NX bit

from Wikipedia, the free encyclopedia

The NX bit (No eXecute) is a feature of x86-family processors intended to enhance the security of a computer. Its purpose is to prevent arbitrary data from being executed as program code, and thus to stop malicious code (e.g. viruses, backdoors and the like) from being launched that way. In Windows operating systems (from Windows XP SP2 onward) the technology is also referred to as Data Execution Prevention (DEP for short).

Similar technologies have existed for some time on other processor architectures, for example IBM's PowerPC, Sun's SPARC and the Alpha processors.

History

Since the Intel 80286, protected mode has made it possible to mark individual memory segments as executable (code segments) or non-executable (data segments). If an attempt is made to execute code at an address inside a segment marked non-executable, the CPU raises a hardware exception that the operating system intercepts; the program in question can then be terminated.

Today's operating systems also use protected mode, but they employ a so-called "flat memory model" in which all segments span the same linear address space. Segment-based memory protection is thus effectively nullified, and there is no longer any separation between code and data areas.

AMD therefore introduced the technology to the x86 market with the Athlon 64 processor under the name NX bit; AMD markets it as Enhanced Virus Protection (EVP). Intel also uses the technique in its Itanium processors and in the later Pentium 4, Pentium M and Core models, under the name XD bit (eXecute Disable). Transmeta and VIA/Centaur likewise offer CPUs with an NX bit.

Functionality

64-bit page directory entry

  Bits:     63 | 62 … 52  | 51 … 32
  Content:  NX | reserved | bits 51 … 32 of the base address

  Bits:     31 … 12                          | 11 … 9 | 8  | 7 | 6  | 5 | 4   | 3   | 2   | 1   | 0
  Content:  bits 31 … 12 of the base address | AVL    | ig | 0 | ig | A | PCD | PWT | U/S | R/W | P

  (AVL = available to software, ig = ignored, A = accessed, PCD = page-level cache disable, PWT = page-level write-through, U/S = user/supervisor, R/W = read/write, P = present)

Today's operating systems rely exclusively on page-based memory management for memory protection. On the IA-32 architecture this allows a distinction between pages that are "read-only" and pages that are "read/write" (see bit 1, "R/W", in the page table entry), but no distinction between "read" (data) and "execute" (code) is provided. AMD used bit 63 for the NX bit in the 64-bit page tables and page directories. 64-bit page tables and directories are only used in 64-bit mode and in 32-bit mode with Physical Address Extension (PAE) enabled.

The operating system, if it supports the feature, sets the NX bit for the stack and other data areas in main memory so that they can no longer be executed. If a program attempts to execute code on one of these marked pages, whether because of a bug or an infection with malicious code, the CPU intercepts the attempt and reports it to the operating system via a hardware exception (a page fault), and the operating system then terminates the affected program.
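As an added illustration (not from the article), the following C model of the 64-bit entry format from the table above builds entries the way an operating system would and decides whether a read, write or instruction fetch on that page succeeds or faults. The function names are assumptions; the bit positions are those from the table, with the physical base address occupying bits 51…12, and the processor's NX-enable control (EFER bit 11, mentioned below) is modelled as a boolean.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions of a 64-bit (PAE / long-mode) page table entry, as in the
 * table above. Only the fields needed for the access check are named. */
#define PTE_P         (1ULL << 0)   /* present */
#define PTE_RW        (1ULL << 1)   /* 1 = read/write, 0 = read-only */
#define PTE_US        (1ULL << 2)   /* 1 = user-accessible, 0 = supervisor only */
#define PTE_NX        (1ULL << 63)  /* 1 = no execute (only honoured when NX is enabled) */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL /* bits 51..12: physical base address */

/* Build an entry for a 4 KiB page, as an OS does when mapping it. */
static uint64_t make_pte(uint64_t phys, bool writable, bool user, bool nx)
{
    uint64_t e = (phys & PTE_ADDR_MASK) | PTE_P;
    if (writable) e |= PTE_RW;
    if (user)     e |= PTE_US;
    if (nx)       e |= PTE_NX;
    return e;
}

/* Physical base address stored in the entry (bits 51..12). */
static uint64_t pte_phys(uint64_t e) { return e & PTE_ADDR_MASK; }

/* Returns true if the access succeeds, false if the CPU would raise a page
 * fault. nx_enabled models EFER bit 11: when it is clear, bit 63 is not a
 * permission bit and the NX marking has no effect. Simplification: write
 * protection is assumed to apply in supervisor mode too (CR0.WP = 1). */
static bool pte_access_ok(uint64_t e, bool write, bool exec, bool user_mode, bool nx_enabled)
{
    if (!(e & PTE_P))                 return false; /* page not present */
    if (user_mode && !(e & PTE_US))   return false; /* supervisor-only page */
    if (write && !(e & PTE_RW))       return false; /* read-only page */
    if (exec && nx_enabled && (e & PTE_NX)) return false; /* NX: no instruction fetch */
    return true;
}

int main(void)
{
    /* Constructed sample mappings: a user stack page (RW, NX) and a user
     * code page (read-only, executable). */
    uint64_t stack = make_pte(0x0000000123456000ULL, true,  true, true);
    uint64_t code  = make_pte(0x0000000000401000ULL, false, true, false);

    printf("stack: read %d write %d exec %d (NX on), exec %d (NX off)\n",
           pte_access_ok(stack, false, false, true, true),
           pte_access_ok(stack, true,  false, true, true),
           pte_access_ok(stack, false, true,  true, true),
           pte_access_ok(stack, false, true,  true, false));
    printf("code:  read %d write %d exec %d\n",
           pte_access_ok(code, false, false, true, true),
           pte_access_ok(code, true,  false, true, true),
           pte_access_ok(code, false, true,  true, true));
    return 0;
}
```

The last field of the first line shows the point made above: if the operating system has not enabled NX, a data page marked with bit 63 can still be executed.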

This procedure partially departs from the von Neumann principle of holding data and programs in a shared memory. However, only the execution of code in data areas (e.g. on the stack or heap) is prevented; the buffer overflow itself is not prevented. If the overflow instead triggers a jump to an existing code page, the no-execute technique has no effect. Consequently, despite this technology, arbitrary code can still be executed, for example by means of a "return into libc".

Operating systems

Windows

Microsoft's Windows operating system supports DEP from Windows XP SP2 onward, provided the processor offers the capability. As of Windows Vista, the settings are visible to the user (System Properties → Advanced → Performance → Settings → Data Execution Prevention). Windows 8 and newer Windows versions cannot be started on processors without an NX bit.

Linux

The Linux kernel has supported the NX bit since version 2.6.8, for which either a 64-bit kernel (x64, x86_64, amd64) or a 32-bit kernel with PAE enabled on a processor that supports it must be used.

macOS

Apple's operating system macOS (formerly "Mac OS X" and "OS X") supports the NX bit from version 10.6 "Snow Leopard" onward.

CPUs with NX bit

CPUs with the NX bit feature can be recognized by software by bit 11 being set in the Extended Feature Enable Register (EFER). This model-specific register can only be read by privileged software (system software), for example by the operating system kernel.

AMD

Intel

Others

Web links
