and LX. VMware Workstation
VMware Workstation
VMware Workstation is a virtual machine software suite for x86 and x86-64 computers from VMware, a division of EMC Corporation, which allows users to set up multiple x86 and x86-64 virtual machines and use one or more of these virtual machines simultaneously with the hosting operating system...
versions older than 4.0, Parallels Workstation
Parallels Workstation
Parallels Workstation is the first commercial software product released by Parallels, Inc., a developer of desktop and server virtualization software...
versions older than 4.0, and Microsoft Virtual PC
Microsoft Virtual PC
Windows Virtual PC is a virtualization program for Microsoft Windows. In July 2006 Microsoft released the Windows-hosted version as a free product...
and Virtual Server
Microsoft Virtual Server
Microsoft Virtual Server is a virtualization solution that facilitates the creation of virtual machines on the Windows XP, Windows Vista and Windows Server 2003 operating systems. Originally developed by Connectix, it was acquired by Microsoft prior to release...
do not support PAE on the guest. Fedora Core 6 and Ubuntu 9.10 and later provide a kernel-PAE package which supports PAE and NX.
NX memory protection has always been available in Ubuntu for any systems that had the hardware to support it and ran the 64-bit kernel or the 32-bit server kernel. The 32-bit PAE desktop kernel (linux-image-generic-pae) in Ubuntu 9.10 and later, also provides the PAE mode needed for hardware with the NX CPU feature. For systems that lack NX hardware, the 32-bit kernels now provide an approximation of the NX CPU feature via software emulation that can help block many exploits an attacker might run from stack or heap memory.
Non-execute functionality has also been present for other non-x86 processors supporting this functionality for many releases.
Exec Shield
Red HatRed Hat
Red Hat, Inc. is an S&P 500 company in the free and open source software sector, and a major Linux distribution vendor. Founded in 1993, Red Hat has its corporate headquarters in Raleigh, North Carolina with satellite offices worldwide....
kernel developer Ingo Molnar
Ingo Molnar
Ingo Molnár, currently employed by Red Hat, is a Hungarian Linux hacker. He is best known for his contributions to the operating system in terms of security and performance...
released a Linux kernel patch named Exec Shield
Exec Shield
Exec Shield is a project started at Red Hat, Inc in late 2002 with the aim of reducing the risk of worm or other automated remote attacks on Linux systems. The first result of the project was a security patch for the Linux kernel that emulates an NX bit on x86 CPUs that lack a native NX...
to approximate and utilize NX functionality on 32-bit
32-bit
The range of integer values that can be stored in 32 bits is 0 through 4,294,967,295. Hence, a processor with 32-bit memory addresses can directly access 4 GB of byte-addressable memory....
x86 CPUs.
The Exec Shield patch was released to the Linux kernel mailing list
Linux kernel mailing list
The Linux kernel mailing list is the main electronic mailing list for Linux kernel development, where the majority of the announcements, discussions, debates, and flame wars over the kernel take place. Many other mailing lists exist to discuss the different subsystems and ports of the Linux...
on May 2, 2003. It was rejected for merging with the base kernel because it involved some intrusive changes to core code in order to handle the complex parts of the emulation trick.
- Hardware Supported Processors: All that Linux supports NX on
- Emulation: NX approximation using the code segmentCode segmentIn computing, a code segment, also known as a text segment or simply as text, is one of the sections of a program in an object file or in memory, which contains executable instructions....
limit on IA-32IA-32IA-32 , also known as x86-32, i386 or x86, is the CISC instruction-set architecture of Intel's most commercially successful microprocessors, and was first implemented in the Intel 80386 as a 32-bit extension of x86 architecture...
(x86) and compatible - Other Supported: None
- Standard Distribution: Fedora Core and Red Hat Enterprise LinuxRed Hat Enterprise LinuxRed Hat Enterprise Linux is a Linux-based operating system developed by Red Hat and targeted toward the commercial market. Red Hat Enterprise Linux is released in server versions for x86, x86-64, Itanium, PowerPC and IBM System z, and desktop versions for x86 and x86-64...
