[Info-vax] Malware in kernel mode

Paul Sture nospam at sture.ch
Sat Sep 27 05:01:34 EDT 2014


On 2014-09-26, Stephen Hoffman <seaohveh at hoffmanlabs.invalid> wrote:
> On 2014-09-26 14:25:00 +0000, Paul Sture said:
>
>> Alpha and Itanium got an honourable mention in the OmniUnpack paper...
>
> <http://www.acsa-admin.org/2007/papers/151.pdf>
>
>> (PDF page 5)
>> "Many hardware architectures (e.g., Intel IA-64, Sun Sparc, Alpha)
>> offer facilities to enforce the W ⊕ X policy through support for read,
>> write, and execute permissions at the page level. Unfortunately, the
>> architecture targeted by the vast majority of malicious programs (Intel
>> IA-32) lacks such facilities."
>
> That reference apparently pre-dates the NX no-execute / XD
> execute-disable support available in x86-64.
> <http://en.wikipedia.org/wiki/NX_bit>

<https://en.wikipedia.org/wiki/AMD64#History_of_AMD64>

"The first AMD64-based processor, the Opteron, was released in April 2003."

And support for the NX bit was arriving in various operating systems pretty
quickly after that.

But back to the NX-bit Wiki:

<https://en.wikipedia.org/wiki/NX_bit#Windows>

"In the API, runtime access to the NX bit is exposed through the Win32 API
calls... 

On pre-NX CPUs, the presence of the 'executable' attribute has no effect.
It was documented as if it did function, and, as a result, most
programmers used it properly.

In the PE file format, each section can specify its executability. The
execution flag has existed since the beginning of the format; standard
linkers have always used this flag correctly, even long before the NX bit.

Because of these things, Windows is able to enforce the NX bit on old
programs. Assuming the programmer complied with "best practices",
applications should work correctly now that NX is actually enforced. Only
in a few cases have there been problems; Microsoft's own .NET Runtime had
problems with the NX bit and was updated."

So it was there all along in Windows, and even for programs which predate
it...

Conclusion #1 In practice the NX-bit doesn't do much good
Conclusion #2 (referring to the OmniUnpack paper above) the more academic
              papers I read the less I am impressed by the content and
              accuracy of the genre; the "Peer review process" we have
              heard much about during discussions of a certain non-IT
              subject frequently in the news isn't standing up to
              scrutiny either.

-- 
A quick recap of Thursday 25th September 2014:
http://pbs.twimg.com/media/ByZfyyXIQAAXTai.jpg
Happy Thursday!
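As an added example that is not part of the post or of the Wikipedia text it quotes: the quoted passage says that each PE section carries its own executability flag and that Windows enforces NX from those flags on old binaries too. The Python below reads exactly those headers from an image and reports, per section, the read/write/execute characteristics, flagging any section that is both writable and executable (a W ⊕ X violation of the kind the OmniUnpack quote describes). It also reads the NX_COMPAT bit in the optional header's DllCharacteristics field, a real PE flag the post does not mention. The sample image is constructed inline as headers only (no code, not loadable); `build_minimal_pe` and `audit_pe` are names chosen here, not a library API.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (PE/COFF specification)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bit: image declares NX compatibility
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100

SECTION_HDR = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER
COFF_HDR = "<HHIIIHH"          # 20-byte IMAGE_FILE_HEADER


def build_minimal_pe(sections, nx_compat=True):
    """Constructed sample: a headers-only PE32+ image containing the given
    (name, characteristics) sections. Enough for header parsing; it is not a
    loadable executable."""
    opt_size = 240  # size of a PE32+ optional header
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew points at "PE\0\0"
    coff = struct.pack(COFF_HDR, 0x8664, len(sections), 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_NX_COMPAT if nx_compat else 0)
    hdrs = b"".join(
        struct.pack(SECTION_HDR, name.encode("ascii").ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


def audit_pe(image):
    """Parse DOS/COFF/optional/section headers; report per-section R/W/X,
    W+X violations and whether the image declares NX_COMPAT."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, image, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers
    dll_chars = struct.unpack_from("<H", image, opt_off + 70)[0]
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        fields = struct.unpack_from(SECTION_HDR, image, sec_off + 40 * i)
        raw_name, chars = fields[0], fields[-1]
        w = bool(chars & IMAGE_SCN_MEM_WRITE)
        x = bool(chars & IMAGE_SCN_MEM_EXECUTE)
        sections.append({
            "name": raw_name.rstrip(b"\0").decode("ascii", "replace"),
            "readable": bool(chars & IMAGE_SCN_MEM_READ),
            "writable": w,
            "executable": x,
            "wx_violation": w and x,  # writable AND executable breaks W xor X
        })
    return {
        "pe32plus": magic == 0x20B,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "sections": sections,
        "wx_sections": [s["name"] for s in sections if s["wx_violation"]],
    }


if __name__ == "__main__":
    R, W, X = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE
    # Constructed sample: a normal code section, a normal data section,
    # and one section that a linker would never emit by default.
    sample = build_minimal_pe([(".text", R | X), (".data", R | W), (".rwx", R | W | X)])
    report = audit_pe(sample)
    print("NX_COMPAT declared:", report["nx_compat"])
    for s in report["sections"]:
        perms = "".join(c if s[k] else "-" for c, k in
                        (("r", "readable"), ("w", "writable"), ("x", "executable")))
        print(f"  {s['name']:<8} {perms}{'  <-- W+X section' if s['wx_violation'] else ''}")
```

Run against a real file by replacing `sample` with `open(path, "rb").read()`; a section that shows up as both writable and executable is the first thing to look at when a binary misbehaves under NX enforcement, and an image without NX_COMPAT is one the loader may treat more leniently.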