Date:      Sat, 23 Aug 2008 17:51:07 -0700
From:      "Kip Macy" <kmacy@freebsd.org>
To:        "Ivan Voras" <ivoras@freebsd.org>
Cc:        freebsd-arch@freebsd.org
Subject:   Re: FreeBSD and DEP aka "NX bit"?
Message-ID:  <3c1674c90808231751h3d11d52at2eac1eb21cd8940b@mail.gmail.com>
In-Reply-To: <9bbcef730808231741o5e765f3bh546475b28fe51f9b@mail.gmail.com>
References:  <g8q8i5$s9g$2@ger.gmane.org> <3c1674c90808231713x47e42de5oa9fc2f2f244d2e74@mail.gmail.com> <9bbcef730808231741o5e765f3bh546475b28fe51f9b@mail.gmail.com>

On Sat, Aug 23, 2008 at 5:41 PM, Ivan Voras <ivoras@freebsd.org> wrote:
> 2008/8/24 Matthew Macy <mat.macy@gmail.com>:
>> On Sat, Aug 23, 2008 at 5:04 PM, Ivan Voras <ivoras@freebsd.org> wrote:
>>> I stumbled upon this Wikipedia page:
>>> http://en.wikipedia.org/wiki/Comparison_of_BSD_operating_systems#Security_features
>>> and it mentions NX bit is supported in FreeBSD. Is this true? Is it
>>> enabled by default?
>>
>> Yes. However, it is in the upper word so it only works with PAE or
>> amd64. "jemalloc" maps the heap NX and thread stacks are mapped NX.
>> The default process stack currently needs to be executable because
>> sigcode is placed at the start of the stack at the time of process
>> creation.
>
> Thanks!
>
> How useful is it without protecting the default stack? IIRC wasn't
> stack protection one of the main (marketed) bonuses for NX? (I'm
> thinking of the majority of currently popular server software like
> apache (preforked) and PostgreSQL...)

FreeBSD could certainly take better advantage of it. It also doesn't
help that the default process stack always starts at the same address.
However, SSP does mitigate some of the risk.

-Kip
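As an added check (not part of this thread or of FreeBSD), the probe below audits the three regions the reply names: it writes a single return instruction into a heap allocation, a thread-stack buffer and a main-stack buffer, calls each under a fault handler, and uses an explicit mmap as the control. The opcode bytes for x86 and aarch64 and the use of siglongjmp to recover from the fault are assumptions of this example; on the 2008 FreeBSD described above, the heap and thread stack would report NX and the main stack executable, while a current hardened host should report NX for all three.

```c
#define _DEFAULT_SOURCE
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Machine code for a bare "return" instruction (constructed for this probe). */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET_INSN[] = { 0xC3 };
#elif defined(__aarch64__)
static const unsigned char RET_INSN[] = { 0xC0, 0x03, 0x5F, 0xD6 };
#endif

static sigjmp_buf probe_env;
static void on_fault(int sig) { (void)sig; siglongjmp(probe_env, 1); }

/* Write "ret" into buf and call it: 1 = region executable, 0 = NX (faulted). */
int region_is_executable(void *buf)
{
    struct sigaction sa, old_segv, old_bus; void (*fn)(void); int executable;
    memcpy(buf, RET_INSN, sizeof RET_INSN);
    __builtin___clear_cache((char *)buf, (char *)buf + sizeof RET_INSN);
    memcpy(&fn, &buf, sizeof fn);            /* data pointer -> function pointer */
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(probe_env, 1) == 0) { fn(); executable = 1; } else executable = 0;
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return executable;
}

/* Control case: an anonymous mapping whose protection bits we choose. */
int mmap_is_executable(int prot)
{
    void *p = mmap(NULL, 4096, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int r = (p == MAP_FAILED) ? -1 : region_is_executable(p);
    if (p != MAP_FAILED) munmap(p, 4096);
    return r;
}

/* The three regions the mail discusses: heap, thread stack, main process stack. */
int heap_is_executable(void) { void *p = malloc(64); int r = region_is_executable(p); free(p); return r; }
int main_stack_is_executable(void) { unsigned char buf[64]; return region_is_executable(buf); }
static void *thread_probe(void *out) { unsigned char buf[64]; *(int *)out = region_is_executable(buf); return NULL; }
int thread_stack_is_executable(void)
{
    pthread_t t; int r = -1;
    if (pthread_create(&t, NULL, thread_probe, &r) == 0) pthread_join(t, NULL);
    return r;
}
```

Compare the result against the protection column of `procstat -v <pid>` on FreeBSD (or `/proc/<pid>/maps` on Linux) to confirm the kernel's view matches what actually executes.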
