Chapter 8: Advanced Linux Exploits
Non-Executable Memory Pages (Stacks and Heaps)
Early on, developers realized that program stacks and heaps should not be executable.
Further, user code should not be writable once placed in memory. Several implementations
have attempted to realize this dream.
The Page-eXec (PaX) patches attempt to provide execution control over the stack and
heap areas of memory by changing the way memory paging is done. Normally, a page
table entry (PTE) exists for keeping track of the pages of memory, alongside caching
mechanisms called the data and instruction translation look-aside buffers (TLBs). The TLBs store
recently accessed memory pages and are checked by the processor first when accessing
memory. If the TLB caches do not contain the requested memory page (a cache miss),
then the PTE is used to look up and access the memory page. The PaX patch implements
a set of state tables for the TLB caches and maintains whether a memory page is in read/
write mode or execute mode. As the memory pages transition from read/write mode
into execute mode, the patch intervenes, logs, then kills the process making this request.
PaX has two methods to implement non-executable pages. The SEGMEXEC method is
faster and more reliable, but splits the user space in half to accomplish its task.
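The policy stated at the start of this section (stacks and heaps not executable, user code not writable) can be audited from a process's memory map. The following is an added example, not code from the book or from the PaX project: it assumes the Linux `/proc/<pid>/maps` text format, the names `classify_line` and `audit_maps` are hypothetical, and the sample map is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: start-end perms offset dev inode pathname */
static const char SAMPLE_MAPS[] =
    "00400000-0040c000 r-xp 00000000 08:01 1311 /bin/demo\n"
    "0060b000-0060c000 rw-p 0000b000 08:01 1311 /bin/demo\n"
    "01a3e000-01a5f000 rw-p 00000000 00:00 0 [heap]\n"
    "7f2c1000-7f2c2000 rwxp 00000000 00:00 0 \n"
    "7ffd1000-7ffd3000 rwxp 00000000 00:00 0 [stack]\n";

enum { POLICY_OK = 0, EXEC_STACK_HEAP = 1, WRITABLE_CODE = 2 };

/* Classify one maps line; returns -1 if the line does not parse. */
int classify_line(const char *line)
{
    unsigned long start, end;
    char perms[5] = "", path[256] = "";
    /* The pathname is optional, so 3 or 4 converted fields are both valid. */
    int n = sscanf(line, "%lx-%lx %4s %*s %*s %*s %255s", &start, &end, perms, path);
    if (n < 3 || strlen(perms) != 4 || end <= start)
        return -1;
    int w = perms[1] == 'w', x = perms[2] == 'x';
    if (x && (!strcmp(path, "[stack]") || !strcmp(path, "[heap]")))
        return EXEC_STACK_HEAP;      /* stack or heap is executable */
    if (w && x)
        return WRITABLE_CODE;        /* executable memory is also writable */
    return POLICY_OK;
}

/* Walk a whole maps dump, print each violation, return the total count. */
int audit_maps(const char *text, int *exec_stack_heap, int *writable_code)
{
    char line[512];
    *exec_stack_heap = *writable_code = 0;
    while (*text) {
        size_t len = strcspn(text, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, text, n); line[n] = '\0';
        text += len + (text[len] == '\n');
        int c = classify_line(line);
        if (c == EXEC_STACK_HEAP) { ++*exec_stack_heap; printf("exec stack/heap: %s\n", line); }
        else if (c == WRITABLE_CODE) { ++*writable_code; printf("W+X mapping: %s\n", line); }
    }
    return *exec_stack_heap + *writable_code;
}

int main(void) { int sh, wx; return audit_maps(SAMPLE_MAPS, &sh, &wx) ? 1 : 0; }
```

On a live system, pass the contents of `/proc/<pid>/maps` to `audit_maps`; JIT runtimes may legitimately show writable and executable mappings, so treat those hits as items to review.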