In <4cb3406e.5020...@extendedsubset.com>, Marsh Ray wrote:
>On 10/10/2010 12:40 PM, Kees Cook wrote:
>> On Sun, Oct 10, 2010 at 01:35:10PM -0400, Brchk05 wrote:
>>> this means that my CPU supports nx but I do
>>> not have the right type of kernel, i.e., one that uses PAE
>>> addressing, to support enforcement (or is that part Ubuntu
>>> specific). Does this sound plausible?
>>
>> That is quite likely, yes. If you're running 64bit, you already have
>> PAE mode. If you're running 32bit, you'll need to check your kernel's
>> CONFIG options for PAE. The default for 32bit is _not_ PAE mode, so
>> this is probably what is happening.
>
>Anyone else perceive this situation as being a bit sub-optimal from the
>security perspective?

No.

>I'm quite certain there are lots of Debian server admins out there who
>had assumed that in the year 2010 their operating system is not going to
>disable the nonexecutable page protection which is built into every
>modern processor.

Debian server admins are running amd64, not i386, and NX is supported by default on 64-bit kernels. Even if they are running the i386 arch because of some random closed app they have to have on top of Debian, they can run the amd64 kernel.

>Yes, I have always thought that PAE in general was a kludge, but the NX
>bit is now a fundamental part of the process integrity provided by the
>CPU. It's been available in the 2.6 kernel, and shipped in MS Windows,
>since 2004.

MS Windows also defaults to PAE.

>What can be done to not disable page protections in the default kernel?

Enable PAE. From what I understand, the features are not separable in the i386 kernel. You either suffer under PAE and get NX, or you suffer without NX and drop PAE.

-- 
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
b...@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                     \_/
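The check the thread keeps circling (CPU advertises nx, but a 32-bit kernel only enforces it when built with PAE) can be scripted. The following POSIX shell script is an added example written for this page; it is not part of the thread and not Debian or kernel tooling. It assumes the kernel config is readable at /boot/config-$(uname -r) (where Debian installs it), and the cpuinfo and config texts used for the sample runs are constructed, not captured from a real machine:

```shell
#!/bin/sh
# Added example: decide whether a Linux x86 system can actually enforce NX.
# Logic follows the thread: the CPU must list "nx" in its flags, AND the
# kernel must use 64-bit page-table entries, i.e. either an amd64 kernel
# (uname -m = x86_64) or an i386 kernel built with CONFIG_X86_PAE=y.

# $1 = contents of /proc/cpuinfo. True if any "flags" line lists nx.
cpu_has_nx() {
    printf '%s\n' "$1" | grep -E '^flags[[:space:]]*:' | grep -qw 'nx'
}

# $1 = contents of a kernel config file. True if PAE is compiled in.
kernel_has_pae() {
    printf '%s\n' "$1" | grep -qx 'CONFIG_X86_PAE=y'
}

# $1 = machine type (uname -m), $2 = cpuinfo text, $3 = kernel config text.
# Prints one of: enforced, no-pae, no-nx-cpu, unknown-arch
nx_status() {
    arch=$1; cpuinfo=$2; config=$3
    if ! cpu_has_nx "$cpuinfo"; then
        echo no-nx-cpu
        return
    fi
    case "$arch" in
        x86_64)
            # 64-bit kernels always use PAE-style page tables, so NX works.
            echo enforced ;;
        i386|i486|i586|i686)
            # 32-bit kernel: NX is only honoured when built with PAE.
            if kernel_has_pae "$config"; then echo enforced; else echo no-pae; fi ;;
        *)
            echo unknown-arch ;;
    esac
}

# Runs the check against the live system (assumes Debian's config path).
check_running_system() {
    [ -r /proc/cpuinfo ] || { echo unknown-arch; return; }
    cfg=$(cat "/boot/config-$(uname -r)" 2>/dev/null)
    nx_status "$(uname -m)" "$(cat /proc/cpuinfo)" "$cfg"
}

# Constructed sample inputs (not from a real machine).
SAMPLE_CPUINFO='processor	: 0
vendor_id	: GenuineIntel
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm'

SAMPLE_CONFIG_NOPAE='CONFIG_X86_32=y
# CONFIG_X86_PAE is not set
CONFIG_HIGHMEM4G=y'

SAMPLE_CONFIG_PAE='CONFIG_X86_32=y
CONFIG_X86_PAE=y
CONFIG_HIGHMEM64G=y'

echo "i686 kernel, no PAE : $(nx_status i686 "$SAMPLE_CPUINFO" "$SAMPLE_CONFIG_NOPAE")"
echo "i686 kernel, PAE    : $(nx_status i686 "$SAMPLE_CPUINFO" "$SAMPLE_CONFIG_PAE")"
echo "x86_64 kernel       : $(nx_status x86_64 "$SAMPLE_CPUINFO" "")"
echo "this machine        : $(check_running_system)"
```

A result of no-pae on a box whose CPU lists nx is exactly the situation Brchk05 describes: the hardware can enforce it, but the running i386 kernel was not built to use it, and the fix is a PAE-enabled or amd64 kernel, not a CPU change.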