
PaX

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Bluefoxicy (talk | contribs) at 18:27, 18 May 2004. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

PaX is a security patch for Linux that guarantees that no pages will be marked both writable and executable. It does this either by using an NX (No-Execute) bit, which PAGEEXEC can emulate if the CPU doesn't have one, or by splitting the address space in half and mirroring all code across the split (SEGMEXEC), so that if the code is changed, the program dies. PaX also supplies full Address Space Layout Randomization to frustrate attacks that rely on already existing code.

Executable space protections

The major feature of PaX is the executable space protection it offers. These protections use the NX bit on processors that have one to prevent the execution of arbitrary code, which stops attacks that work by injecting code or shellcode. On processors without an NX bit, PaX can emulate one in various ways.

PAGEEXEC

PAGEEXEC uses or emulates an NX bit. On processors which do not support a hardware NX bit, each page is given an emulated NX bit; the method used to do this depends on the architecture of the CPU.

PAGEEXEC has the advantage of not cutting the address space in half: each task still gets a 3 GiB virtual address space rather than a 1.5/1.5 GiB split. However, when emulating, it is slower than SEGMEXEC, and it caused a severe performance penalty until the PaX release for Linux 2.6.5 on May 14, 2004 at 22:35 GMT.

SEGMEXEC

SEGMEXEC emulates the functionality of an NX bit by splitting the address space in half and mirroring the code across the two halves. When there is an instruction fetch, the fetch is translated across the split; if the code doesn't match, the program is killed.

SEGMEXEC cuts the task's virtual memory space in half. Under normal circumstances, programs get a 3 GiB wide virtual address space, into which physical memory is mapped. Under SEGMEXEC, this becomes a 1.5/1.5 GiB split, with the top half used for the mirroring. Despite this, it performs better than PAGEEXEC if you must emulate NX on IA-32 (x86) architectures.

Restricted mprotect()

PaX is supposed to guarantee that no memory is both writable and executable. One function, mprotect(), changes the permissions on a memory area. The Single UNIX Specification defines mprotect() with the following note in its description:

If an implementation cannot support the combination of access types specified by prot, the call to mprotect() shall fail.

The PaX implementation does not allow a memory page to have both PROT_WRITE and PROT_EXEC enabled when mprotect() restrictions are enabled for the task; any call to mprotect() that sets both (PROT_WRITE | PROT_EXEC) at the same time fails with EACCES (Permission denied).

Address space layout randomization

Shuffles the executable base, stack base, heap base, and mmap() (dynamic library) base around in memory, so that an attack relying on code at a known address succeeds only with some probability.

Randomized mmap() base

Shuffles libraries, mmap() memory, and the ET_DYN executable base around.

Randomized ET_EXEC base

Maps ET_EXEC executables in a way that allows them to be executed from a random position in memory. Sometimes raises false alarms.

History

The oldest documentation for PaX is that of the original PAGEEXEC implementation, dated November 16, 2000 18:00 GMT in the documentation directory. The documentation notes the following history:

 2000.08.06 initial document
 2000.10.01 pax/linux implementation was born
 2000.10.22 fixed minor inaccuracies
 2000.10.27 added copy-on-write issue
 2000.10.28 finished linux implementation description
 2000.11.05 fixed VM_IO handling, SysV IPC shared memory became NOEXEC
 2000.11.16 fixed race on page directory/table accesses

See also

  • PaX Homepage -- Hosted by the grsecurity project, but development is separate
  • Presentation on PaX -- Explains PaX in an organized, simplified manner. Compares PaX to OpenBSD's W^X as well