- Release Date: May 2, 2003
PaX
The PaXPaX
PaX is a patch for the Linux kernel that implements least privilege protections for memory pages. The least-privilege approach allows computer programs to do only what they have to do in order to be able to execute properly, and nothing more. PaX was first released in 2000.PaX flags data memory as...
NX technology can emulate an NX bit or NX functionality, or use a hardware NX bit. PaX works on x86 CPUs that do not have the NX bit, such as 32-bit x86.
The PaX project originated October 1, 2000. It was later ported to 2.6, and is at the time of this writing still in active development.
The Linux kernel still does not ship with PaX (as of May, 2007); the patch must be merged manually.
- Hardware Supported Processors: AlphaDEC AlphaAlpha, originally known as Alpha AXP, is a 64-bit reduced instruction set computer instruction set architecture developed by Digital Equipment Corporation , designed to replace the 32-bit VAX complex instruction set computer ISA and its implementations. Alpha was implemented in microprocessors...
, AMD64, IA-64, MIPSMIPS architectureMIPS is a reduced instruction set computer instruction set architecture developed by MIPS Technologies . The early MIPS architectures were 32-bit, and later versions were 64-bit...
(32 and 64 bit), PA-RISCPA-RISCPA-RISC is an instruction set architecture developed by Hewlett-Packard. As the name implies, it is a reduced instruction set computer architecture, where the PA stands for Precision Architecture...
, PowerPCPowerPCPowerPC is a RISC architecture created by the 1991 Apple–IBM–Motorola alliance, known as AIM...
, SPARCSPARCSPARC is a RISC instruction set architecture developed by Sun Microsystems and introduced in mid-1987.... - Emulation: IA-32IA-32IA-32 , also known as x86-32, i386 or x86, is the CISC instruction-set architecture of Intel's most commercially successful microprocessors, and was first implemented in the Intel 80386 as a 32-bit extension of x86 architecture...
(x86) - Other Supported: PowerPCPowerPCPowerPC is a RISC architecture created by the 1991 Apple–IBM–Motorola alliance, known as AIM...
(32 and 64 bit), SPARCSPARCSPARC is a RISC instruction set architecture developed by Sun Microsystems and introduced in mid-1987....
(32 and 64 bit) - Standard Distribution: Adamantix, Hardened GentooHardened GentooHardened Gentoo is a project of Gentoo Linux that is enhancing the distribution with security addons. Current security enhancements to Gentoo Linux can be:*SELinux**A system of mandatory access controls...
, Hardened Linux, Alpine LinuxAlpine LinuxAlpine Linux is a Linux distribution based on uClibc and BusyBox, which has the goal of being lightweight and secure by default while still being useful for general-purpose tasks. Alpine Linux uses PaX and grsecurity patches in the default kernel and compiles all packages with stack-smashing... - Release Date: October 1, 2000
Mac OS X
Mac OS XMac OS X
Mac OS X is a series of Unix-based operating systems and graphical user interfaces developed, marketed, and sold by Apple Inc. Since 2002, has been included with all new Macintosh computer systems...
for Intel supports the NX bit on all CPUs supported by Apple (from 10.4.4 – the first Intel release – onwards). Mac OS X 10.4 only supported NX stack protection. In Mac OS X 10.5, all 64-bit executables have NX stack and heap; W^X protection. This includes x86-64
X86-64
x86-64 is an extension of the x86 instruction set. It supports vastly larger virtual and physical address spaces than are possible on x86, thereby allowing programmers to conveniently work with much larger data sets. x86-64 also provides 64-bit general purpose registers and numerous other...
(Core 2 or later) and 64-bit PowerPC
PowerPC
PowerPC is a RISC architecture created by the 1991 Apple–IBM–Motorola alliance, known as AIM...
on the G5
PowerPC 970
The PowerPC 970, PowerPC 970FX, PowerPC 970GX, and PowerPC 970MP, are 64-bit Power Architecture processors from IBM introduced in 2002. When used in Apple Inc. machines, they were dubbed the PowerPC G5....
Macs.
