--On 31 March 2003 19:52 -0500 Jim Magee <jmagee(a)apple.com> wrote:
Implement what?
We already mark all stacks as read-write-noexecute. But, as I just said,
"the hardware can't honor it." Do you want us to change the PowerPC
architecture?
Yes, wherever it has shortcomings, I would like you to! :-)
Or do you think it is worth taking 256MB of virtual address space from
each task and making it no-execute, and then forcing all stacks to be in
there (requiring many/most programs to be re-built to adapt to it)?
I haven't read up on the ppc mmu, but if I understand you
correctly:
Yes, I do believe I would prefer the loss of 256MB virtual address
space before having the entire memory space executable.
What is the limit today, 2.5G or something? How many apps
fit well in 2.5G but absolutely not in 2.25G? Sure, more
space for apps is good, but if you are that close you will
probably have to take other measures to handle it anyway.
/ragge
_______________________________________________
darwin-kernel mailing list | darwin-kernel(a)lists.apple.com
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-kernel
Do not post admin requests to the list. They will be ignored.
On Monday, March 31, 2003, at 7:10 PM, Ragnar Sundblad wrote:
--On Sun, 30 Mar 2003 23:35:01 -0500 Jim Magee <jmagee(a)apple.com>
wrote:
I think you need to read that again. The effect of the no-execute bit
is discussed on a page basis, but the bit itself is only settable at
the segment level. So, you have to give up 256 MB section(s) of your
address space to non-execute status, and you have to assure all stacks
are in that range. That was deemed too restrictive at the time.
...
I really do think that darwin should have at least non-executable
stack, but preferably code should only run from where it has
been explicitly allowed to. This OS is supposed to also be
handled by people who don't have 24 hour watch of CERT advisories.
How much work would it be to implement this? Will apple look
into doing it?
Implement what?
We already mark all stacks as read-write-noexecute. But, as I just
said, "the hardware can't honor it." Do you want us to change the
PowerPC architecture?
Or do you think it is worth taking 256MB of virtual address space from
each task and making it no-execute, and then forcing all stacks to be
in there (requiring many/most programs to be re-built to adapt to it)?
We are already under pressure to release some of our reserved address
space back to application control. I don't think this will go over all
that well with those folks.
--Jim
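As an added example, not from this thread and not Apple's or Darwin's code: a small C probe that checks whether the platform actually refuses to execute from a page mapped read-write with no execute permission. That is the check behind Jim's "the hardware can't honor it": Mach marked stacks read-write-noexecute, but the 32-bit PowerPC MMU could only refuse execution per 256 MB segment, so on a 2003 PowerPC Darwin box this probe would have reported the RW page as executable. On a current x86-64 or arm64 Linux system with NX/XN it reports the page as refused. The per-architecture "return" instruction encodings, the fork-based crash detection and the POSIX mmap/mprotect calls are my assumptions, not anything stated in the thread.

```c
/* Added example: probe whether a PROT_READ|PROT_WRITE page is really
 * non-executable on this host. Not code from the darwin-kernel thread. */
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Store one "return to caller" instruction for the host ISA at dst.
 * Returns the instruction length, or 0 if the ISA is not covered.
 * Encodings are assumptions for the listed architectures. */
static int write_ret_insn(unsigned char *dst)
{
#if defined(__x86_64__) || defined(__i386__)
    dst[0] = 0xC3;                          /* ret */
    return 1;
#elif defined(__aarch64__)
    uint32_t insn = 0xD65F03C0u;            /* ret, stored in native byte order */
    memcpy(dst, &insn, 4);
    return 4;
#elif defined(__powerpc__) || defined(__powerpc64__)
    uint32_t insn = 0x4E800020u;            /* blr, stored in native byte order */
    memcpy(dst, &insn, 4);
    return 4;
#else
    (void)dst;
    return 0;                               /* unknown ISA: caller reports -1 */
#endif
}

/* Map one page, place a return instruction in it, set the requested
 * protection and jump to it from a forked child.
 * Returns 1 if the child died from a signal (execution refused),
 *         0 if the call returned normally (execution allowed),
 *        -1 on any setup error. */
static int probe_exec(int prot)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    if (pagesz <= 0) return -1;

    /* Map writable first so the instruction can be stored, then apply prot. */
    void *page = mmap(NULL, (size_t)pagesz, prot | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;

    int len = write_ret_insn(page);
    if (len == 0) { munmap(page, (size_t)pagesz); return -1; }
    __builtin___clear_cache((char *)page, (char *)page + len);

    if (mprotect(page, (size_t)pagesz, prot) != 0) {
        munmap(page, (size_t)pagesz);
        return -1;
    }

    pid_t pid = fork();
    if (pid < 0) { munmap(page, (size_t)pagesz); return -1; }
    if (pid == 0) {
        void (*fn)(void);
        memcpy(&fn, &page, sizeof fn);      /* data pointer -> function pointer */
        fn();                               /* faults here if NX is honoured */
        _exit(0);
    }

    int status = 0;
    int rc = -1;
    if (waitpid(pid, &status, 0) == pid) {
        if (WIFSIGNALED(status)) rc = 1;
        else if (WIFEXITED(status) && WEXITSTATUS(status) == 0) rc = 0;
    }
    munmap(page, (size_t)pagesz);
    return rc;
}

int main(void)
{
    int rw = probe_exec(PROT_READ | PROT_WRITE);
    int rx = probe_exec(PROT_READ | PROT_EXEC);
    printf("read/write, no-exec page: %s\n",
           rw == 1 ? "execution refused (NX honoured)" :
           rw == 0 ? "executed anyway (NX not honoured)" : "probe error");
    printf("read/exec page: %s\n",
           rx == 0 ? "executed" : rx == 1 ? "refused" : "probe error");
    return 0;
}
```

The fork keeps the fault in a throwaway child, so the probe itself survives either outcome. On a kernel with PaX MPROTECT or SELinux execmem restrictions the read/exec probe can fail at mmap or mprotect and report -1; that is the probe being denied a writable-then-executable page, not a statement about the stack.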
--On Sun, 30 Mar 2003 23:35:01 -0500 Jim Magee <jmagee(a)apple.com> wrote:
I think you need to read that again. The effect of the no-execute bit
is discussed on a page basis, but the bit itself is only settable at
the segment level. So, you have to give up 256 MB section(s) of your
address space to non-execute status, and you have to assure all stacks
are in that range. That was deemed too restrictive at the time.
That seems rather unfortunate. As we all know, buffer overflow
problems are really common. Maybe it even is _the_ most frequent
unix security hole currently.
I believe that some or all of the X-bsds has taken steps to
disallow running code also from data space, which would make
overwriting a return address and jump into a data buffer
tricky too.
I really do think that darwin should have at least non-executable
stack, but preferably code should only run from where it has
been explicitly allowed to. This OS is supposed to also be
handled by people who don't have 24 hour watch of CERT advisories.
How much work would it be to implement this? Will apple look
into doing it?
/ragge