Buffer overflows that are part and parcel of applications that run on the Linux platform may not get the same attention as their Windows counterparts, but they exist and are just as dangerous. Hackers can use a worm to overflow a memory buffer and execute code of their choice.
Last week, code contributors to the
Red Hat developer Ingo Molnar submitted a patch to Linus Torvalds on June 2 that makes available the NX (no execute) technology for x86 systems. NX was developed by Advanced Micro Devices (AMD) for its AMD64 hardware. Intel, Transmeta Corp. and VIA Technologies Inc. also announced support for NX, which adds a no-execute bit to a CPU's memory area.
Microsoft has announced that it will also include support for NX in its upcoming Windows XP Service Pack 2, which is due this quarter.
"In a nutshell, this helps greatly reduce buffer overflows," said Keith Peer, president and CEO of Central Command Inc., Medina, Ohio, which specializes in Linux antivirus software. "This is pretty good news, it's going to slow down buffer overflows significantly."
Molnar wrote in a posting to kerneltrap.org that currently x86 CPUs default to zero in the PAE pagetable for compatibility reasons, making all pages executable by default.
"This property is often abused by exploits when they manage to inject hostile code into this memory, for example, via a buffer overflow," Molnar wrote. "If the NX feature is supported by the CPU, then the patched kernel turns on NX, and it will enforce user space executability constraints, such as a no-exec stack and no-exec mmap [memory map] and data areas. This means less chance for stack overflows and buffer-overflows to cause exploits."
Peer said buffer overflows exist in applications for Linux like OpenSSL and Sendmail, for example.
"They just don't get as much attention," he said. "Buffer overflows in Linux and Windows are relatively the same because of the way all software is written today, with no added protection against buffer overflows like NX. NX is a good step forward to prevent future buffer overflow [exploits]."
Molnar added that the patch he submitted also implements NX protection for kernel space code.
"Only the kernel code and modules are executable -- so even kernel-space overflows are harder [in some cases, impossible] to exploit. Here is how the kernel code that tries to execute off the stack is stopped," Molnar wrote.
Torvalds, meanwhile, suggested that because NX has relatively few compatibility issues and because it solves such a serious security problem, it should be turned on by default.
"It's a very simplistic fix, and you wonder why no one had done this years ago," Peer said. "It's a very simplistic approach and a very effective one."