W^X
Encyclopedia
W^X is the name of a security
feature present in the OpenBSD
operating system
. It is a memory protection policy whereby every page
in a process' address space
is either writable or executable, but not both simultaneously (the name comes from the XOR Boolean
operator). W^X does not prevent these permissions from being requested by applications, write and executable permissions are not used as a matter of policy. The OpenBSD base system has been modified to comply with it. This alleviates some buffer overflow
attacks, including the most common stack-based attack: by ensuring that the stack is not executable, arbitrary code injected into it will not execute but instead cause the program to terminate. W^X first appeared in OpenBSD 3.3, released May 2003. Similar features are available for other operating systems, including the PaX
and Exec Shield
patches for Linux
, and NetBSD
4+'s implementation of PaX.
W^X is relatively simple on processor
s which support fine-grained page permissions, such as Sun
's SPARC
and SPARC64, AMD's AMD64, Hewlett-Packard
's PA-RISC
, and HP's (originally Digital Equipment Corporation
's) Alpha
; some early Intel 64 processors lacked the NX bit
required for W^X, but this appeared in later chips. On processors with more limited features, such as the Intel i386, W^X requires using the CS code segment limit as a "line in the sand," a point in the address space above which execution is not permitted and data is located, and below which it is allowed and executable pages are placed. On all platforms, linker changes were required to separate code (such as trampoline
s and other code needed for linker and library
runtime
functions) and data.
Computer insecurity
Computer insecurity refers to the concept that a computer system is always vulnerable to attack, and that this fact creates a constant battle between those looking to improve security, and those looking to circumvent security.-Security and systems design:...
feature present in the OpenBSD
OpenBSD
OpenBSD is a Unix-like computer operating system descended from Berkeley Software Distribution , a Unix derivative developed at the University of California, Berkeley. It was forked from NetBSD by project leader Theo de Raadt in late 1995...
operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
. It is a memory protection policy whereby every page
Paging
In computer operating systems, paging is one of the memory-management schemes by which a computer can store and retrieve data from secondary storage for use in main memory. In the paging memory-management scheme, the operating system retrieves data from secondary storage in same-size blocks called...
in a process' address space
Address space
In computing, an address space defines a range of discrete addresses, each of which may correspond to a network host, peripheral device, disk sector, a memory cell or other logical or physical entity.- Overview :...
is either writable or executable, but not both simultaneously (the name comes from the XOR Boolean
Boolean logic
Boolean algebra is a logical calculus of truth values, developed by George Boole in the 1840s. It resembles the algebra of real numbers, but with the numeric operations of multiplication xy, addition x + y, and negation −x replaced by the respective logical operations of...
operator). W^X does not prevent these permissions from being requested by applications, write and executable permissions are not used as a matter of policy. The OpenBSD base system has been modified to comply with it. This alleviates some buffer overflow
Buffer overflow
In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety....
attacks, including the most common stack-based attack: by ensuring that the stack is not executable, arbitrary code injected into it will not execute but instead cause the program to terminate. W^X first appeared in OpenBSD 3.3, released May 2003. Similar features are available for other operating systems, including the PaX
PaX
PaX is a patch for the Linux kernel that implements least privilege protections for memory pages. The least-privilege approach allows computer programs to do only what they have to do in order to be able to execute properly, and nothing more. PaX was first released in 2000.PaX flags data memory as...
and Exec Shield
Exec Shield
Exec Shield is a project started at Red Hat, Inc in late 2002 with the aim of reducing the risk of worm or other automated remote attacks on Linux systems. The first result of the project was a security patch for the Linux kernel that emulates an NX bit on x86 CPUs that lack a native NX...
patches for Linux
Linux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
, and NetBSD
NetBSD
NetBSD is a freely available open source version of the Berkeley Software Distribution Unix operating system. It was the second open source BSD descendant to be formally released, after 386BSD, and continues to be actively developed. The NetBSD project is primarily focused on high quality design,...
4+'s implementation of PaX.
W^X is relatively simple on processor
Central processing unit
The central processing unit is the portion of a computer system that carries out the instructions of a computer program, to perform the basic arithmetical, logical, and input/output operations of the system. The CPU plays a role somewhat analogous to the brain in the computer. The term has been in...
s which support fine-grained page permissions, such as Sun
Sun Microsystems
Sun Microsystems, Inc. was a company that sold :computers, computer components, :computer software, and :information technology services. Sun was founded on February 24, 1982...
's SPARC
SPARC
SPARC is a RISC instruction set architecture developed by Sun Microsystems and introduced in mid-1987....
and SPARC64, AMD's AMD64, Hewlett-Packard
Hewlett-Packard
Hewlett-Packard Company or HP is an American multinational information technology corporation headquartered in Palo Alto, California, USA that provides products, technologies, softwares, solutions and services to consumers, small- and medium-sized businesses and large enterprises, including...
's PA-RISC
PA-RISC
PA-RISC is an instruction set architecture developed by Hewlett-Packard. As the name implies, it is a reduced instruction set computer architecture, where the PA stands for Precision Architecture...
, and HP's (originally Digital Equipment Corporation
Digital Equipment Corporation
Digital Equipment Corporation was a major American company in the computer industry and a leading vendor of computer systems, software and peripherals from the 1960s to the 1990s...
's) Alpha
DEC Alpha
Alpha, originally known as Alpha AXP, is a 64-bit reduced instruction set computer instruction set architecture developed by Digital Equipment Corporation , designed to replace the 32-bit VAX complex instruction set computer ISA and its implementations. Alpha was implemented in microprocessors...
; some early Intel 64 processors lacked the NX bit
NX bit
The NX bit, which stands for No eXecute, is a technology used in CPUs to segregate areas of memory for use by either storage of processor instructions or for storage of data, a feature normally only found in Harvard architecture processors...
required for W^X, but this appeared in later chips. On processors with more limited features, such as the Intel i386, W^X requires using the CS code segment limit as a "line in the sand," a point in the address space above which execution is not permitted and data is located, and below which it is allowed and executable pages are placed. On all platforms, linker changes were required to separate code (such as trampoline
Trampoline (computers)
In computer programming, the word trampoline has a number of meanings, and is generally associated with jumps .- Low Level Programming :...
s and other code needed for linker and library
Library (computer science)
In computer science, a library is a collection of resources used to develop software. These may include pre-written code and subroutines, classes, values or type specifications....
runtime
Run-time system
A run-time system is a software component designed to support the execution of computer programs written in some computer language...
functions) and data.