SUMMARY: Non Executable Stack

From: Michael Cunningham (malice@exit109.com)
Date: Thu Dec 02 1999 - 03:42:10 CST


Thanks go out to:

Tim Carlson
Klaus Sellerberg
Craig Mertens
Duncan Phillips
Daniel Muino
Alex Shepard
Tim Evans
Allan West
Charlie Giannetto
Bryan Blackburn
Vilain, Sam
David Foster
Mike Fisher
Rick Robino
Unixboy@aol.com
Edwards Philip M C
DAVID,Anthony
Brad Young
sysadm@its.brooklyn.cuny.edu
John Weekley
Haydee Y. Ching
Alex STEPNEY
Brian Scanlan
Marie-Francoise Thiry
Morgan Sarges
Paul Pescitelli
David H. Brierley

Evidently I am the only admin who didn't know this off the top of his
head :) I will have to check out sunworldonline more often...

Some of the responses I received..
-------------------------------------------------------------
Here are the entries you need in /etc/system
* Disable stack execution and log attempts
        set noexec_user_stack = 1
* Log attempted exploits
        set noexec_user_stack_log = 1
------------------------------------------------------------
A pointer to a faq that explains this..

http://www.sunworld.com/sunworldonline/common/security-faq.html#Q2.30
-----------------------------------------------------------
With 2.6 or greater on sun 4m, 4u, and 4d architectures, you can 'set
noexec_user_stack=1' to turn off execute permissions on the stack. This
won't protect against all exploits (such as those that overwrite data
segment pages with arbitrary data), but is effective against standard
buffer overflows.

However, killing execute permissions on your stack can have ...
unpredictable effects on certain programs, especially compilers.
Shouldn't be a problem on a production system, though. Still, test and
test again, as per the usual.
        
Also, I believe that stacks are no longer executable under 64-bit Solaris
7 processes. Take *that* advice for what it's worth, though.
-------------------------------------------------------------------
By default, the Solaris kernel maps the system stack RWX; this
behaviour is mandated by the SPARC V8 ABI. Since a non-executable
stack gets in the way of certain classes of security bug exploits, a
feature was added to Solaris 2.6 that allows system administrators to
remove the "X" protection from the stack.

To enable this feature, add the following to /etc/system:

        * Foil certain classes of bug exploits
        set noexec_user_stack = 1

        * Log attempted exploits
        set noexec_user_stack_log = 1

This is no general "cure-all" protection for buffer overflow exploits.
It may also break certain SPARC V8 ABI conforming programs.

This feature also requires hardware support; it is only available on
UltraSPARC (sun4u), sun4d and sun4m systems.
---------------------------------------------------------------------

Original Question..

On Wed, Nov 24, 1999 at 11:39:29AM -0500, Michael Cunningham wrote:
>
> Hiya all..
>
> A while back I remember seeing a tidbit flow across this list
> regarding a modification to /etc/system that would prevent
> execution on the user stack stopping some buffer overflows.
> Any idea what it should be? I looked in the archives but couldn't find
> anything..
>
> Thanks Mike.
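
A check for the settings quoted in the responses above, as an added example that is not part of the original post or of any reply: it reads an /etc/system-format file, reports whether noexec_user_stack and noexec_user_stack_log are set to 1, and rejects machine classes outside the sun4u/sun4d/sun4m list. The function names, status words and sample file (including sun4c as a class outside that list) are constructed for illustration, and it assumes the last assignment of a tunable is the one that takes effect.

```shell
#!/bin/sh
# Added example: audit an /etc/system-format file for the two tunables above.

# Print the value assigned to tunable $2 in file $1, or "unset".
# Lines starting with '*' are comments and never match. Assumption: if a
# tunable is set more than once, the last assignment is the effective one.
system_tunable() {
    val=$(sed -n "s/^[[:space:]]*set[[:space:]]\{1,\}$2[[:space:]]*=[[:space:]]*\([0-9A-Za-z]*\).*/\1/p" "$1" | tail -n 1)
    echo "${val:-unset}"
}

# Succeed only for the machine classes (uname -m) the thread lists as
# having the required hardware support.
arch_supported() {
    case "$1" in
        sun4u|sun4d|sun4m) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one status word for file $1 on machine class $2.
audit_noexec_stack() {
    arch_supported "$2" || { echo "unsupported-arch"; return 0; }
    if [ "$(system_tunable "$1" noexec_user_stack)" != 1 ]; then
        echo "stack-executable"
    elif [ "$(system_tunable "$1" noexec_user_stack_log)" != 1 ]; then
        echo "protected-not-logged"
    else
        echo "protected-and-logged"
    fi
}

# Constructed sample input (not taken from a real host).
write_sample() {
    cat > "$1" <<'EOF'
* Constructed sample; the next line is commented out and must be ignored
* set noexec_user_stack = 0
set noexec_user_stack = 1
  set noexec_user_stack_log=1
EOF
}

sample="${TMPDIR:-/tmp}/system.sample.$$"
write_sample "$sample"
echo "sun4u: $(audit_noexec_stack "$sample" sun4u)"
echo "sun4c: $(audit_noexec_stack "$sample" sun4c)"
rm -f "$sample"
# On a real host: audit_noexec_stack /etc/system "$(uname -m)"
```

/etc/system is read at boot, so the result describes the configured state, not necessarily what the running kernel is enforcing.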


