Researcher: Hardware “No-Execute” Zone Is No Big Security Deal

Both Intel and AMD have touted the notion, which essentially means setting some areas of memory as off-bounds to prevent worms and other malicious code from inserting functions into memory and executing them. But one researcher says the scheme won’t stop all attacks.
The no-execute feature folded into the newest processors to ward off malicious attacks isn't the panacea that many users think it is, a security researcher at the Black Hat conference claimed in his presentation Wednesday. Such perceptions aren't necessarily being stoked by chipmakers Intel and AMD themselves, but users are picking them up anyway, often from media reports.

AMD calls the feature "Enhanced Virus Protection" (EVP) and Intel calls it eXecute Disable (or XD). More generically, it's known as NX, for No eXecute. Essentially, it's a way to specify protected portions of memory so that processor instructions can't execute there. The idea behind setting some areas of memory as off-bounds is to prevent worms and other malicious code from inserting functions into memory and executing them.
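To make the mechanism concrete, the following C program is an added illustration (not code from the article, Intel, AMD or Microsoft): it maps a page, writes a tiny "return 42" routine into it, and calls it once without execute permission, where an NX-enforcing CPU and OS fault, and once with it. It assumes Linux on x86-64 or AArch64; the machine-code bytes are a constructed test routine.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed machine code for "return 42", selected per architecture. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char kRet42[] = {0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3};            /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char kRet42[] = {0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6}; /* mov w0,#42 ; ret */
#else
#error "unsupported architecture"
#endif

static sigjmp_buf g_env;
static void on_fault(int sig) { (void)sig; siglongjmp(g_env, 1); }

/* Copy the routine into a fresh page, set its final protection to `prot`, then call it.
 * Returns 1 if the code actually ran and returned 42, 0 if the CPU faulted, -1 on setup error. */
int probe_exec(int prot)
{
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *buf = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return -1;
    memcpy(buf, kRet42, sizeof kRet42);                                  /* write while the page is RW */
    __builtin___clear_cache((char *)buf, (char *)buf + sizeof kRet42);   /* needed on AArch64 */
    if (mprotect(buf, page, prot) != 0) { munmap(buf, page); return -1; }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int ran = 0;
    if (sigsetjmp(g_env, 1) == 0) {          /* first pass: attempt the call */
        int (*fn)(void);
        memcpy(&fn, &buf, sizeof fn);        /* object pointer -> function pointer without a cast warning */
        ran = (fn() == 42);
    }                                        /* on fault, siglongjmp lands here with ran still 0 */
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(buf, page);
    return ran;
}

int main(void)
{
    printf("RW page (NX): %s\n", probe_exec(PROT_READ | PROT_WRITE) == 1 ? "executed" : "blocked");
    printf("RX page:      %s\n", probe_exec(PROT_READ | PROT_EXEC) == 1 ? "executed" : "blocked");
    return 0;
}
```

On a machine where NX/DEP is active the first line reads "blocked" and the second "executed"; a machine that prints "executed" for both is running data pages as code.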

AMD has touted EVP within its 64-bit Athlon processors as a security technology that lets "you enjoy peace of mind." But chip vendors haven't portrayed NX as a panacea. AMD, for instance, calls EVP a "preventative measure" that won't prevent malicious code attacks, but will make them "localized, short-lived, and non-contagious."

Intel, meanwhile, takes a similar line, saying that the impact of future mass-mailed worms in the Slammer and MSBlast vein would be "substantially reduced" by XD.

The problem, said David Maynor, an engineer with Internet Security Systems' (ISS) X-Force research team, is that such caveats have been lost in the media reports about NX, which have over-simplified the technology's effectiveness. "Some claims of NX paint it as a silver bullet," said Maynor. "The hype is the NX stops all security exploits dead in their tracks, and that we don't have to worry about the next MSBlast."

That's simply untrue, said Maynor. NX won't stop all attacks that are aimed at exploiting a buffer overflow, the most commonly used tactic today for compromising a system. "I can still execute code on an NX-enabled machine," said Maynor. "It just requires a slightly more tricky technique."

A "return-to-libc attack," for instance, in which the return address on the stack is replaced by the address of another function, could be the basis for assaults on a non-executable memory stack, Maynor explained.

Attackers could also create fake stack frames to bypass the memory protection that NX provides, said Maynor. Such techniques aren't new; they've been explored by those wanting to exploit other no-execute-protected processors and operating systems in the Unix world, such as Sun's SPARC and Solaris OS.

"NX isn't designed to stop anything," said Maynor. "It's not been able to mitigate against security threats in Unix" and it won't do that for desktop operating systems like Windows.

Microsoft calls NX by yet another name, Data Execution Prevention, or DEP, in Windows XP SP2 and Windows Server 2003 SP1. Microsoft said the feature will also be enabled by default on critical Windows services in Windows Vista, which just entered Beta 1 testing this week.

"One of our goals is that although NX's limitations are known in the security world, they're not in corporate America," explained Maynor when asked why he was broadcasting NX's deficiencies. "They think it's going to be a silver bullet. It's just dangerous to rely on a single point of technology."

"At best, NX is a speed bump for intruders, not a stop sign," Maynor added.