How to force 32 bit XP SP2 to use NX bit on all non-code kernel addresses?
There is a WinHec 2004 presentation by AMD about it but
I didn’t get it while at WinHec and now I can’t find it on the WinHec web
site.
Thanks,
Dmitriy Budko, VMware
Dmitriy,
Not sure if you’re asking for how to enable NoExecute itself, or if it’s
something more subtle.
Enabling NX itself is done by adding
/pae /noexecute
to the boot.ini line that boots the kernel.
I would have thought that it’s necessary to do NX on the kernel space as
well as user space for this to be effective. If only user space is affected,
some kernel level functions would still be open to attack, and that’s
exactly what the goal is to eliminate.
Sorry if this is not what you were looking for.
–
Mats
-----Original Message-----
From: Dmitriy Budko [mailto:xxxxx@vmware.com]
Sent: Tuesday, May 11, 2004 3:57 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] AMD64 NX bit and 32 bit XP SP2

> How to force 32 bit XP SP2 to use NX bit on all non-code kernel addresses?
> There is a WinHec 2004 presentation by AMD about it but I didn’t get it while at WinHec and now I can’t find it on the WinHec web site.
> Thanks,
> Dmitriy Budko, VMware

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@3dlabs.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
Further searching finds this:
http://msdn.microsoft.com/security/productinfo/XPSP2/memoryprotection/execprotection.aspx
Which says:
– Begin –
Kernel Mode Execution Protection
Execution protection works the same for both user and kernel mode. Execution
protection for memory regions in kernel mode cannot be enabled or disabled
on a per-driver basis. On 32-bit versions of Windows, execution protection
is applied only to the stack by default. Note that this differs from 64-bit
versions of Windows where the stack, paged pool, and session pool have
execution protection applied.
An execution protection access violation in kernel-mode will result in a
Bugcheck 0xFC:
ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY.
– End –
I didn’t manage to find anything about the pool protection. Maybe someone
who’s been at MS at Winhec can help…
–
Mats
-----Original Message-----
From: xxxxx@3dlabs.com [mailto:xxxxx@3dlabs.com]
Sent: Tuesday, May 11, 2004 11:16 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] AMD64 NX bit and 32 bit XP SP2

> Dmitriy,
> Not sure if you’re asking for how to enable NoExecute itself, or if it’s something more subtle.
> Enabling NX itself is done by adding
> /pae /noexecute
> to the boot.ini line that boots the kernel.
> I would have thought that it’s necessary to do NX on the kernel space as well as user space for this to be effective. If only user space is affected, some kernel level functions would still be open to attack, and that’s exactly what the goal is to eliminate.
> Sorry if this is not what you were looking for.
> –
> Mats
Dmitriy Budko wrote:
How to force 32 bit XP SP2 to use NX bit on all non-code kernel addresses?
There’s an article about this on OSR Online:
http://www.osronline.com/article.cfm?article=288
Basically, you put the processor in PAE mode and set the NX bit.
Is that what you want to know? If not, can you further clarify your
question??
Peter
OSR
Peter,
I’m not sure if I understood the OP correctly, but I think he wanted to get
ALL kernel memory that is not directly supposed to be executable to be NX.
That would mean all memory that isn’t code, rather than just the stack. Not
sure if that can be done.
I posted a link to an MS page that explains that the Stack and no other data
storage is protected with NX. Not sure if there’s some registry or some such
that enables “NX on other bits”, or if it’s just not possible to do that.
Then of course, I may have misunderstood the original post…
–
Mats
-----Original Message-----
From: PeterGV [mailto:xxxxx@osr.com]
Sent: Tuesday, May 11, 2004 5:32 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] AMD64 NX bit and 32 bit XP SP2

> Dmitriy Budko wrote:
> > How to force 32 bit XP SP2 to use NX bit on all non-code kernel addresses?
>
> There’s an article about this on OSR Online:
> http://www.osronline.com/article.cfm?article=288
> Basically, you put the processor in PAE mode and set the NX bit.
> Is that what you want to know? If not, can you further clarify your question??
> Peter
> OSR
> From: xxxxx@3Dlabs.com [mailto:xxxxx@3Dlabs.com]
> Further searching finds this:
> http://msdn.microsoft.com/security/productinfo/XPSP2/memoryprotection/execprotection.aspx
> Which says:
> – Begin –
> Kernel Mode Execution Protection
> Execution protection works the same for both user and kernel mode. Execution protection for memory regions in kernel mode cannot be enabled or disabled on a per-driver basis. On 32-bit versions of Windows, execution protection is applied only to the stack by default. Note that this differs from 64-bit versions of Windows where the stack, paged pool, and session pool have execution protection applied.
> An execution protection access violation in kernel-mode will result in a Bugcheck 0xFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY.
> – End –
So by default only kernel stacks are not executable. Is there a non-default setup to enable execution protection to other kernel memory: pools, data sections of drivers, addresses returned by MmGetSystemAddressForMdlSafe() and MmMapXXX() functions?
Dmitriy Budko, VMware
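The two mechanisms the thread turns on, Peter's "put the processor in PAE mode and set the NX bit" and the per-region default policy quoted from the Microsoft page (stack only on 32-bit; stack, paged pool and session pool on 64-bit), can be modelled in a few lines of C. The block below is an added illustration written for this page; it is not code from the thread, from Microsoft or from Windows. It encodes why PAE is a prerequisite (a legacy 32-bit PTE has no bit 63 to set), how EFER.NXE gates the bit, and which kernel regions would raise the 0xFC bugcheck on an instruction fetch under the stated defaults. The physical address is a constructed placeholder, and the regions the Microsoft text does not mention (code, nonpaged pool, driver data, MDL mappings) are treated as executable purely as an assumption for the model, which is exactly the gap Dmitriy is asking about.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* PAE / long-mode page-table entry bits (Intel SDM vol. 3A, AMD APM vol. 2). */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_WRITE     (1ULL << 1)
#define PTE_USER      (1ULL << 2)
#define PTE_NX        (1ULL << 63)               /* execute-disable (Intel XD, AMD NX) */
#define PTE_PFN_MASK  0x000FFFFFFFFFF000ULL     /* physical page frame, bits 12..51 */

#define EFER_NXE      (1ULL << 11)               /* IA32_EFER (MSR 0xC0000080) bit 11 */

typedef uint64_t pae_pte_t;      /* PAE entries are 64 bits wide: bit 63 exists     */
typedef uint32_t legacy_pte_t;   /* non-PAE 32-bit paging: 32 bits wide, no NX bit  */

enum fetch_result {
    FETCH_OK,             /* instruction fetch allowed                         */
    FETCH_NOT_PRESENT,    /* #PF with P=0                                      */
    FETCH_NX_VIOLATION,   /* #PF with I/D=1: NX set and EFER.NXE enabled       */
    FETCH_RESERVED_BIT    /* #PF with RSVD=1: bit 63 set while EFER.NXE is off */
};

/* Build a PAE PTE for a 4 KiB page at physical address paddr. */
static pae_pte_t pae_pte_make(uint64_t paddr, bool writable, bool user, bool nx)
{
    pae_pte_t pte = PTE_PRESENT | (paddr & PTE_PFN_MASK);
    if (writable) pte |= PTE_WRITE;
    if (user)     pte |= PTE_USER;
    if (nx)       pte |= PTE_NX;
    return pte;
}

/* What the MMU does on an instruction fetch through a PAE PTE. */
static enum fetch_result pae_fetch(pae_pte_t pte, uint64_t efer)
{
    if (!(pte & PTE_PRESENT))
        return FETCH_NOT_PRESENT;
    if (pte & PTE_NX)
        return (efer & EFER_NXE) ? FETCH_NX_VIOLATION : FETCH_RESERVED_BIT;
    return FETCH_OK;
}

/* The same fetch through a legacy 32-bit PTE: there is no bit that can refuse it. */
static enum fetch_result legacy_fetch(legacy_pte_t pte)
{
    return (pte & 1u) ? FETCH_OK : FETCH_NOT_PRESENT;
}

/* Kernel-mode regions named in the thread.  Default NX policy as stated on the
 * Microsoft page quoted above: 32-bit Windows marks only the kernel stack NX;
 * 64-bit Windows also marks paged pool and session pool NX.  Regions that page
 * does not list are left executable here as an assumption of this model. */
enum kregion { KR_CODE, KR_STACK, KR_PAGED_POOL, KR_SESSION_POOL,
               KR_NONPAGED_POOL, KR_DRIVER_DATA, KR_MDL_MAPPING };

static bool default_kernel_nx(enum kregion r, bool x64)
{
    switch (r) {
    case KR_STACK:        return true;
    case KR_PAGED_POOL:
    case KR_SESSION_POOL: return x64;
    default:              return false;
    }
}

/* Outcome of a kernel-mode instruction fetch from region r under the default
 * policy: 0 if it runs, 0xFC (ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY) if the NX
 * fault is taken.  0x12345000 is a constructed placeholder physical address. */
static unsigned kernel_fetch_bugcheck(enum kregion r, bool x64, uint64_t efer)
{
    pae_pte_t pte = pae_pte_make(0x12345000ULL, r != KR_CODE, false,
                                 default_kernel_nx(r, x64));
    return pae_fetch(pte, efer) == FETCH_NX_VIOLATION ? 0xFCu : 0u;
}

int main(void)
{
    static const char *names[] = { "code", "stack", "paged pool", "session pool",
                                   "nonpaged pool", "driver data", "MDL mapping" };
    printf("%-14s %-6s %-6s\n", "region", "x86", "x64");
    for (int r = KR_CODE; r <= KR_MDL_MAPPING; r++)
        printf("%-14s 0x%02X   0x%02X\n", names[r],
               kernel_fetch_bugcheck((enum kregion)r, false, EFER_NXE),
               kernel_fetch_bugcheck((enum kregion)r, true,  EFER_NXE));
    /* Without PAE there is nothing to set: a present legacy PTE always fetches. */
    printf("legacy 32-bit PTE fetch: %s\n",
           legacy_fetch(0x00001003u) == FETCH_OK ? "executes" : "faults");
    return 0;
}
```

The table main() prints is the answer to Dmitriy's question in miniature: on x86 only the stack row shows 0xFC, on x64 the two pool rows join it, and nothing in the quoted text gives a switch that changes the other rows. Note also the FETCH_RESERVED_BIT case: setting bit 63 without EFER.NXE does not silently make a page non-executable, it makes the entry invalid.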
[snip]
> So by default only kernel stacks are not executable. Is there a non-default setup to enable execution protection to other kernel memory: pools, data sections of drivers, addresses returned by MmGetSystemAddressForMdlSafe() and MmMapXXX() functions?
As far as I could find on MS web-site, there’s no way to enable this. I may
well be wrong, but that’s what I could find. I don’t know what you’d find if
you do “strings” on the kernel/hal (or whichever parts it is) to see if
there’s any Memory Management registry entries that seem particularly useful
to do this, but as far as I could find, there wasn’t much documentation on
the MS web-site.
–
Mats [hoping that he doesn’t get shot down for suggesting reverse
engineering].