From owner-freebsd-arch@FreeBSD.ORG Sun Aug 24 00:51:08 2008 Return-Path: Delivered-To: freebsd-arch@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C81B91065684 for ; Sun, 24 Aug 2008 00:51:08 +0000 (UTC) (envelope-from mat.macy@gmail.com) Received: from rv-out-0506.google.com (rv-out-0506.google.com [209.85.198.231]) by mx1.freebsd.org (Postfix) with ESMTP id A091D8FC21 for ; Sun, 24 Aug 2008 00:51:08 +0000 (UTC) (envelope-from mat.macy@gmail.com) Received: by rv-out-0506.google.com with SMTP id b25so1766273rvf.43 for ; Sat, 23 Aug 2008 17:51:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:sender :to:subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references :x-google-sender-auth; bh=eBiHuy0zueW6kV/WXAYUMNMLL4x+coNbGJH8mLCTik8=; b=knwoVcRXxPNYbrzzgAbDqDokYit2IbWEnAcI4IluGHaR6GB+GZom1bpnBB0nLIWdoK 6TqmFxGEdxyQMdrDj9Sbq4oV1kqzMM6/srOHYSNNNxaChNwax4aqD9BMv8m7JX0Dc96W cah5Wa7fyyg181/FDRiVIYkbdM8pOW8tr2u20= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references:x-google-sender-auth; b=kgmVcP5AvFZLtWYjJ7EgBPUO8AoGPBcbRvICLCMHkiZdaUA6m4TkaN1I2IemrKExDD 0W4xkexS1x+c8bC1doAsb41iaEbIkFITpBxa+kAbkla5dSJ346I82MZvM15TZky3M5pr 5J/Fwrv4vG8Dk/RnjvrS1edOj6l5vQRrSsDiY= Received: by 10.141.29.21 with SMTP id g21mr1342861rvj.248.1219539067799; Sat, 23 Aug 2008 17:51:07 -0700 (PDT) Received: by 10.141.101.21 with HTTP; Sat, 23 Aug 2008 17:51:07 -0700 (PDT) Message-ID: <3c1674c90808231751h3d11d52at2eac1eb21cd8940b@mail.gmail.com> Date: Sat, 23 Aug 2008 17:51:07 -0700 From: "Kip Macy" Sender: mat.macy@gmail.com To: "Ivan Voras" In-Reply-To: <9bbcef730808231741o5e765f3bh546475b28fe51f9b@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <3c1674c90808231713x47e42de5oa9fc2f2f244d2e74@mail.gmail.com> <9bbcef730808231741o5e765f3bh546475b28fe51f9b@mail.gmail.com> X-Google-Sender-Auth: 03fe686ac1e7b6b7 Cc: freebsd-arch@freebsd.org Subject: Re: FreeBSD and DEP aka "NX bit"? X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 24 Aug 2008 00:51:08 -0000 On Sat, Aug 23, 2008 at 5:41 PM, Ivan Voras wrote: > 2008/8/24 Matthew Macy : >> On Sat, Aug 23, 2008 at 5:04 PM, Ivan Voras wrote: >>> I stumbled upon this Wikipedia page: >>> http://en.wikipedia.org/wiki/Comparison_of_BSD_operating_systems#Security_features >>> and it mentions NX bit is supported in FreeBSD. Is this true? Is it >>> enabled by default? >> >> Yes. However, it is in the upper word so it only works with PAE or >> amd64. "jemalloc" maps the heap NX and thread stacks are mapped NX. >> The default process stack currently needs to be executable because >> sigcode is placed at the start of the stack at the time of process >> creation. > > Thanks! > > How useful is it without protecting the default stack? IIRC wasn't > stack protection one of the main (marketed) bonuses for NX? (I'm > thinking of the majority of currently popular server software like > apache (preforked) and PostgreSQL...) FreeBSD could certainly take better advantage of it. It also doesn't help that the default process stack always starts at the same address. However, SSP does mitigate some of the risk. -Kip