NX bit

Last updated

The NX bit (no-execute) is a technology used in CPUs to segregate areas of memory for use by either storage of processor instructions (code) or for storage of data, a feature normally only found in Harvard architecture processors. However, the NX bit is being increasingly used in conventional von Neumann architecture processors for security reasons.

Contents

An operating system with support for the NX bit may mark certain areas of memory as non-executable. The processor will then refuse to execute any code residing in these areas of memory. The general technique, known as executable space protection, is used to prevent certain types of malicious software from taking over computers by inserting their code into another program's data storage area and running their own code from within this section; one class of such attacks is known as the buffer overflow attack.

Intel markets the feature as the XD bit (execute disable). Advanced Micro Devices (AMD) uses the marketing term Enhanced Virus Protection (EVP). The ARM architecture refers to the feature, which was introduced in ARMv6, as XN (execute never). [1] The term NX bit itself is sometimes used to describe similar technologies in other processors.

Architecture support

x86

x86 processors, since the 80286, included a similar capability implemented at the segment level. However, almost all operating systems for the 80386 and later x86 processors implement the flat memory model, so they cannot use this capability. There was no 'Executable' flag in the page table entry (page descriptor) in those processors, until, to make this capability available to operating systems using the flat memory model, AMD added a "no-execute" or NX bit to the page table entry in its AMD64 architecture, providing a mechanism that can control execution per page rather than per whole segment.

Intel implemented a similar feature in its Itanium (Merced) processorhaving IA-64 architecturein 2001, but did not bring it to the more popular x86 processor families (Pentium, Celeron, Xeon, etc.). In the x86 architecture it was first implemented by AMD, as the NX bit, for use by its AMD64 line of processors, such as the Athlon 64 and Opteron. [2]

After AMD's decision to include this functionality in its AMD64 instruction set, Intel implemented the similar XD bit feature in x86 processors beginning with the Pentium 4 processors based on later iterations of the Prescott core. [3] The NX bit specifically refers to bit number 63 (i.e. the most significant bit) of a 64-bit entry in the page table. If this bit is set to 0, then code can be executed from that page; if set to 1, code cannot be executed from that page, and anything residing there is assumed to be data. It is only available with the long mode (64-bit mode) and legacy Physical Address Extension (PAE) page-table formats, but not x86's original 32-bit page table format because page table entries in that format lack the 63rd bit used to disable and enable execution.

ARM

In ARMv6, a new page table entry format was introduced; it includes an "execute never" bit. [1] For ARMv8-A, VMSAv8-64 block and page descriptors, and VMSAv8-32 long-descriptor block and page descriptors, for stage 1 translations have "execute never" bits for both privileged and unprivileged modes, and block and page descriptors for stage 2 translations have a single "execute never" bit(two bits due to ARMv8.2-TTS2UXN feature); VMSAv8-32 short-descriptor translation table descriptors at level 1 have "execute never" bits for both privileged and unprivileged mode and at level 2 have a single "execute never" bit. [4]

Alpha

As of the Fourth Edition of the Alpha Architecture manual, DEC (now HP) Alpha has a Fault on Execute bit in page table entries with the OpenVMS, Tru64 UNIX, and Alpha Linux PALcode. [5]

SPARC

The SPARC Reference MMU for Sun SPARC version 8 has permission values of Read Only, Read/Write, Read/Execute, and Read/Write/Execute in page table entries, [6] although not all SPARC processors have a SPARC Reference MMU.

A SPARC version 9 MMU may provide, but is not required to provide, any combination of read/write/execute permissions. [7] A Translation Table Entry in a Translation Storage Buffer in Oracle SPARC Architecture 2011, Draft D1.0.0 has separate Executable and Writable bits. [8]

PowerPC/Power ISA

Page table entries for IBM PowerPC's hashed page tables have a no-execute page bit. [9] Page table entries for radix-tree page tables in the Power ISA have separate permission bits granting read/write and execute access. [10]

PA-RISC

Translation lookaside buffer (TLB) entries and page table entries in PA-RISC 1.1 and PA-RISC 2.0 support read-only, read/write, read/execute, and read/write/execute pages. [11] [12]

Itanium

TLB entries in Itanium support read-only, read/write, read/execute, and read/write/execute pages. [13]

z/Architecture

As of the twelfth edition of the z/Architecture Principles of Operation, z/Architecture processors may support the Instruction-Execution Protection facility, which adds a bit in page table entries that controls whether instructions from a given region, segment, or page can be executed. [14]

See also

Related Research Articles

Executable and Linkable Format Standard file format for executables, object code, shared libraries, and core dumps

In computing, the Executable and Linkable Format, is a common standard file format for executable files, object code, shared libraries, and core dumps. First published in the specification for the application binary interface (ABI) of the Unix operating system version named System V Release 4 (SVR4), and later in the Tool Interface Standard, it was quickly accepted among different vendors of Unix systems. In 1999, it was chosen as the standard binary file format for Unix and Unix-like systems on x86 processors by the 86open project.

