
NX bit

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Bluefoxicy (talk | contribs) at 19:26, 17 July 2004 ([[Exec Shield]]). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

NX stands for "no execute", a per-page memory attribute supported by CPUs such as Sun's SPARC, Transmeta's Efficeon, and newer 64-bit x86 (AMD64) processors. A page whose page-table entry carries the NX bit can be read and written but not executed; an instruction fetch from such a page raises a fault. This feature significantly lowers the probability of crackers exploiting buffer overflows and increases overall system security.

An operating system that can use a hardware NX bit (or emulate one) may mark the stack and heap non-executable, and may refuse to make executable memory writable. This defeats buffer overflow exploits that inject code into a buffer and then jump to it, the technique used by the Sasser and Blaster worms. Such attacks rely on some region of memory, usually the stack, being both writable and executable; if no such region exists, the injected code cannot run and the attack fails.
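The mechanism described above, as an added example that is not part of the original article: a page is filled with a few bytes of constructed, position-independent machine code ("return 42"), and the program then tries to call into it once while the page is writable but not executable, and once after it has been made executable. On a CPU and kernel that honour the NX bit the first call faults and the process survives only because a SIGSEGV handler jumps back out; the second call returns 42. It assumes a POSIX system with mmap/mprotect (Linux is the tested target) on x86-64, i386 or AArch64; the function and variable names are this example's own.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed machine code for "return 42". It uses no absolute addresses,
 * so it can run from any page. One encoding per architecture this example knows. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char ret42_code[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 }; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char ret42_code[] = { 0x40, 0x05, 0x80, 0x52,               /* mov w0,#42 */
                                            0xc0, 0x03, 0x5f, 0xd6 };             /* ret        */
#else
#error "no constructed machine code for this architecture"
#endif

static sigjmp_buf fault_jmp;

/* Reached when the CPU refuses an instruction fetch from a non-executable page. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_jmp, 1);
}

/* Copy the code into a fresh anonymous page, set the page to `prot`, and call it.
 * Returns 42 if the code ran, -1 if the CPU faulted (NX did its job), -2 on setup error. */
int run_from_page(int prot)
{
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *mem = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -2;

    memcpy(mem, ret42_code, sizeof ret42_code);          /* "inject" the code */
    __builtin___clear_cache((char *)mem, (char *)mem + sizeof ret42_code);
    if (mprotect(mem, (size_t)page, prot) != 0) {        /* apply the page permissions under test */
        munmap(mem, (size_t)page);
        return -2;
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &mem, sizeof fn);                    /* treat the page as a function */
        result = fn();
    } else {
        result = -1;                                     /* came back through on_fault */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(mem, (size_t)page);
    return result;
}

int main(void)
{
    printf("writable, non-executable page: %d (expect -1)\n", run_from_page(PROT_READ | PROT_WRITE));
    printf("executable page:               %d (expect 42)\n", run_from_page(PROT_READ | PROT_EXEC));
    return 0;
}
```

The first call is exactly the situation a stack- or heap-injected payload is in on an NX-enforcing system: the bytes are there, the jump happens, and the fetch is refused. A result of 42 from the writable page would mean the page tables are not being marked NX (for example an old 32-bit kernel without PAE, or an emulator that ignores the bit).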

Implementations

Many operating systems implement or have available an NX policy, and some implement or have available NX emulation for CPUs that lack the bit. The systems below are grouped by operating system, each with its technologies ordered from newest to oldest.

OpenBSD's W^X ("write xor execute": no page may be both writable and executable) uses the hardware NX bit on the AMD64 port, so W^X is enforced entirely in hardware on those systems. Current OpenBSD also enforces W^X on CPUs without an NX bit.

W^X uses the hardware NX bit on Alpha, AMD64, HPPA and SPARC processors (but notably not on the first Intel EM64T processors, which shipped without the feature).

OpenBSD 3.3 shipped May 1, 2003, and was the first to include W^X.
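A W^X policy is easy to audit from the outside: every mapping of a process should have at most one of the write and execute permissions. As an added example (not from the original article or from OpenBSD), the following C code applies that rule to the Linux /proc/PID/maps format, where the second field of each line is the permission string (for example "rw-p" or "r-xp"). The sample lines are constructed for the example; the function names are this example's own, and the live check assumes a Linux-style /proc.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/PID/maps format. The third line is a page that
 * is both writable and executable, the kind of mapping W^X forbids. */
static const char sample_maps[] =
    "55d0c3a00000-55d0c3a01000 r-xp 00000000 08:01 1234 /usr/bin/demo\n"
    "55d0c3c00000-55d0c3c21000 rw-p 00000000 00:00 0    [heap]\n"
    "7f3a1c000000-7f3a1c001000 rwxp 00000000 00:00 0\n"
    "7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0    [stack]\n";

/* Count the mappings whose permission field carries both 'w' and 'x'.
 * maps_text holds whole lines separated by '\n'. */
int count_wx_mappings(const char *maps_text)
{
    int violations = 0;
    const char *line = maps_text;

    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);

        /* The permission field follows the first space: "rwxp" / "rw-p" / ... */
        const char *sp = memchr(line, ' ', len);
        if (sp && (size_t)(sp - line) + 4 < len) {
            const char *perm = sp + 1;
            if (perm[1] == 'w' && perm[2] == 'x')
                violations++;
        }
        if (!end)
            break;
        line = end + 1;
    }
    return violations;
}

/* Audit the running process itself. Returns -1 if /proc is not available.
 * The buffer is sized for a small process; a large one would be truncated. */
int audit_self(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    static char buf[1 << 16];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    return count_wx_mappings(buf);
}

int main(void)
{
    printf("W^X violations in sample: %d (expect 1)\n", count_wx_mappings(sample_maps));
    printf("W^X violations in this process: %d\n", audit_self());
    return 0;
}
```

A plain C program should report zero violations for itself; a non-zero count usually points at a JIT, a plugin loader, or an old-style executable stack, each of which hands an attacker exactly the writable-and-executable region the previous section says the attack needs.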

Red Hat kernel developer Ingo Molnar released a Linux kernel patch named Exec Shield, which approximates NX on IA-32 CPUs that lack the bit by limiting the code segment. Molnar later released a separate NX patch that makes full use of the hardware NX bit on supporting CPUs from Intel, AMD, Transmeta and VIA.

The Exec Shield patch was posted to the Linux kernel mailing list on May 2, 2003; the NX patch was posted there in June 2004. Linus Torvalds has taken an interest in the NX patch and believes it may be wise to have NX enabled by default. NX support for x86 is to be merged in Linux 2.6.8.

PaX can use a hardware NX bit where one exists, or emulate NX functionality where it does not (its PAGEEXEC and SEGMEXEC implementations), so it also works on CPUs without an NX bit, such as 32-bit x86.

The PaX project originated October 1, 2000. It was later ported to 2.6, and is at the time of this writing still in active development.

The mainline Linux kernel still does not ship with PaX (as of May 2004); the patch must be applied manually.

The forthcoming Windows XP Service Pack 2 and Windows Longhorn will ship with NX support (which Microsoft calls Data Execution Prevention, DEP). The service pack can be installed onto existing installations; future versions of Windows will ship with it preinstalled.