Exploiting Linux vulnerabilities 8129

On Sunday 22 January 2006 05:05, GreyCloud stood up and spoke the following words to the mbuttes incomp.os.linux.advocacy...:

And we could even add - although I'm sure that Erik knows this as well by now - that the Linux kernel can make use of a software-implementedNXbit on IA32 when the kernel is compiled for 64 GB memory support.

For those who don't follow the logic...: If a 32-bit Linux kernel has support for up to 64 GB of physical memory - this is possible only on i686 and above - the CPU must be running in PAE mode, i.e. "Physical Address Extension". In PAE mode, the CPU uses 36 bits for memory addressing, which are of course used in a paged mode - typically with 3 GB of virtual address space for each process - as the kernel can only use 32 bits at once.

When the CPU is running in PAE mode, the Linux kernel can implement anNXbit via software on IA32. IA32 is the only modern microprocessor that still doesn't have anNXimplementation in hardware. IA32-64 and IA64 do have that feature in hardware, but it can of course only be used when they're running in 64-bit mode.

For those who have a genuine IA64 - i.e. the Itanium or Itanium-2 - or who have an IA32-64 CPU - such as AMD64 or EM64T - and who wish to run a 32-bit version of GNU-Linux, PAE is of course also available there.

The default choice in the Linux kernel is to useNXwhenever possible, i.e. via hardware when in 64-bit mode on a 64-bit CPU, via software when the CPU is in 32-bit PAE mode. It would take a boot parameter to disable it, and I can't imagine anyone wanting to disable it.

As far as I know, only special corporate versions of Windows - 2003 Server and above, probably - have support for up to 64 GB of physical memory and thus for PAE. The natively 64-bit versions of Windows do of course also feature support for a hardwareNXimplementation.

I do however not know whether Windows implements a softwareNXbit on its 32-bit 64 GB-supporting versions. What I do know is that it does use the hardwareNXimplementation on machines that have it, but that excludes all IA32 machines and they are still in the majority.

One *could* of course counter this - and I'm quite sure that Erik would if I hadn't written the following myself - that not all Linux kernels are compiled for PAE support. In fact, most distributions still compile their kernels for a one-size-fits-all i586 CPU, and with support for only 1 GB of memory.

On the other hand, many distributions supply extra kernels along with their installation, and some of those kernels may have 64 GB support. Mandriva is such a distribution, and I believe Fedora Core and RedHat also provide for such "heavier" kernels.

The free nature of GNU-Linux does of course give every user - intellectually capable or not - the opportunity to "roll his own", either by making a few simple changes to the *.config* of the stock distro kernel or by fetching, configuring and compiling a vanilla kernel.

GNU-Linux users who use Gentoo, LFS, Slackware and many of the users of other distributions are already familiar with using custom-configured and custom-compiled kernels. This also narrows down the range of GNU-Linux users who would be affected by a genuine virus that were explicitly intended to run on any modern GNU-Linux system and that were to work by explicitly executing code from within a data-holding memory page.

This target range is even narrowed down further by the headstart to the kernel developers on the virus developers provided by the rapid evolution of the kernel code - not even to mention userspace application development. Security has always been a concern in UNIX-POSIX and thus in GNU-Linux, as opposed to in Microsoft products. This is one other reason as to why Windows systems will always be more likely to be targeted by the writers of malware.

Whether it is on Windows or on GNU-Linux, or on whatever other system,NXdoes work and should not be dismissed. It's an important buttet in the battle for more security from malware, and that's why it's being used and endorsed.

-- With kind regards,

*Aragorn* (Registered GNU-Linux user #223157)