FreeBSD x86 vs x86-64 Questions about Security

Astrodog astrodog at gmail.com
Fri Feb 11 06:59:39 PST 2005


On Fri, 11 Feb 2005 09:30:34 -0500, Coleman Kane <zombyfork at gmail.com> wrote:
> Hi Jimmy.
> 
> 
> On Fri, 11 Feb 2005 07:54:05 +0000, Jimmy <freebsd at oranged.to> wrote:
> > Hello,
> >
> > I am interested to know several questions..
> >
> > - Currently I am using FreeBSD x86-64 I have compiled the majority of my
> > applications up using the right compiler flags to support the 64bit OS.
> > Is there any way within the Operating system that I can turn off 32bit
> > support?
> 
> You should be able to remove COMPAT_IA32 from your kernel config.
> 
> >
> > - Are applications that have been compiled for the amd-64 platform still
> > vulnerable to x86 style attacks because of the backwards compatibility
> > mode? (eg remote buffer overflows in say.. openssh?).
> >
> 
> AMD64 has a per-page NX (non-executable) bit, I however am not aware
> if FreeBSD uses this in the code pages.
> 
> --coleman
> 
> > Thanks
> >
> > J
> > _______________________________________________
> > freebsd-amd64 at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-amd64
> > To unsubscribe, send any mail to "freebsd-amd64-unsubscribe at freebsd.org"
> >

I think that FreeBSD-AMD64 will not be affected directly, in that
shellcode written for i386 won't work anymore. However, the security
flaw would still exist, so there's still a threat, it's just one
script-kiddies won't catch. The i386 compat layer won't allow
vulnerable i386 shellcode to run from within an AMD64 application,
since the ELF detection that makes COMPAT_IA32 work wouldn't kick in.
i386-compiled applications could still, theoretically, be exploited
with i386 shellcode though. However, AMD64 applications would not
execute the shellcode, or, rather, wouldn't actually be able to,
they'd just crash.

--- Harrison Grundy

