W^X

W^X ("write xor execute", pronounced W xor X) is a security feature in operating systems and virtual machines. It is a memory protection policy whereby every page in a process's or kernel's address space may be either writable or executable, but not both. Without such protection, a program can write (as data, "W") CPU instructions into an area of memory intended for data and then run (as executable, "X", or read-execute, "RX") those instructions. This can be dangerous if the writer of the memory is malicious. W^X is the Unix-like terminology for a strict use of the general concept of executable space protection, controlled via the mprotect system call.

W^X is relatively simple on processor architectures that support fine-grained page permissions, such as Sun's SPARC and SPARC64, AMD's x86-64, Hewlett-Packard's PA-RISC, HP's (originally Digital Equipment Corporation's) Alpha, and ARM.

The term W^X has also been applied to file system write/execute permissions to mitigate file write vulnerabilities (as with memory) and attacker persistence. Enforcing restrictions on file permissions can also close gaps in W^X enforcement caused by memory-mapped files. Outright forbidding the use of arbitrary native code can also mitigate kernel and CPU vulnerabilities not exposed via the code already present on the computer. A less intrusive approach is to lock a file for the duration of any mapping into executable memory, which suffices to prevent post-inspection bypasses.

Compatibility

Some early Intel 64 processors lacked the NX bit required for W^X, but it appeared in later chips. On more limited processors such as the Intel i386, W^X requires using the CS code segment limit as a "line in the sand": a point in the address space above which execution is not permitted and data is located, and below which execution is allowed and executable pages are placed. This scheme was used in Exec Shield.

Linker changes are generally required to separate data from code (such as trampolines that are needed for linker and library runtime functions). The switch allowing mixing is usually called execstack on Unix-like systems.

W^X can also pose a minor problem for just-in-time compilation, which involves an interpreter generating machine code on the fly and then running it. The simple solution used by most, historically including Firefox, involves just making the page executable after the interpreter is done writing machine code, using VirtualProtect on Windows or mprotect on Unix-like operating systems. The other solution involves mapping the same region of memory to two pages, one with RW and the other with RX. There is no simple consensus on which solution is safer: supporters of the latter approach believe that allowing a page that has ever been writable to be executed defeats the point of W^X (there exists an SELinux policy to control such operations called allow_execmod) and that address space layout randomization would make it safe to put both pages in the same process. Supporters of the former approach believe that the latter approach is only safe when the two pages are given to two separate processes, and inter-process communication would be costlier than calling mprotect.
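The RW-then-RX hand-off that the "simple solution" above describes, as an added example in C (not code from the original article), assuming a POSIX mmap/mprotect system on x86-64 or AArch64; the machine code bytes are constructed for this example, and the second function is a probe of whether the running kernel grants the RWX mapping that strict W^X forbids.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed machine code for "int f(void) { return 42; }".
   x86-64:  mov eax, 42 ; ret        AArch64: mov w0, #42 ; ret */
#if defined(__x86_64__)
static const uint8_t kCode[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
#elif defined(__aarch64__)
static const uint8_t kCode[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 };
#else
#define NO_JIT_CODE 1
#endif

/* The "simple solution" from the article: the page is RW while the code is
   written, then flipped to RX with mprotect before it is ever executed, so
   it is never writable and executable at the same time. */
int run_jit_wx(void) {
#ifdef NO_JIT_CODE
    return -1;                              /* architecture not covered here */
#else
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *buf = mmap(NULL, page, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return -2;
    memcpy(buf, kCode, sizeof kCode);       /* "W" phase: plain data write */
    __builtin___clear_cache((char *)buf, (char *)buf + sizeof kCode);
    if (mprotect(buf, page, PROT_READ | PROT_EXEC) != 0) {   /* drop W, add X */
        munmap(buf, page);
        return -3;
    }
    int (*fn)(void) = (int (*)(void))(uintptr_t)buf;         /* "X" phase */
    int result = fn();
    munmap(buf, page);
    return result;
#endif
}

/* Probe whether the kernel grants a page that is writable and executable at
   once, which strict W^X enforcement (as in OpenBSD) refuses: 1 = granted. */
int rwx_mapping_allowed(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *buf = mmap(NULL, page, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return 0;
    munmap(buf, page);
    return 1;
}
```

On a default Linux kernel the probe returns 1, which is why the SELinux allow_execmem policy and similar controls exist on top of the hardware NX bit.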
History

W^X was first implemented in OpenBSD 3.3, released May 2003. In 2004, Microsoft introduced a similar feature called DEP (Data Execution Prevention) in Windows XP. Similar features are available for other operating systems, including the PaX and Exec Shield patches for Linux, and NetBSD's implementation of PaX. In Red Hat Enterprise Linux (and automatically CentOS) version 5, or by Linux kernel 2.6.18-8, SELinux received the allow_execmem, allow_execheap, and allow_execmod policies, which provide W^X when disabled.

Although W^X (or DEP) has only protected userland programs for most of its existence, in 2012 Microsoft extended it to the Windows kernel on the x86 and ARM architectures. In late 2014 and early 2015, W^X was added to the OpenBSD kernel on the AMD64 architecture. In early 2016, W^X was fully implemented on NetBSD's AMD64 kernel and partially on the i386 kernel.

macOS computers running on Apple silicon processors enforce W^X for all programs. Intel-based Macs enforce the policy only for programs that use the OS's Hardened Runtime mode.

Starting with Firefox 46 in 2016 and ending with Firefox 116 in 2023, Firefox's JavaScript virtual machine implemented the W^X policy. It was later rolled back on some platforms for performance reasons, though it remained on the platforms that enforce W^X for all programs.

Starting with .NET 6.0 in 2021, .NET uses W^X.

External links

Slides from a presentation by OpenBSD lead developer Theo de Raadt covering W^X

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.