When the inevitable ARM macintosh comes out, do you think Apple will allow W+X pages on it or do you think they'll impose W^X and call it a "security feature"
4
3
28
Conversation
Replying to
Forgive my naivete, but shouldn't an application that needs to generate code at runtime make pages that are RW, write the code, then switch permissions to RX?
2
A strong implementation prevents dynamic code generation. On Linux, this is provided by SELinux. If a process doesn't have the execmem permission, it can't create W|X mappings or transition mappings that were writable to executable, including not being able to do rw -> r -> rx.
It also has to be applied to files or it can be trivially bypassed via file-based mappings, by mapping the same file as writable and as executable in separate mappings. Writing to the file and mapping it as executable would also work. Strong implementations cover storage too.
1
Not permitting applications to write to anything they can execute as native code forces all native code to come through the package manager. None of this places a technical restriction on interpreted code though. It also doesn't require that all code has to come from a store.
2
Show replies
Replying to
Can you speak more to the cases where preventing the use of execmem is an improvement to security?
Thinking maybe a situation where a vuln doesn't enable full RCE through some *OP variant, but allows enough memory corruption to change the flag to mprotect, and jmp to WX mem?
2
Or is this more about applications where generating native code from untrusted input, like a JS JIT, is the intended behavior and it's simply possible to abuse that mechanic due to sandbox failures or logic bugs in the JS engine?