undefined | Better HN

0 pointsshagie2y ago0 comments

From 2020 https://www.securemac.com/news/arm-macs-faq

> Write XOR execute (W^X)

> Apple Silicon Macs will enforce a restriction called “write XOR execute” (W^X). This means that chunks of memory will be designated as writable, or as executable, but never as both at the same time. Many macOS apps contain performance optimization programs that require memory to be both writable and executable, but this can lead to serious security issues. By enforcing W^X, Apple will harden Mac security at the memory level. App developers, however, won’t be left out in the cold — if they still need those optimization programs for their apps, they can use a new macOS API that provides a way to switch between write and execute permissions quickly and safely.

And the nature of W^X - https://en.wikipedia.org/wiki/W%5EX

> W^X ("write xor execute", pronounced W xor X) is a security feature in operating systems and virtual machines. It is a memory protection policy whereby every page in a process's or kernel's address space may be either writable or executable, but not both. Without such protection, a program can write (as data "W") CPU instructions in an area of memory intended for data and then run (as executable "X"; or read-execute "RX") those instructions. This can be dangerous if the writer of the memory is malicious. W^X is the Unix-like terminology for a strict use of the general concept of executable space protection, controlled via the mprotect system call.

---

See also Porting just-in-time compilers to Apple silicon - https://developer.apple.com/documentation/apple-silicon/port...

And W^X now mandatory in OpenBSD (8 years ago : https://news.ycombinator.com/item?id=11789169 )

0 comments

mike_hearn2y ago

The JVM has worked fine on macOS and Apple Silicon for years. It's not violating W^X. The problem is an undocumented/unannounced and probably unintended change in kernel behavior.

dylan6042y ago

Shouldn't this help zero in on where the issue is located? If it did not occur in the last released beta but it now exists in the released update, doesn't that significantly reduce the footprint of where to search for changes?

shagieOP2y ago

From a discussion on it previously : https://news.ycombinator.com/item?id=39741517 by fweimer

> The signal comes from a safe fetch, which is just a read that allows ignoring the fault as if it never happened. Such a signal is deliver synchronously, so the usual restrictions for asynchronous signal handlers do not apply.

> The code in question takes into account that the value read might be garbage. See the big comment here: https://github.com/openjdk/jdk/commit/29397d29baac3b29083b1b...

> On current CPUs and operating systems, this is not an optimization, so the code was removed earlier this year: https://bugs.openjdk.org/browse/JDK-8320317

(there's a lot more comments further down that are worth reading)

It is known where this is causing a problem and the code was removed a few months ago in the code for Java 23.

acdha2y ago

Java has worked great on Apple Silicon since release and it’s still working great now for most users. The linked post explains that Java is already using the W^X modes but there’s an edge case involving page faults while the JIT is updating pages, which to me seems suspiciously like an attempted security improvement which needed better testing:

https://bugs.java.com/bugdatabase/view_bug?bug_id=8327860

j / k navigate · click thread line to collapse