Itanium is a family of 64-bit Intel microprocessors that implement the Intel Itanium architecture. Intel marketed the processors for enterprise servers and high-performance computing systems. The Itanium architecture originated at Hewlett-Packard (HP), and was later jointly developed by HP and Intel.

x86 Family of instruction set architectures

x86 is a family of instruction set architectures initially developed by Intel based on the Intel 8086 microprocessor and its 8088 variant. The 8086 was introduced in 1978 as a fully 16-bit extension of Intel's 8-bit 8080 microprocessor, with memory segmentation as a solution for addressing more memory than can be covered by a plain 16-bit address. The term "x86" came into being because the names of several successors to Intel's 8086 processor end in "86", including the 80186, 80286, 80386 and 80486 processors.

ARM, previously Advanced RISC Machine, originally Acorn RISC Machine, is a family of reduced instruction set computing (RISC) architectures for computer processors, configured for various environments. Arm Holdings develops the architecture and licenses it to other companies, who design their own products that implement one of those architectures‍—‌including systems-on-chips (SoC) and systems-on-modules (SoM) that incorporate memory, interfaces, radios, etc. It also designs cores that implement this instruction set and licenses these designs to a number of companies that incorporate those core designs into their own products.

IA-64 Intel Architecture, 64-bit

IA-64 is the instruction set architecture (ISA) of the Itanium family of 64-bit Intel microprocessors. The basic ISA specification originated at Hewlett-Packard (HP), and was evolved and then implemented in a new processor microarchitecture by Intel with HP's continued partnership and expertise on the underlying EPIC design concepts. In order to establish what was their first new ISA in 20 years and bring an entirely new product line to market, Intel made a massive investment in product definition, design, software development tools, OS, software industry partnerships, and marketing. To support this effort Intel created the largest design team in their history and a new marketing and industry enabling team completely separate from x86. The first Itanium processor, codenamed Merced, was released in 2001.

In computer architecture, 64-bit integers, memory addresses, or other data units are those that are 64 bits wide. Also, 64-bit CPU and ALU architectures are those that are based on registers, address buses, or data buses of that size. 64-bit microcomputers are computers in which 64-bit microprocessors are the norm. From the software perspective, 64-bit computing means the use of code with 64-bit virtual memory addresses. However, not all 64-bit instruction sets support full 64-bit virtual memory addresses; x86-64 and ARMv8, for example, support only 48 bits of virtual address, with the remaining 16 bits of the virtual address required to be all 0's or all 1's, and several 64-bit instruction sets support fewer than 64 bits of physical memory address.

Memory management unit Hardware translating virtual addresses to physical address

A memory management unit (MMU), sometimes called paged memory management unit (PMMU), is a computer hardware unit having all memory references passed through itself, primarily performing the translation of virtual memory addresses to physical addresses.

x86-64 Type of instruction set which is a 64-bit version of the x86 instruction set

x86-64 is the 64-bit version of the x86 instruction set. It introduces two new modes of operation, 64-bit mode and compatibility mode, along with a new 4-level paging mode. With 64-bit mode and the new paging mode, it supports vastly larger amounts of virtual memory and physical memory than is possible on its 32-bit predecessors, allowing programs to store larger amounts of data in memory. x86-64 also expands general-purpose registers to 64-bit, as well extends the number of them from 8 to 16, and provides numerous other enhancements. Floating point operations are supported via mandatory SSE2-like instructions, and x87/MMX style registers are generally not used ; instead, a set of 32 vector registers, 128 bits each, is used. In 64-bit mode, instructions are modified to support 64-bit operands and 64-bit addressing mode. The compatibility mode allows 16- and 32-bit user applications to run unmodified coexisting with 64-bit applications if the 64-bit operating system supports them. As the full x86 16-bit and 32-bit instruction sets remain implemented in hardware without any intervening emulation, these older executables can run with little or no performance penalty, while newer or modified applications can take advantage of new features of the processor design to achieve performance improvements. Also, a processor supporting x86-64 still powers on in real mode for full backward compatibility, as x86 processors have done since the 80286.

In computing, Physical Address Extension (PAE), sometimes referred to as Page Address Extension, is a memory management feature for the x86 architecture. PAE was first introduced by Intel in the Pentium Pro, and later by AMD in the Athlon processor. It defines a page table hierarchy of three levels (instead of two), with table entries of 64 bits each instead of 32, allowing these CPUs to directly access a physical address space larger than 4 gigabytes (232 bytes).

A processor register is a quickly accessible location available to a computer's central processing unit (CPU). Registers usually consist of a small amount of fast storage, although some registers have specific hardware functions, and may be read-only or write-only. In computer architecture, registers are typically addressed by mechanisms other than main memory, but may in some cases be assigned a memory address e.g. DEC PDP-10, ICT 1900.

