Why Was Intel a No-Show on No Execute?
Windows XP SP2 will include support for NX features in newer processors. Why only the newer ones? The CPU companies let us down on this.A big part of the brain surgery Microsoft is performing on Windows XP Service Pack 2 is support for new "NX" features in x86 processors. These features allow software (the Windows OS in this case) to mark certain areas of program memory as non-executable. Since a large number of remote attacksBlaster and Sasser, for examplerely on executing code from areas not intended to hold executable code, proper use of this feature should prevent a large percentage of attacks. The processor companies, and I suppose Intel in particular, are getting away a little easy on this. Its all hindsight, but why havent we had this feature for years? Buffer overflows have been a big problem for a long, long time, yet weve barely begun to see CPUs from the x86 world that implement the feature. According to Microsofts explanation of "Execution Protection," the companys name for NX support in Windows, the whole problem has to do with executing code out of areas of the program, basically the stack and heaps, that are reserved for data. This would generally be considered good software engineering practice anyway, but there are a few applications where it could present problems. For software that must manipulate code in a data area and then execute it, Microsoft provides a mechanism to mark the areas as executable.
The classic example, cited by Microsoft, is a just-in-time compiler, or JIT, most famous in the Java Virtual Machine (JVM). I asked Sun about it, and they said changes were made to the JVM for Version 1.5 to support NX and then they backported these changes to the latest 1.4.2_05 release, to be released this summer. Both the 32- and 64-bit VMs support NX.