What about ` -mindirect-branch=thunk -mindirect-branch-register `? <div><br></div><div>Thanks! Looks like NX is on by default<br><div><div><br></div><div>A quick search of the codebase doesn't find any mprotect() calls, so I'm assuming it's just the compiler flags defaulting to NX on for the main stack.</div><div><br></div><div>This answer helped me understand a bit more; I'll take a look at the issue tracker as well:</div><div><br></div><div><div>> From all of this we conclude that on at least some recent versions of Linux, the stacks (main and threads) will usually be marked as non-executable (i.e. NX bit set). However, if the executable code of the application, or some executable code somewhere in a DLL loaded by the application, contains a nested function or otherwise advertises a need for an executable stack, then all stacks in the application will be marked as executable (i.e. NX bit not set). In other words, a single loadable plugin or extension for an application may deactivate NX stack protection for all threads of the applications, simply by using a rarely used but legitimate and documented feature of GCC.</div><div><br></div><div>> There is no need to panic, though, because, as @tylerl points out, protection afforded by the NX bit is not that great. It will make some exploits more awkward for the least competent of attackers; but good attackers will not be impeded.</div></div><div><br></div><div><a href="https://security.stackexchange.com/a/47825">https://security.stackexchange.com/a/47825</a><br></div><div><br></div><div><br></div><div>So, a C extension with a nested function (e.g. a trampoline) causes the NX bit to be off?</div><div><br></div><div>retpoline is a trampoline approach *partially mitigating* the Spectre (but not Meltdown?) vulns, right? </div><div><br></div><div><a href="https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html">https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html</a><br></div><div><br></div><div>"What is a retpoline and how does it work?"<br></div><div><a href="https://stackoverflow.com/a/48099456">https://stackoverflow.com/a/48099456</a><br></div><div><br></div><div><div><a href="https://github.com/speed47/spectre-meltdown-checker/issues/119">https://github.com/speed47/spectre-meltdown-checker/issues/119</a><br></div><div><br></div><div>> mindirect-branch=thunk -mindirect-branch-register</div><div><br></div><div>Here's a helpful table of the 'Speculative execution exploit variants' discovered as of yet:</div><div><a href="https://en.wikipedia.org/wiki/Speculative_Store_Bypass#Speculative_execution_exploit_variants">https://en.wikipedia.org/wiki/Speculative_Store_Bypass#Speculative_execution_exploit_variants</a></div></div><div><br></div><div>Everything built - including the kernel - needs to be recompiled with new thunk switches, AFAIU? How can we tell whether a python binary or C extension has been rebuilt with which appropriate compiler flags?</div><div><br></div><div><br></div><div><br></div><div><br>On Tuesday, September 4, 2018, Mark E. Haase <<a href="mailto:mehaase@gmail.com" target="_blank">mehaase@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hey Wes, the checksec() function in PEDA that you cited has a standalone version as well:<div><br></div><div><a href="https://github.com/slimm609/checksec.sh" target="_blank">https://github.com/slimm609/ch<wbr>ecksec.sh</a><br></div><div><br></div><div>Running this on my Python (installed from Ubuntu package):</div><div><br></div><div><div>$ checksec --output json -f /usr/bin/python3.6 | python3 -m json.tool</div><div>{</div><div> "file": {</div><div> "relro": "partial",</div><div> "canary": "yes",</div><div> "nx": "yes",</div><div> "pie": "no",</div><div> "rpath": "no",</div><div> "runpath": "no",</div><div> "fortify_source": "yes",</div><div> "fortified": "17",</div><div> "fortify-able": "41",</div><div> "filename": "/usr/bin/python3.6"</div><div> }</div><div>}</div></div><div><br></div><div>My Python has pretty typical security mitigations. Most of these features are determined at compile time, so you can try compiling Python yourself with different compiler flags and see what other configurations are possible. Some mitigations hurt performance and others may be incompatible with Python itself. If you search on <a href="http://bugs.python.org" target="_blank">bugs.python.org</a> you'll find a few different issues on these topics.</div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Sep 3, 2018 at 3:01 AM Wes Turner <<a href="mailto:wes.turner@gmail.com" target="_blank">wes.turner@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div>Rationale</div><div>=========</div><div>- Separation of executable code and non-executable data is a good thing.</div><div>- Additional security in Python is a good idea.</div><div>- Python should support things like the NX bit to separate code and non-executable data.</div><div><br></div><div>Discussion</div><div>==========</div><div>How could Python implement support for the NX bit? (And/or additional modern security measures; as appropriate).</div><div><br></div><div>What sort of an API would C extensions need?</div><div><br></div><div>Would this be easier in PyPy or in CPython?</div><div><br></div><div>- <a href="https://en.wikipedia.org/wiki/NX_bit" target="_blank">https://en.wikipedia.org/wiki/<wbr>NX_bit</a></div><div>- <a href="https://en.wikipedia.org/wiki/Executable_space_protection" target="_blank">https://en.wikipedia.org/wiki/<wbr>Executable_space_protection</a></div><div><br></div><div>Here's one way to identify whether an executable supports NX:</div><div><a href="https://github.com/longld/peda/blob/e0eb0af4bcf3ee/peda.py#L2543" target="_blank">https://github.com/longld/peda<wbr>/blob/e0eb0af4bcf3ee/peda.py#<wbr>L2543</a></div></div></div>
______________________________<wbr>_________________<br>
Python-ideas mailing list<br>
<a href="mailto:Python-ideas@python.org" target="_blank">Python-ideas@python.org</a><br>
<a href="https://mail.python.org/mailman/listinfo/python-ideas" rel="noreferrer" target="_blank">https://mail.python.org/mailma<wbr>n/listinfo/python-ideas</a><br>
Code of Conduct: <a href="http://python.org/psf/codeofconduct/" rel="noreferrer" target="_blank">http://python.org/psf/codeofco<wbr>nduct/</a><br>
</blockquote></div>
</blockquote>
</div></div></div>