W^X Mechanism (continued..) In summary, to get to W^X on cpus supporting a per-page X bit: Sigtramp moves out of the stack GOT/PLT becomes non-writeable (moved into own pages) dtor/ctor becomes non-writeable (moved into other pages) But the i386 needs: Code segment limit set at 512MB All executable parts moved below, all writeable parts moved above powerpc: Similar tricks as the i386, but more complicated ... but not yet written Maybe W^X inside the kernel, in the future? :) IMPROVES PERFORMANCE: Some architectures sped up (due to TLB colouring) IMPROVES SECURITY: Even partial W^X finds software bugs VERY LOW COST: All OS vendors should be heading in this direction