NetBSD
As of NetBSDNetBSD
NetBSD is a freely available open source version of the Berkeley Software Distribution Unix operating system. It was the second open source BSD descendant to be formally released, after 386BSD, and continues to be actively developed. The NetBSD project is primarily focused on high quality design,...
2.0 and later (December 9, 2004), architectures which support it have non-executable stack and heap.
Those that have per-page granularity consist of: alpha, amd64, hppa, i386 (with PAE), powerpc (ibm4xx), sh5, sparc (sun4m, sun4d), sparc64.
Those that can only support these with region granularity are: i386 (without PAE), powerpc (e.g. macppc).
Other architectures do not benefit from non-executable stack or heap; NetBSD does not by default use any software emulation to offer these features on those architectures.
W^X
A technology in the OpenBSDOpenBSD
OpenBSD is a Unix-like computer operating system descended from Berkeley Software Distribution , a Unix derivative developed at the University of California, Berkeley. It was forked from NetBSD by project leader Theo de Raadt in late 1995...
operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
, known as W^X, marks writable pages by default as non-executable on processors that support that. On 32-bit x86 processors, the code segment is set to include only part of the address space, to provide some level of executable space protection.
OpenBSD 3.3 shipped May 1, 2003, and was the first to include W^X.
- Hardware Supported Processors: AlphaDEC AlphaAlpha, originally known as Alpha AXP, is a 64-bit reduced instruction set computer instruction set architecture developed by Digital Equipment Corporation , designed to replace the 32-bit VAX complex instruction set computer ISA and its implementations. Alpha was implemented in microprocessors...
, AMD64, HPPAPA-RISCPA-RISC is an instruction set architecture developed by Hewlett-Packard. As the name implies, it is a reduced instruction set computer architecture, where the PA stands for Precision Architecture...
, SPARCSPARCSPARC is a RISC instruction set architecture developed by Sun Microsystems and introduced in mid-1987.... - Emulation: IA-32IA-32IA-32 , also known as x86-32, i386 or x86, is the CISC instruction-set architecture of Intel's most commercially successful microprocessors, and was first implemented in the Intel 80386 as a 32-bit extension of x86 architecture...
(x86) - Other Supported: None
- Standard Distribution: Yes
- Release Date: May 1, 2003
Solaris
SolarisSolaris Operating System
Solaris is a Unix operating system originally developed by Sun Microsystems. It superseded their earlier SunOS in 1993. Oracle Solaris, as it is now known, has been owned by Oracle Corporation since Oracle's acquisition of Sun in January 2010....
has supported globally disabling stack execution on SPARC processors since Solaris 2.6 (1997); in Solaris 9 (2002), support for disabling stack execution on a per-executable basis was added.
As of Solaris 10 (2005), use of the NX bit is automatically enabled by default on x86 processors that support this feature. Exceptions are made for the 32-bit legacy ABI's treatment of a program's stack segment. The vast majority of programs will work without changes. However, if a program fails, the protection may be disabled via the enforce-prot-exec EEPROM option. Sun recommend that failures should be reported as program bugs.
Android
As of Android 2.3 and later, architectures which support it have non-executable pages by default, including non-executable stack and heap.Windows
Starting with Windows XPWindows XP
Windows XP is an operating system produced by Microsoft for use on personal computers, including home and business desktops, laptops and media centers. First released to computer manufacturers on August 24, 2001, it is the second most popular version of Windows, based on installed user base...
Service Pack
Service pack
A service pack is a collection of updates, fixes or enhancements to a software program delivered in the form of a single installable package. Many companies, such as Microsoft or Autodesk, typically release a service pack when the number of individual patches to a given program reaches a certain ...
2 and Windows Server 2003
Windows Server 2003
Windows Server 2003 is a server operating system produced by Microsoft, introduced on 24 April 2003. An updated version, Windows Server 2003 R2, was released to manufacturing on 6 December 2005...
Service Pack 1, the NX features were implemented for the first time on the x86 architecture.