Memory protection is a way to control memory access rights on a computer, and is a part of most modern instruction set architectures and operating systems. The main purpose of memory protection is to prevent a process from accessing memory that has not been allocated to it. This prevents a bug or malware within a process from affecting other processes, or the operating system itself. Protection may encompass all accesses to a specified area of memory, write accesses, or attempts to execute the contents of the area. An attempt to access unowned memory results in a hardware fault, called a segmentation fault or storage violation exception, generally causing abnormal termination of the offending process. Memory protection for computer security includes additional techniques such as address space layout randomization and executable space protection.

A translation lookaside buffer (TLB) is a memory cache that is used to reduce the time taken to access a user memory location. It is a part of the chip's memory-management unit (MMU). The TLB stores the recent translations of virtual memory to physical memory and can be called an address-translation cache. A TLB may reside between the CPU and the CPU cache, between CPU cache and the main memory or between the different levels of the multi-level cache. The majority of desktop, laptop, and server processors include one or more TLBs in the memory-management hardware, and it is nearly always present in any processor that utilizes paged or segmented virtual memory.

A CPU cache is a hardware cache used by the central processing unit (CPU) of a computer to reduce the average cost to access data from the main memory. A cache is a smaller, faster memory, located closer to a processor core, which stores copies of the data from frequently used main memory locations. Most CPUs have different independent caches, including instruction and data caches, where the data cache is usually organized as a hierarchy of more cache levels.

This article documents the hardware capabilities of CPUs implementing the x86 or x86-64 instruction sets with regards to hardware-assisted virtualization.

W^X is a security feature in operating systems and virtual machines. It is a memory protection policy whereby every page in a process's or kernel's address space may be either writable or executable, but not both. Without such protection, a program can write CPU instructions in an area of memory intended for data and then run those instructions. This can be dangerous if the writer of the memory is malicious. W^X is the Unix-like terminology for a strict use of the general concept of executable space protection, controlled via the mprotect system call.

Memory segmentation is a computer (primary) memory management technique of division of a computer's primary memory into segments or sections. In a computer system using segmentation, a reference to a memory location includes a value that identifies a segment and an offset within that segment. Segments or sections are also used in object files of compiled programs when they are linked together into a program image and when the image is loaded into memory.

In computer security, executable-space protection marks memory regions as non-executable, such that an attempt to execute machine code in these regions will cause an exception. It makes use of hardware features such as the NX bit, or in some cases software emulation of those features. However technologies that somehow emulate or supply an NX bit will usually impose a measurable overhead; while using a hardware-supplied NX bit imposes no measurable overhead.

Supervisor Mode Access Prevention (SMAP) is a feature of some CPU implementations such as the Intel Broadwell microarchitecture that allows supervisor mode programs to optionally set user-space memory mappings so that access to those mappings from supervisor mode will cause a trap. This makes it harder for malicious programs to "trick" the kernel into using instructions or data from a user-space program.

The following is a comparison of CPU microarchitectures.

References

  1. 1 2 "ARM Architecture Reference Manual" (PDF). ARM Limited. pp. B4-8,B4-27. Archived from the original (PDF) on 2009-02-06. APX and XN (execute never) bits have been added in VMSAv6 [Virtual Memory System Architecture]
  2. Ted Simpson; Jason Novak (24 May 2017). Hands on Virtual Computing. Cengage Learning. pp. 8–9. ISBN   978-1-337-10193-6.
  3. "Data Execution Prevention" (PDF). Hewlett Packard. 2005. Retrieved 2014-03-23.
  4. "ARM Architecture Reference Manual, ARMv8, for ARMv8-A architecture profile". ARM Limited. pp. D4-1779,D4-1780,D4-1781,G4-4042,G4-4043,G4-4044,G4-4054,G4-4055.
  5. Alpha Architecture Reference Manual (PDF) (Fourth ed.). Compaq Computer. January 2002. pp. 11-5,17-5,22-5.
  6. "The SPARC Architectural Manual, Version 8". SPARC International. p. 244.
  7. "The SPARC Architecture Manual, Version 9" (PDF). SPARC International. 1994. F.3.2 Attributes the MMU Associates with Each Mapping, p. 284. ISBN   0-13-825001-4. Archived from the original (PDF) on 2012-01-18.
  8. "Oracle SPARC Architecture 2011, Draft D1.0.0" (PDF). Oracle Corporation. January 12, 2016. p. 452.
  9. PowerPC Operating Environment Architecture Book III, Version 2.01. IBM. December 2003. p. 31.
  10. "Power ISA Version 3.0". IBM. November 30, 2015. p. 1003.
  11. "PA-RISC 1.1 Architecture and Instruction Set Reference Manual, Third Edition" (PDF). Hewlett-Packard. February 1994. p. 3-13. Archived from the original (PDF) on June 7, 2011.
  12. Gerry Kane. "PA-RISC 2.0 Architecture, Chapter 3: Addressing and Access Control" (PDF). Hewlett-Packard. p. 3-14.
  13. "Intel Itanium Architecture Software Developer's Manual, Volume 2: System Architecture, Revision 2.0". Intel. December 2001. p. 2:46.
  14. z/Architecture Principles of Operation (PDF). IBM. September 2017. p. 3-14.