OoOoOoO
Posted December 8, 2006

Some interesting info about nx-bit in xnu taken from

Mac OS X Internals: A Systems Approach
By Amit Singh
Publisher: Addison Wesley Professional

A.7.2. Nonexecutable Stack

The processors used in the x86-based Macintosh computers support a per-page nonexecutable bit, which can be used to implement a nonexecutable stack. The latter is one approach to countering the stack overflow class of security attacks. The approach can be generalized to making any kind of buffers nonexecutable, so that even if an attacker manages to introduce rogue code into a program's address space, it simply cannot be executed. This bit is enabled on the x86 version of Mac OS X. The program shown in Figure A5 attempts to "execute" the stack, which contains illegal instructions (all zeros). The program will fail with an illegal instruction error on the PowerPC. In contrast, on the x86, access to the memory would be disallowed for execution, and the program would fail with a bus error.

Figure A5. Testing a nonexecutable stack on the x86 version of Mac OS X

    // runstack.c

    #include <sys/types.h>

    typedef void (* funcp_t)(void);

    int
    main(void)
    {
        funcp_t funcp;
        uint32_t stackarray[] = { 0 };

        funcp = (funcp_t)stackarray;
        funcp();

        return 0;
    }

    $ gcc -Wall -o runstack runstack.c

    $ machine
    ppc970
    $ ./runstack
    zsh: illegal hardware instruction ./runstack

    $ machine
    i486
    $ ./runstack
    Bus error

Note, however, that a program can programmatically change a page's protection value to allow for execution. For example, the vm_protect() Mach call (see Chapter 8 for details) can be used for this purpose.

    // stackarray not executable
    ...
    vm_protect(mach_task_self(), stackarray, 4, FALSE, VM_PROT_ALL);
    // stackarray executable now
    ...

cel d 315, myself built kernel without nonx patch result in Illegal instruction O.O.