0

W^X ("write xor execute", pronounced W xor X) is a security feature in operating systems and virtual machines. It is a memory protection policy whereby every page in a process's or kernel's address space may be either writable or executable, but not both.

My basic perspective on why this is a good security feature is that the owner of the system theoretically has an opportunity to, within the kernel, or specifically within the VirtualAlloc function, to hook some analysis function to perform some security validation before allowing newly written code to be executed on the machine.

I was already familiar with DEP, but only just now realizing it has something to do with W^X in Windows:

Executable space protection on Windows is called "Data Execution Prevention" (DEP). Under Windows XP or Server 2003 NX protection was used on critical Windows services exclusively by default. If the x86 processor supported this feature in hardware, then the NX features were turned on automatically in Windows XP/Server 2003 by default. If the feature was not supported by the x86 processor, then no protection was given. Early implementations of DEP provided no address space layout randomization (ASLR), which allowed potential return-to-libc attacks that could have been feasibly used to disable DEP during an attack.

It was my impression that W^X applied to Windows in general, without requiring configuration of the process. But I just noticed that VirtualProtect allows the option PAGE_EXECUTE_READWRITE, which is documented as:

Enables execute, read-only, or read/write access to the committed region of pages.

This seems to entirely defy the concept of W^X. So is W^X not an enforced security policy on Windows, except when DEP is enabled?

J.Todd
  • 707
  • 1
  • 12
  • 34
  • To understand it, it's better to think in terms of the underlying CPU capabilities. Windows has to offer an abstract interface with a combination of possible allowed operations per memory region but the CPU is allowed to permit a **superset** of these operations. For example, without the `NX` capabilities, an x86 CPU can't tell `read` from `execute` (since fetching instruction **is** reading), so `PAGE_EXECUTE_READWRITE` and `PAGE_READWRITE` became the same. Similarly, `PAGE_EXECUTE_READ` and `PAGE_EXECUTE` are the same because the x86 CPU doesn't support having a page executable ... – Margaret Bloom Sep 03 '22 at 14:15
  • ... but not readable (only the other way around) – Margaret Bloom Sep 03 '22 at 14:15
  • I assume "R^W" is a typo? It's generally not very useful to have memory that can only be written, not read even as part of a RMW. And x86 doesn't support it; there's no separate permission bit for reads. – Peter Cordes Sep 03 '22 at 14:47
  • @PeterCordes Yes, typo, fixed. – J.Todd Sep 03 '22 at 14:51

2 Answers2

2

If you turn DEP off, W^X is not enforced. When DEP is on, W^X is enforced by all memory pages that ask for it (when the hardware supports it). It is bit 63 in the page table on x86, known as the NX bit.

Now the question becomes, when is this bit set?

The PE header has a bit indicating if DEP/W^X is supported (IMAGE_DLLCHARACTERISTICS_NX_COMPAT) and if so, the code sections in the file without the write attribute gets the NX bit set when that code is mapped into memory.

For memory dynamically allocated at run-time, the developer gets to choose. PAGE_EXECUTE_READWRITE does not get the NX bit set on purpose. This is useful if they have legacy code that dynamically alters executable code while still having the DEP bit set on the PE so the majority of their code is W^X.

Anders
  • 97,548
  • 12
  • 110
  • 164
  • This is great to know from a security standpoint. I was triggered to study this option when red-team developers were discussing the concern "Wouldn't using PAGE_EXECUTE_READWRITE here raise alarms with the AV", but the answer is no because there exist no reliable way to ensure reliable tracking of the `VirtualProtect` API call. It would be extremely useful from a security perspective if, since these API calls aren't intended to be modified anyway, the Windows kernel would place them in kernel memory and treat them more like system calls. – J.Todd Sep 03 '22 at 15:05
1

Early x86 CPUs had no support for pages without eXec permission. In legacy 32-bit x86 page tables, there was only a bit for write permission, the R/W bit. (Read permission is always implicit in the page being valid, whether the page is writeable or not). The PAE format for page-table entries, which x86-64 also uses, added an NX bit ("no exec"), aka XD (eXecute Disable).

An OS still had to decide which pages to make non-executable. Windows seems to use DEP to describe the feature of actually mapping logical page permissions to the hardware page tables, to be enforced by the CPU.

Some programs written in the bad old days when every readable page was executable may have been sloppy about telling the OS that they wanted a page to be executable. Especially ones that only targeted 32-bit x86. This is what Windows caters for by requiring executables to opt in to DEP, to indicate that they're aware of and compatible with not having exec permission for pages that aren't explicitly marked that way.

Some OSes, notably OpenBSD, truly enforce W^X. For example, mmap(..., PROT_WRITE | PROT_EXEC, ...) will return an error on OpenBSD. Their mmap(2) man page documents that such an mmap or mprotect system call will return

[ENOTSUP] The accesses requested in the prot argument are not allowed. In particular, PROT_WRITE | PROT_EXEC mappings are not permitted unless the filesystem is mounted wxallowed and the process is link-time tagged with wxneeded. (See also kern.wxabort in sysctl(2) for a method to diagnose failure).

Most other OSes (including Linux and Windows) allow user-space to create pages that are writeable and executable at the same time. But the standard toolchains and dynamic linking mechanisms aim for W^X compliance by default, if you don't use any options like gcc -zexecstack that will get the OS to create a process image with some R|W|X pages.

Older 32-bit x86 Linux for example used to use PLT entries (dynamic linking stubs) with jmp rel32 direct jumps, and rewrite the machine code to have the right displacement to reach wherever the shared library got loaded in memory. But these days, the PLT code uses indirect jumps (through the GOT = global offset table), so the executable PLT code can be in read-only page(s).

Changes like this have weeded out any need for write+exec pages in a normal process built with the standard tools.

But on Windows, MacOS, and Linux, W^X is not enforced by the OS. System calls like Windows VirtualAlloc / VirtualProtect and their POSIX equivalents mmap / mprotect will work just fine.

@Ander's answer says DEP does not enforce W^X, just gets the OS to respect the exec permission settings in the executable when creating the initial mappings for .text / .data / .bss and stack space, and stuff like that during process startup.

Peter Cordes
  • 328,167
  • 45
  • 605
  • 847
  • 2
    Your answers always teach me far more than I could've thought to ask about a subject. Thanks for all the time you invest in helping others. – J.Todd Sep 03 '22 at 23:16
  • 1
    @J.Todd: Cheers :) I generally only bother to answer questions where there's more to say than an appropriate google would tell you, because that's kind of the whole point of taking time to write an answer, IMO. – Peter Cordes Sep 04 '22 at 00:05