From: "Ivan Voras"
Date: Sun, 24 Aug 2008 02:41:02 +0200
To: "Matthew Macy"
Cc: freebsd-arch@freebsd.org
Subject: Re: FreeBSD and DEP aka "NX bit"?

2008/8/24 Matthew Macy:
> On Sat, Aug 23, 2008 at 5:04 PM, Ivan Voras wrote:
>> I stumbled upon this Wikipedia page:
>> http://en.wikipedia.org/wiki/Comparison_of_BSD_operating_systems#Security_features
>> and it mentions NX bit is supported in FreeBSD. Is this true? Is it
>> enabled by default?
>
> Yes. However, it is in the upper word so it only works with PAE or
> amd64. "jemalloc" maps the heap NX and thread stacks are mapped NX.
> The default process stack currently needs to be executable because
> sigcode is placed at the start of the stack at the time of process
> creation.

Thanks! How useful is it without protecting the default stack? IIRC
wasn't stack protection one of the main (marketed) bonuses for NX? (I'm
thinking of the majority of currently popular server software like
apache (preforked) and PostgreSQL...)
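
One way to check on a host the layout the quoted reply describes (heap and thread stacks NX, main stack executable), as an added example that is not part of the original message: the script parses a `procstat -v` style listing and reports mappings that are both writable and executable. The sample listing is constructed, and treating the `D` (grows down) flag as the stack marker is an assumption.

```python
# Added example (not from the original thread). The listing is constructed
# sample data laid out like FreeBSD `procstat -v` output.
SAMPLE = """\
  PID              START                END PRT  RES PRES REF SHD FLAG  TP PATH
 1234           0x400000           0x4a1000 r-x  120  130   2   1 CN--- vn /usr/local/sbin/httpd
 1234           0x6a0000           0x6a8000 rw-    6    0   1   0 C---- vn /usr/local/sbin/httpd
 1234        0x800a00000        0x800e00000 rw-  310    0   1   0 ----- df
 1234     0x7fffffbdf000     0x7fffffbff000 rw-    3    0   1   0 ---D- df
 1234     0x7ffffffdf000     0x7ffffffff000 rwx    5    0   1   0 ---D- df
"""


def parse_procstat_v(text):
    """Parse `procstat -v` style text into a list of mapping dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    maps = []
    for ln in lines[1:]:
        # Anonymous mappings have no PATH column; zip() just leaves it out.
        row = dict(zip(header, ln.split()))
        maps.append({
            "start": int(row["START"], 16),
            "end": int(row["END"], 16),
            "prot": row["PRT"],
            "flags": row.get("FLAG", ""),
            "path": row.get("PATH", ""),
        })
    return maps


def audit(maps):
    """Return (writable+executable mappings, executable grows-down mappings)."""
    wx = [m for m in maps if "w" in m["prot"] and "x" in m["prot"]]
    # Assumption: a "D" (grows down) flag marks a stack region.
    exec_stacks = [m for m in maps if "x" in m["prot"] and "D" in m["flags"]]
    return wx, exec_stacks


def report(text):
    """One line per finding, suitable for a periodic host check."""
    wx, exec_stacks = audit(parse_procstat_v(text))
    out = []
    for m in wx:
        kind = "stack" if m in exec_stacks else (m["path"] or "anonymous")
        out.append(f"W+X {m['start']:#x}-{m['end']:#x} {m['prot']} {kind}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)) or "no writable+executable mappings")
```

On a live system the input would be the output of `procstat -v <pid>` instead of `SAMPLE`.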