Hello,
I'm trying to implement non-executable memory on an old (=ARM9 I believe) ARM processor (one of TI's OMAPs).
The problem - the processor has no NX-bit or equivalent in it's MMU, or segment registers.
The possible solution - the processor has an MPU (memory protection unit), which allows the definition of 16 memory areas that can be restricted to be non-executable.
My question is - would it be possible to implement SEGMEXEC, or a similar protection scheme, on this sort of hardware?
Has anyone tried it?
SEGMEXEC, ARM and the MPU
2 posts
• Page 1 of 1
SEGMEXEC, ARM and the MPU
by Angelic Liar » Tue Nov 20, 2012 10:10 am
- Angelic Liar
- Posts: 1
- Joined: Tue Nov 20, 2012 9:42 am
Re: SEGMEXEC, ARM and the MPU
by PaX Team » Tue Nov 20, 2012 11:52 am
1. is there some reference manual online for this cpu?
2. SEGMEXEC relies on specific features of the x86 segmentation logic that i think arm doesn't have.
3. the original PAGEEXEC concept (TLB manipulation) may be feasible depending on how the TLB behaves on your particular cpu.
4. the regions could be used for non-exec pages but depending on the implementation details, you may have to venture into changing userland as well.
4.1 OpenBSD/ppc style 256MB regions: you can designate every other 256MB region as executable/non-executable and change userland binaries to map their code/data PT_LOAD segments 256MB apart and change ld.so so that it maps them into the correct region.
4.2 you can use the region registers as a sort of cache for the last used executable regions and make everything else non-executable. then you update this 'cache' on each (legit) non-exec page fault LRU style. this won't require userland changes but will cost you more performance although there're possibilities for optimization (kernel can be changed to make do with a single executable region, userland regions can cover more than a single page, etc).
2. SEGMEXEC relies on specific features of the x86 segmentation logic that i think arm doesn't have.
3. the original PAGEEXEC concept (TLB manipulation) may be feasible depending on how the TLB behaves on your particular cpu.
4. the regions could be used for non-exec pages but depending on the implementation details, you may have to venture into changing userland as well.
4.1 OpenBSD/ppc style 256MB regions: you can designate every other 256MB region as executable/non-executable and change userland binaries to map their code/data PT_LOAD segments 256MB apart and change ld.so so that it maps them into the correct region.
4.2 you can use the region registers as a sort of cache for the last used executable regions and make everything else non-executable. then you update this 'cache' on each (legit) non-exec page fault LRU style. this won't require userland changes but will cost you more performance although there're possibilities for optimization (kernel can be changed to make do with a single executable region, userland regions can cover more than a single page, etc).
- PaX Team
- Posts: 2310
- Joined: Mon Mar 18, 2002 4:35 pm
2 posts
• Page 1 of 1