Perpendiculous Programming, Personal Finance, and Personal musings

2010.06.28

NX in action

Filed under: Programming — cwright @ 1:49 am

NX, or the No eXecute bit, is an interesting technology that prevents instructions on the stack from getting executed.  The reason for this is security (stack smashing becomes a bit more difficult for a would-be attacker), and the implications are typically few and far between. The way it works is by marking stack memory pages as non-executable (but still read/writable; historically, x86 only had read/write, and read implied execute).  Pretty simple stuff.

One of the more interesting aspects (on OS X at least) is that in 32bit mode, the heap is automatically executable (no need for mmap() and friends), while in 64bit mode, even the heap is NX’d.  This makes heap overflows much more difficult to exploit; you’re pretty much stuck needing to do a return-to-libc attack (which is still possible, mind you — NX does nothing to prevent that sort of attack).

Here’s some example code:

#include <stdio.h>
#include <unistd.h>

void (*f)();

int main() { void *ptr = malloc(16); memset(ptr, 0xc3, 16);    // 0xc3 = RET f = ptr;

printf("Executing from heap\n"); f(); printf("we're still alive.\n");

char buffer[16]; memset(buffer, 0xc3, 16); f = buffer; printf("next up, from the stack\n"); f(); printf("we're still alive.\n");

return 0; }

Compile using gcc nx.c -o nx -m32, and you’ll see the program crash on the “next up, from the stack” step. Swap in -m64 instead of -m32, and you’ll see it crash immediately after “Executing from the heap.”

None of this is particularly new or earth-shattering, but it’s a neat little concept to play with. For self-modifying code paths, or JIT compilers, this can be require a slight detour (though JITs should be using mmap() by now anyway).

No Comments »

No comments yet.

RSS feed for comments on this post. TrackBack URL

Leave a comment

Powered by WordPress