
The Disadvantages of non-PAE operating systems


8 replies to this topic

#1 Al1000

Al1000

  • Global Moderator
  • 8,054 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:05:49 PM

Posted 09 February 2015 - 08:59 AM

I suppose this would apply to any operating system and not just Linux, but it seems most relevant to Linux because there is such a wide choice of operating systems, and a few of them are/have non-PAE versions.

I would ordinarily go for PAE versions because the CPUs on both of my computers support PAE, but LXLE, being designed for older hardware, has a non-PAE kernel to make it compatible with as many older CPUs as possible.

I was looking through dmesg and noticed this:
 

[    0.000000] Notice: NX (Execute Disable) protection cannot be enabled in hardware: non-PAE kernel!
[    0.000000] NX (Execute Disable) protection: approximated by x86 segment limits


So I searched the internet for information and found:
 

The NX bit, which stands for No-eXecute, is a technology used in CPUs to segregate areas of memory for use by either storage of processor instructions (code) or for storage of data, a feature normally only found in Harvard architecture processors. However, the NX bit is being increasingly used in conventional von Neumann architecture processors, for security reasons.

An operating system with support for the NX bit may mark certain areas of memory as non-executable. The processor will then refuse to execute any code residing in these areas of memory. The general technique, known as executable space protection, is used to prevent certain types of malicious software from taking over computers by inserting their code into another program's data storage area and running their own code from within this section; this is known as a buffer overflow attack.

http://en.wikipedia.org/wiki/NX_bit


x86 memory segmentation...

In both real and protected modes the system uses 16-bit segment registers to derive the actual memory address. In real mode the registers CS, DS, SS, and ES point to the currently used program code segment (CS), the current data segment (DS), the current stack segment (SS), and one extra segment determined by the programmer (ES).

https://en.wikipedia.org/wiki/X86_memory_segmentation


If I understand this correctly, with operating systems (/kernels) that use PAE support, NX (execute disable) protection is determined by the hardware (CPU), whereas with non-PAE operating systems (/kernels), NX protection is determined by the software (and "programmer").

I wouldn't think this would be a big deal for the average home user, or that it would mean that non-PAE Linux operating systems (/kernels) are insecure. I certainly have no plans to replace LXLE because of this, even though I could use something else that does support PAE instead.

But it does seem that it would mean that operating systems (/kernels) that do support PAE, are more secure than non-PAE versions. So if there is a choice available, and your CPU does support PAE, it would make sense to go for the PAE rather than the non-PAE version of whatever operating system you decide to use.

To check whether your CPU supports PAE, open a terminal and run the following command.
 

sudo lshw | grep -i pae

Give the command a few seconds to run, as it has to gather information about the hardware. When it has finished and you are returned to the command prompt, if there was any output, then your CPU supports PAE.
 

al@puppypc:~$ sudo lshw | grep -i pae

[sudo] password for al:

          capabilities: fpu fpu_exception wp vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt 3dnowext 3dnow up lahf_lm vmmcall cpufreq

al@puppypc:~$


Edited by Al1000, 09 February 2015 - 09:00 AM.



 


#2 paul88ks

paul88ks

  • Members
  • 1,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dallas,Texas
  • Local time:12:49 PM

Posted 09 February 2015 - 04:13 PM

http://en.wikipedia.org/wiki/Physical_Address_Extension   I found this article to be of great help!



#3 cat1092

cat1092

    Bleeping Cat


  • BC Advisor
  • 7,018 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:01:49 PM

Posted 19 February 2015 - 12:06 AM

Using the command that Al1000 provided above, this is what my main PC comes back with.

 

 

cat@cat-XPS-8700 ~ $ sudo lshw | grep -i pae

[sudo] password for cat: 
          capabilities: x86-64 fpu fpu_exception wp vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm ida arat epb xsaveopt pln pts dtherm tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm cpufreq
cat@cat-XPS-8700 ~ $ 
 

 

Though I don't know what all of that means, by a long shot, it's far more detailed than a Speccy report from a Windows OS. Even more than what Intel says on their spec sheet for the chip. 

 

http://ark.intel.com/products/75122/Intel-Core-i7-4770-Processor-8M-Cache-up-to-3_90-GHz

 

Now, if I can only manage this one last major upgrade, and have 4.0GHz w/out resorting to overclocking. 

 

http://ark.intel.com/products/80807/Intel-Core-i7-4790K-Processor-8M-Cache-up-to-4_40-GHz

 

I agree with the OP, a PAE enabled system is more secure & far more compatible than having to resort to non-PAE or worse yet, a --forcepae installed OS. The one machine where I've tried this several times just doesn't get along with the last approach, and there was even a couple of minor issues with the non-PAE version of Ubuntu 12.04. Yes it runs, but not like that of a modern CPU with PAE out of the box. 

 

Those with 64 bit CPUs (even the older ones) don't have this to worry about.

 

Cat

 

 


Edited by cat1092, 19 February 2015 - 12:06 AM.

Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#4 Al1000

Al1000
  • Topic Starter

  • Global Moderator
  • 8,054 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:05:49 PM

Posted 19 February 2015 - 03:21 AM

Though I don't know what all of that means, by a long shot

Neither do I. I probably wouldn't even have heard of PAE if not for you talking about it on this forum. The command just searches the output of lshw for the string "pae" (regardless of whether it's upper or lower case), and prints any lines in their entirety that contain the string.

The only other part of that output that means anything to me is "cpufreq" which I think tells you that the CPU is capable of running at different frequencies. I notice in Conky that the CPU frequency on my laptop changes between 800MHz, 1600 MHz and 1800MHz depending on load. Most operating systems seem to do this by default, except Puppy, where you have to use its CPU Frequency Scaling Tool - which is how I found out about CPU frequency scaling.

Edited by Al1000, 19 February 2015 - 03:26 AM.


#5 cat1092

cat1092

    Bleeping Cat


  • BC Advisor
  • 7,018 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:01:49 PM

Posted 19 February 2015 - 04:12 AM

There's a manual CPU Frequency Scaling option to use on Ubuntu based Linux versions also, otherwise the CPU would run at default values (on demand). Mine can be adjusted from 0.80GHz to 3.40GHz Turbo Mode, which is different from 3.40GHz. The Turbo Mode would make use of that area between 3.40 & 3.90GHz that's available. If one wants to keep it simple, Conservative, Powersave, Performance & Ondemand (default) can be used. Normally I'll leave it at Ondemand; when running VMs I will set it to Performance.

 

How to get 'cpufreq'? Copy/paste the below command in the Terminal. You'll have an applet to show/change this. Source is Tip #22 on the link below the command; many Ubuntu 14.04 tips, which also work perfectly on Linux Mint 17.1, are there. Actually, this is an older tip; some have pushed it for saving power on notebooks for longer battery life/reduced heat.

 

sudo apt-get install indicator-cpufreq

 

http://www.noobslab.com/2014/08/useful-panel-indicators-collection-for.html

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#6 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 13,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:04:49 AM

Posted 19 February 2015 - 04:21 AM

CPU Frequency Scaling Tool

CpuFreq indicator applet for displaying and changing CPU frequency on-the-fly. It provides the same functionality as the Gnome CPU frequency applet, but doesn't require Gnome panel and works under Unity.
 
To install CpuFreq indicator in Ubuntu/Linux Mint open Terminal (Press Ctrl+Alt+T) and copy the following commands in the Terminal:

sudo apt-get install indicator-cpufreq

I use CpuFreq indicator.


 



#7 mremski

mremski

  • Members
  • 498 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NH
  • Local time:01:49 PM

Posted 19 February 2015 - 06:59 AM

PAE relates to memory management in the OS;  the more things the hardware can do means the less you need to simulate or not do in software.

CPUs that have a 32 bit address bus can access 2^31-1 addresses in a linear fashion (4GB). PAE uses 36 bits, but the extra 4 bits don't work in linear fashion, they are similar to the old segment registers.  In PAE enabled CPUs you get extra features in the hardware by enabling it;  the don't execute bit is one of them.  This winds up getting used/set by Page Table Entries that are used to map physical locations into virtual locations, so by having the hardware do the don't execute that means you don't have to emulate it in software (each process has memory locations associated with it, page table entries do the mapping, if you are emulating don't execute you wind up in software checking each address every time you try to execute code at that address.  Yes this is a simplified explanation).  Software emulation is not going to be as speedy as hardware execution.  Doing something in software is never as secure as doing something in hardware, if the feature is turned off, then it's obviously less secure.

 

CPU Frequency:  power saving, heat generating, noise (run faster use more power generate more heat fan runs faster).  Long time ago CPUs basically ran at one frequency;  yes they could be up or down clocked but once running they typically ran at a single frequency.  As laptops and mobile devices became more popular, users demanded better battery life, lower heat, etc, so CPU makers started implementing dynamic frequencies:  good for reducing power/heat, but causes some fun in the OS itself.  Think timers and timing.  What if you have a real time process that needs to do something on a 10ms period, something like say audio?  Easy if you have a constant clock, but now you allow the user to start mucking around with that?  Your 10ms could become 12 or 8.  A way around that is to have an independent timing source (pretty much all computers have that now).


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer


#8 JohnC_21

JohnC_21

  • Members
  • 24,659 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:49 PM

Posted 19 February 2015 - 03:43 PM

Here is my output on an old Athlon XP 3000+ running Ubuntu. Notice it has no SSE2 instruction set. Cannot run Chrome because after v35 it only supports CPUs with SSE2. Also it does not have NX.

 

[sudo] password for johnc:
          capabilities: fpu fpu_exception wp vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx fxsr sse syscall mmxext 3dnowext 3dnow vmmcall cpufreq

 

 



#9 cat1092

cat1092

    Bleeping Cat


  • BC Advisor
  • 7,018 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:01:49 PM

Posted 20 February 2015 - 12:42 AM

 

 

 Doing something in software is never as secure as doing something in hardware, if the feature is turned off, then it's obviously less secure.

 

Most all Windows OSes have an extra option in the 'Performance' tab, to enable hardware Data Execution Prevention (user will be shown if it's available). This is supposed to halt many attacks, however I'm not sure how effective this is, nor exactly what this blocks, nor how many consumers enable the option. My DEP settings are enabled on all of my computers, though many consumers never bother to open the access tab, other than to reduce pagefile size to install an SSD. It's true that built in hardware security across the board is best over software, and why the mainstream version of Ubuntu 12.04 onwards (& most derivatives, except Linux Mint 13) enforced PAE, don't know about NX. Microsoft followed the trend, making PAE & NX a requirement for Windows 8 onwards.

 

So how do we get the equivalent of DEP on a Linux OS's CPU working? Or is it already enabled?

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 
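
Added example, not part of any post in this thread: a shell sketch that combines the two checks discussed above (the CPU capability list and the kernel's NX log line) into one verdict about whether hardware NX is in use. The function names and verdict labels are this example's own; the capability lists and non-PAE log lines are copied from posts #1 and #8, and the "active" log line is a constructed sample.

```shell
#!/bin/sh
# Added example: classify NX (execute-disable) state from CPU flags plus kernel log text.

# has_flag FLAGS NAME: succeed only if NAME appears as a whole word in FLAGS,
# so "sse" is not matched inside "sse2".
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# nx_status FLAGS LOG: print one verdict (labels are this example's own).
nx_status() {
    flags=$1
    log=$2
    # Hardware NX lives in PAE-format page table entries, so no PAE means no NX.
    has_flag "$flags" pae || { echo no-pae-cpu; return; }
    has_flag "$flags" nx  || { echo cpu-lacks-nx; return; }
    case $log in
        *"non-PAE kernel"*)     echo nx-unused-non-pae-kernel ;;
        *"protection: active"*) echo nx-active ;;
        *)                      echo nx-capable-unconfirmed ;;
    esac
}

# Capability lists copied from posts #1 and #8 of this thread.
OP_FLAGS="fpu fpu_exception wp vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt 3dnowext 3dnow up lahf_lm vmmcall cpufreq"
ATHLON_FLAGS="fpu fpu_exception wp vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx fxsr sse syscall mmxext 3dnowext 3dnow vmmcall cpufreq"
# Kernel log lines from post #1; pairing them with OP_FLAGS is this example's choice.
NONPAE_LOG='[    0.000000] Notice: NX (Execute Disable) protection cannot be enabled in hardware: non-PAE kernel!
[    0.000000] NX (Execute Disable) protection: approximated by x86 segment limits'
# Constructed sample of the line logged when hardware NX is enabled.
ACTIVE_LOG='[    0.000000] NX (Execute Disable) protection: active'

nx_status "$OP_FLAGS" "$NONPAE_LOG"     # NX-capable CPU, non-PAE kernel
nx_status "$OP_FLAGS" "$ACTIVE_LOG"     # same CPU, PAE kernel
nx_status "$ATHLON_FLAGS" ""            # PAE present, no nx flag

# Live use on a Linux host (dmesg may need root):
# nx_status "$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2)" "$(dmesg | grep 'NX (Execute Disable)')"
```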




