[Python-ideas] Executable space protection: NX bit,

Gustavo Carneiro gjcarneiro at gmail.com
Mon Sep 3 08:10:26 EDT 2018


I'm not a security expert, but I believe the NX bit is a hardware
protection against a specific class of attack: buffer overflow attacks.

These attacks are possible because of the lack of safety in the C
programming language: it is very easy for a programmer to forget to check
the bounds of a receiving buffer properly, and sometimes data copied from
the network receives machine code.  Or the stack is overwritten with the
return address pointing to some machine code previously injected.

Python is intrinsically a safer programming language and requires no such
hardware protection.

At most, a C library used by a Python extension can still have such bugs,
but then again the OS already sets the NX bit for data segments anyway, so
Python doesn't need to do anything.

On Mon, 3 Sep 2018 at 08:00, Wes Turner <wes.turner at gmail.com> wrote:

> Rationale
> =========
> - Separation of executable code and non-executable data is a good thing.
> - Additional security in Python is a good idea.
> - Python should support things like the NX bit to separate code and
> non-executable data.
>
> Discussion
> ==========
> How could Python implement support for the NX bit? (And/or additional
> modern security measures; as appropriate).
>
> What sort of an API would C extensions need?
>
> Would this be easier in PyPy or in CPython?
>
> - https://en.wikipedia.org/wiki/NX_bit
> - https://en.wikipedia.org/wiki/Executable_space_protection
>
> Here's one way to identify whether an executable supports NX:
> https://github.com/longld/peda/blob/e0eb0af4bcf3ee/peda.py#L2543
> _______________________________________________
> Python-ideas mailing list
> Python-ideas at python.org
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/
>


-- 
Gustavo J. A. M. Carneiro
Gambit Research
"The universe is always one step beyond logic." -- Frank Herbert
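The peda check that Wes links to decides whether an ELF binary has NX by looking for a `GNU_STACK` program header marked `RWE` in the `readelf` output. The script below is an added example for this thread (it is not code from the thread, from peda or from CPython) that does the same classification by parsing the ELF program headers directly, and adds the runtime counterpart Gustavo alludes to: scanning `/proc/<pid>/maps` for mappings that are writable and executable at the same time. The `PT_GNU_STACK` and `PF_*` constants are the real ELF values; the ELF image and the maps text it runs on are constructed samples, not real binaries or a real process.

```python
"""Added example: two NX-related checks in plain Python.

  1. elf_stack_policy(data): does the ELF carry a PT_GNU_STACK header, and does
     it request an executable stack (PF_X set)?  This is what the linked peda
     check derives from `readelf -l`.
  2. rwx_mappings(maps_text): given the text of /proc/<pid>/maps, list mappings
     that are both writable and executable, i.e. memory the NX bit is not
     protecting.

The ELF bytes and the maps text used here are constructed test data.
"""
import struct

PT_GNU_STACK = 0x6474E551          # GNU extension: stack permissions request
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # segment flag bits


def _program_headers(data):
    """Yield (p_type, p_flags) for every program header in an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:  # ELFCLASS64: flags come right after p_type
        ehdr = struct.unpack_from(endian + "16sHHIQQQIHHHHHH", data, 0)
        phdr_fmt, type_idx, flags_idx = endian + "IIQQQQQQ", 0, 1
    elif ei_class == 1:  # ELFCLASS32: flags are the seventh field
        ehdr = struct.unpack_from(endian + "16sHHIIIIIHHHHHH", data, 0)
        phdr_fmt, type_idx, flags_idx = endian + "IIIIIIII", 0, 6
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        yield ph[type_idx], ph[flags_idx]


def elf_stack_policy(data):
    """Return 'nx' (non-executable stack requested), 'exec-stack' (PT_GNU_STACK
    present with PF_X, what peda reports as RWE) or 'unspecified' (no
    PT_GNU_STACK at all; the loader then applies its architecture default,
    which on older x86 kernels meant an executable stack)."""
    for p_type, p_flags in _program_headers(data):
        if p_type == PT_GNU_STACK:
            return "exec-stack" if p_flags & PF_X else "nx"
    return "unspecified"


def rwx_mappings(maps_text):
    """Return (address range, path) for every /proc/<pid>/maps line whose
    permission column contains both 'w' and 'x'."""
    found = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 2:
            continue
        addr, perms = fields[0], fields[1]
        if "w" in perms and "x" in perms:
            found.append((addr, fields[5] if len(fields) > 5 else ""))
    return found


def build_sample_elf64(stack_flags=None):
    """Construct a minimal little-endian ELF64 image (constructed test data).
    With stack_flags=None no program header is emitted; otherwise a single
    PT_GNU_STACK header carries the given flags."""
    ehdr_size, phdr_size = 64, 56
    phnum = 0 if stack_flags is None else 1
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", e_ident,
                       2, 0x3E, 1, 0,            # ET_EXEC, x86-64, version, entry
                       ehdr_size, 0, 0,          # phoff, shoff, flags
                       ehdr_size, phdr_size, phnum, 0, 0, 0)
    if stack_flags is None:
        return ehdr
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr


# Constructed /proc/<pid>/maps excerpt: one anonymous rwx region stands out.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/python3
00600000-00601000 rw-p 00000000 08:01 1234 /usr/bin/python3
7f0000000000-7f0000021000 rw-p 00000000 00:00 0 [heap]
7f0000100000-7f0000200000 rwxp 00000000 00:00 0 [anon:jit-region]
7ffd1000-7ffd2000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print(elf_stack_policy(build_sample_elf64(PF_R | PF_W)))         # nx
    print(elf_stack_policy(build_sample_elf64(PF_R | PF_W | PF_X)))  # exec-stack
    print(elf_stack_policy(build_sample_elf64()))                    # unspecified
    print(rwx_mappings(SAMPLE_MAPS))
```

On a real Linux host the same functions apply to `open(sys.executable, "rb").read()` and to `open("/proc/self/maps").read()`; an interpreter with no rwx mappings and an `nx` stack policy is the situation Gustavo describes, where the OS has already done the work and Python itself has nothing to set. A JIT such as PyPy's is the case to watch, since it needs memory that is at some point both written and executed.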