CPU-Based Security: The NX Bit

Windows XP SP2 Stars AMD Antivirus Feature

It’s a nice irony that, after decades of trying to improve how quickly and efficiently CPUs can run code, the newest, most fashionable processor feature is the ability to not run code.

That’s an admittedly breezy description of “no execute” (NX) technology, a feature built into AMD’s Opteron and Athlon 64 processors and coming to Intel’s, Transmeta’s, and other desktop and notebook chips.

AMD refers to NX as Enhanced Virus Protection. Intel’s Itanium server CPUs already have it under a different pair of initials, XD for “execute disable.”

Microsoft calls it Data Execution Protection, and will flip the switch to make it a computer-buyer-checklist feature when it ships the security-focused Windows XP Service Pack 2 upgrade this July or August — although other platforms like Linux and Sun’s Sparc/Solaris have supported it for years.

Basically, NX uses processor hardware to discourage the kind of virus, worm, and Trojan Horse attacks seen in scourges such as Blaster, Sasser, and Code Red, which have cost companies billions of dollars in downtime and disinfectant chores.

Working with memory protection technology built into Windows XP SP2, it toughens the distinction between program and data areas in system memory — in other words, stops any attempt to insert and execute code from memory locations set aside for data.

Don’t Stuff the Buffer

Some legitimate programs, such as Java compilers that perform just-in-time code generation, execute instructions within data areas — and will have to be rewritten for Service Pack 2.

But the most common exploiters of x86 architecture’s porous program and data boundaries are applications (called, as a matter of fact, exploits) that perform buffer overrun attacks — one-two punches that first flood a program’s input area with more data than it’s designed to handle, then deliver a poisonous executable payload.

When the data buffer overflows — one early attack on Microsoft and Netscape e-mail clients involved sending message attachments with 256- rather than 255-character or shorter filenames — adjacent memory space beyond the data buffer gets corrupted or overwritten.

If this space is part of the program stack, the exploit can change the program’s execution path, sending new instructions that can take control of the system, deleting files, downloading more malicious code, or whatever. Hello, Blaster.

When it comes down to what software is allowed to do with any given page or area of memory, most CPU hardware doesn’t distinguish between permission to read data and permission to execute instructions.

AMD64 processors, however, support an extra flag or attribute to mark individual memory areas as nonexecutable — the NX bit in the page table entry (PTE) — when running in 64-bit or in 32-bit Physical Address Extension (PAE) mode.

The latter enables processors to address more than 4GB of memory, the normal ceiling for a 32-bit CPU, and its extra level of paging makes NX possible.

Microsoft says some 32-bit applications and drivers may stumble when running in PAE mode, but Service Pack 2 reduces the risk of incompatibility by making hardware-abstraction-layer changes that mimic “classic” 32-bit direct-memory-access (DMA) behavior.

Unlike today’s Windows, Win XP SP2 is alert for the status of the NX bit and will whistle a foul — or raise a “status access violation” exception — when code attempts to execute from a data page, terminating the process.

Microsoft admits that reporting a memory-access violation and causing the system to fail with a bugcheck is inelegant behavior, given that the company’s been striving for years to eliminate the blue screen of death, but says it beats letting malicious code run unchecked. For example, with NX in place, the MSBlaster worm would still have caused a denial-of-service (DoS) attack, but would have lost the ability to replicate and spread to other systems.

Software developers will be able to selectively disable execution protection for 32-bit applications, using a DisableNX fix in SP2’s compatibility toolkit, and end users will be able to switch the feature on and off for the entire system or for individual applications (like those Java compilers) via a new Control Panel dialog box, similar to those for SP2’s beefed-up firewall .

Get With the Program

As mentioned, AMD’s Athlon 64 and Opteron processors have had NX since their debut, though the extra bit won’t do anything on a Windows XP system until you obtain and install Service Pack 2.

Intel is expected to add NX (or XD) to the next generation of its 90-nanometer-process Pentium 4 “Prescott” CPUs — bundling the security enhancement with a larger 2MB Level 2 cache and perhaps a faster 1066MHz front-side bus — in the fourth quarter of this year.

Transmeta says it’s added NX support to its Efficeon chips scheduled to ship in mid-2004 and beyond, making them the first energy-efficient processors to take advantage of the worm-stomping power of Windows XP SP2.

The company didn’t have to change its hardware to implement the feature — it just tweaked the “Code Morphing” software layer that translates x86 instructions on the fly to Transmeta’s native very-long-instruction-word (VLIW) format.

And VIA Technologies promises that NX support will be part of its forthcoming C5J “Esther” core, the IBM-manufactured, 90-nanometer, silicon-on-insulator successor to today’s power-thrifty C3 processor; the C5J is planned to offer clock speeds up to 2GHz with a front-side bus up to 800MHz, but no ship date has been announced yet.

No one pretends that NX will stop all worms and viruses, but it should make it harder for them to spread or for hackers to hijack Web browsers and e-mail clients.

If Microsoft and CPU makers have been co-enablers in terms of Windows’ Swiss-cheese, automated-ActiveX-downloads, dream-of-user-convenience-become-nightmare-for-IT-security architecture, at least they’re taking a small step toward repairing the damage.