Prefetch Technologies // Keeping your cache lines cozy

Archive

Posts from 2012

Using exec-shield to protect your Linux servers from stack, heap and integer overflows

security, linux | Jan 14, 2012 | 2 min read

I've been a longtime follower of the OpenBSD project, and their amazing work on detecting and protecting the kernel and applications from stack and heap overflows. Several of the concepts that were developed by the OpenBSD team were made available in Linux, and came by way of the exec-shield project. Of the many useful security features that are part of exec-shield, the two that a SysAdmin can control are kernel virtual address space randomization and the exec-shield operating mode.

Address space randomization is controlled through the kernel.randomize_va_space sysctl tunable, which defaults to 1 on my CentOS systems:

The exec-shield operating mode is controlled through the kernel.exec-shield sysctl value, and can be set to one of the following four modes (the descriptions below came from Steve Grubb's excellent post on exec-shield operating modes):

> A value of 0 completely disables ExecShield and Address Space Layout Randomization

> A value of 1 enables them ONLY if the application bits for these protections are set to “enable”

> A value of 2 enables them by default, except if the application bits are set to “disable”

> A value of 3 enables them always, whatever the application bits

The default exec-shield value on my CentOS servers is 1, which enables exec-shield for applications that have been compiled to support it:

To view the list of running processes that have exec-shield enabled, you can run Ingo Molnar and Ulrich Drepper's lsexec utility:

In this day and age of continuous security threats there is little to no reason that you shouldn't be using these amazing technologies…
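One way to check both tunables in a single pass, as an added example that is not code from the original post: `audit_memory_protections` and its root-directory argument are hypothetical names, the argument exists so the check can run against a constructed tree, and the `randomize_va_space` value meanings in the comments come from the kernel's sysctl documentation rather than from the post.

```sh
# Added example, not from the original post. audit_memory_protections and its
# root-directory argument are hypothetical names chosen for illustration.
audit_memory_protections() {
    root=${1:-/proc/sys}   # sysctl kernel.x is exposed as /proc/sys/kernel/x
    weak=0

    # kernel.randomize_va_space: 0 = off, 1 = stack/mmap/vDSO, 2 = also heap (brk)
    if [ -r "$root/kernel/randomize_va_space" ]; then
        val=$(cat "$root/kernel/randomize_va_space")
        case "$val" in
            1|2) echo "OK   randomize_va_space=$val" ;;
            0)   echo "WEAK randomize_va_space=0 (randomization disabled)"; weak=$((weak + 1)) ;;
            *)   echo "WEAK randomize_va_space=$val (unrecognised value)"; weak=$((weak + 1)) ;;
        esac
    else
        echo "WEAK randomize_va_space not readable"; weak=$((weak + 1))
    fi

    # kernel.exec-shield: modes 0-3 as listed in the post; the file exists only
    # on kernels built with the exec-shield patch, so absence is reported, not failed.
    if [ -r "$root/kernel/exec-shield" ]; then
        val=$(cat "$root/kernel/exec-shield")
        case "$val" in
            0) echo "WEAK exec-shield=0 (ExecShield and ASLR disabled)"; weak=$((weak + 1)) ;;
            1) echo "OK   exec-shield=1 (on only for binaries marked enable)" ;;
            2) echo "OK   exec-shield=2 (on unless a binary is marked disable)" ;;
            3) echo "OK   exec-shield=3 (always on)" ;;
            *) echo "WEAK exec-shield=$val (unrecognised value)"; weak=$((weak + 1)) ;;
        esac
    else
        echo "INFO exec-shield tunable absent on this kernel"
    fi
    echo "weak=$weak"
}

# Constructed sample tree: randomization on, exec-shield switched off.
demo=$(mktemp -d)
mkdir -p "$demo/kernel"
echo 1 > "$demo/kernel/randomize_va_space"
echo 0 > "$demo/kernel/exec-shield"
audit_memory_protections "$demo"
rm -rf "$demo"
```

Called with no argument, the function reads the live values under /proc/sys; the final `weak=N` line counts settings that leave a protection switched off.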
