Merry Christmas!

I’m catching up with some RSS feeds, including the Linux Weekly News (LWN). This is a high-quality news site for Linux, and being issued just weekly is a nice feature for all those suffering from information overload.

They had an interesting article some weeks ago on Virtual Machines and Memory Protection. If you are interested in system and application security, this is an interesting read.

SELinux has permissions called “execmem” and “execstack”. Basically these allow applications to map some memory executeable, or execute their own stack. Back in the assembler days, some techniques relied on this, but it has lately become frowned upon: most buffer overflow and other attacks used by viruses and worms relied on an executable stack or memory. Recently, Intel and AMD added support for “non-executable” bits for memory maps, i.e. hardware support to enforce these permissions; this was sold as an achievement in application security.

Though this is mostly true - tons of attacks rely on this permission - it’s not that easy. Modern programming languages such as Java and C# rely on so called Just-In-Time compilation for fast execution. (And future version of perl and python will probably do that, too.) And JIT requires executable memory, because it basically compiles the VMs bytecode into (optimized) machine code, and executes it.

Now you could say: okay, let’s just grant mono and java the execmem permission; (which is also what SELinux does) - and this will probably be okay unless there is some grave error in the mono or java runtime. Or any other native library they use. And this is where the problems start: both Mono and Java rely to a certain extend on native libraries. For example the GTK libraries for the UI. Mono applications can also use gstreamer, gnome-vfs, zlib, libpng, libjpeg, …

That means, security issues in these libraries that need execmem and would not work on native applications can suddenly be exploitable in mono and java apps.

Since we can’t do without execmem for Java and Mono: the executable bit for memory does add some extra layers, but doesn’t give you full protection from this kind of attacks, sorry. No magic “my computer is no longer hackable because I have the NX bit”.

With an NX Bit capable operating system such as Windows XP SP2, harmful viruses are stopped before it can cause any damage to the system.

… unless you’re using .NET or Java applications.