Microsoft Windows uses NX protection on critical Windows service
Windows Service
On Microsoft Windows operating systems, a Windows service is a long-running executable that performs specific functions and which is designed not to require user intervention. Windows services can be configured to start when the operating system is booted and run in the background as long as...
s exclusively by default. Under Windows XP or Server 2003, the feature is called Data Execution Prevention
Data Execution Prevention
Data Execution Prevention is a security feature included in modern operating systems.It is known to be available in Linux, Mac OS X, and Microsoft Windows operating systems and is intended to prevent an application or service from executing code from a non-executable memory region. This helps...
(abbreviated DEP), and it can be configured through the advanced tab of "System" properties. If the x86 processor supports this feature in hardware, then the NX features are turned on automatically in Windows XP/Server 2003 by default. If the feature is not supported by the x86 processor, then no protection is given.
"Software DEP" is unrelated to the NX bit, and is what Microsoft calls their enforcement of Safe Structured Exception Handling. Software DEP/SafeSEH checks when an exception is thrown to make sure that the exception is registered in a function table for the application, and requires the program to be built with it.
Early implementations of DEP provided no address space layout randomization
Address space layout randomization
Address space layout randomization is a computer security method which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process's address space.- Benefits :Address space randomization hinders...
(ASLR), which allowed potential return-to-libc attack
Return-to-libc attack
A return-to-libc attack is a computer security attack usually starting with a buffer overflow in which the return address on the stack is replaced by the address of another instruction and an additional portion of the stack is overwritten to provide arguments to this function...
s that could have been feasibly used to disable DEP during an attack. The PaX
PaX
PaX is a patch for the Linux kernel that implements least privilege protections for memory pages. The least-privilege approach allows computer programs to do only what they have to do in order to be able to execute properly, and nothing more. PaX was first released in 2000.PaX flags data memory as...
documentation elaborates on why ASLR is necessary; a proof-of-concept was produced detailing a method by which DEP could be circumvented in the absence of ASLR. It may be possible to develop a successful attack if the address of prepared data such as corrupted images or MP3
MP3
MPEG-1 or MPEG-2 Audio Layer III, more commonly referred to as MP3, is a patented digital audio encoding format using a form of lossy data compression...
s can be known by the attacker. Microsoft added ASLR functionality in Windows Vista
Windows Vista
Windows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
and Windows Server 2008 to address this avenue of attack.
Outside of the x86 sphere, a version of NX also exists for Intel's IA-64 which is implemented in Windows on that architecture.
- Hardware Supported Processors: x86-64X86-64x86-64 is an extension of the x86 instruction set. It supports vastly larger virtual and physical address spaces than are possible on x86, thereby allowing programmers to conveniently work with much larger data sets. x86-64 also provides 64-bit general purpose registers and numerous other...
(AMD64 and Intel 64), IA-64, EfficeonEfficeonThe Efficeon processor is Transmeta's second-generation 256-bit VLIW design which employs a software engine to convert code written for x86 processors to the native instruction set of the chip...
, Pentium MPentium MThe Pentium M brand refers to a family of mobile single-core x86 microprocessors introduced in March 2003 , and forming a part of the Intel Carmel notebook platform under the then new Centrino brand...
(later revisions), AMD Sempron (later revisions) - Emulation: No
- Other Supported: None
- Standard Distribution: Windows XPWindows XPWindows XP is an operating system produced by Microsoft for use on personal computers, including home and business desktops, laptops and media centers. First released to computer manufacturers on August 24, 2001, it is the second most popular version of Windows, based on installed user base...
Service Pack 2, Windows Server 2003Windows Server 2003Windows Server 2003 is a server operating system produced by Microsoft, introduced on 24 April 2003. An updated version, Windows Server 2003 R2, was released to manufacturing on 6 December 2005...
Service Pack 1, Windows XP Professional x64 EditionWindows XP Professional x64 EditionMicrosoft Windows XP Professional x64 Edition released on April 25, 2005 is an edition of Windows XP for x86-64 personal computers. It is designed to use the expanded 64-bit memory address space provided by the x86-64 architecture....
, Windows VistaWindows VistaWindows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs... - Release Date: August 6, 2004