Re: Preventing Pentium Deaths

Albert D. Cahalan (acahalan@cs.uml.edu)
Mon, 10 Nov 1997 23:32:24 -0500 (EST)


Michael Riepe writes:
> John Wyszynski wrote:

>> (3) scan the page for the magic opcodes, including
>> the edges of pages if instruction crosses passes it.
>
> You're missing the point. Scanning for the F0 0F C7 C8 sequence
> will not work - one can e.g. calculate it from other values:
>
> movl $0x3738f00f,%eax
> notl %eax
> movl %eax,some_variable
> ...
>
> is just one simple example where the "magic bytes" are not
> found by a memory scan. So why waste time?

It is not wasting time. Your example is harmless, because you
can't jump to the code you just created unless you have permission.
Every time a page enters the state "in RAM with exec permission"
the kernel can check.

Write+exec permission can be disabled. It is only used for
buffer overrun exploits, trampolines, crashme, and other junk.
Normal programs can run just fine. If that limit is too painful,
the kernel can automatically switch between rw- and r-x perms
whenever it gets an exception (checking the memory of course).

(true emulation would be too slow)

For future systems: binfmt_elf could refuse to execute user code.
Normal users must use Java or some approved script language.
This protects against all future CPU bugs.
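As an added example (my own code, not from this thread or from any kernel), here is the page-scan check the three messages argue about, in C: a small matcher for the F0 0F C7 C8 sequence that carries its state across chunk boundaries, so it catches John Wyszynski's page-edge case, alongside a demonstration of Michael Riepe's point that the instruction bytes themselves contain no such literal while the value they compute does once it is stored. The hand-encoded machine code and the store address 0x12345678 are my assumptions.

```c
#include <stddef.h>
#include <stdint.h>
/* The byte sequence discussed in the thread (lock cmpxchg8b %eax). */
static const uint8_t MAGIC[4] = { 0xF0, 0x0F, 0xC7, 0xC8 };
/* Match state carried between chunks, so a sequence split across a page edge is caught. */
typedef struct { int matched; } f00f_scanner;

/* Feed one page (or any chunk). Returns the offset in buf of the byte completing a
 * match, or -1. No proper prefix of MAGIC recurs inside it, so "restart on F0" is exact. */
long f00f_scan(f00f_scanner *s, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == MAGIC[s->matched]) {
            if (++s->matched == 4) { s->matched = 0; return (long)i; }
        } else {
            s->matched = (buf[i] == MAGIC[0]) ? 1 : 0;
        }
    }
    return -1;
}

/* Michael Riepe's three instructions, hand-encoded as 32-bit x86 machine code (the
 * store address 0x12345678 is a placeholder). A scan of this code page returns -1. */
long scan_instruction_bytes(void)
{
    static const uint8_t code[] = { 0xB8, 0x0F, 0xF0, 0x38, 0x37,   /* movl $0x3738f00f,%eax */
                                    0xF7, 0xD0,                     /* notl %eax */
                                    0xA3, 0x78, 0x56, 0x34, 0x12 }; /* movl %eax,0x12345678 */
    f00f_scanner s = { 0 };
    return f00f_scan(&s, code, sizeof code);
}

/* The value those instructions compute, stored little-endian as the CPU would,
 * is exactly F0 0F C7 C8: the scan matches at offset 3. */
long scan_computed_value(void)
{
    uint32_t v = ~0x3738f00fu; uint8_t mem[4];      /* v == 0xC8C70FF0 */
    for (int i = 0; i < 4; i++) mem[i] = (uint8_t)(v >> (8 * i));
    f00f_scanner s = { 0 };
    return f00f_scan(&s, mem, sizeof mem);
}

/* John Wyszynski's page-edge case: F0 0F ends one page and C7 C8 starts the next;
 * the carried state reports the match at offset 1 of the second page. */
long scan_across_pages(void)
{
    static const uint8_t page1[] = { 0x90, 0xF0, 0x0F }, page2[] = { 0xC7, 0xC8, 0x90 };
    f00f_scanner s = { 0 };
    if (f00f_scan(&s, page1, sizeof page1) != -1) return -2;   /* no match yet */
    return f00f_scan(&s, page2, sizeof page2);
}
```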