Ubuntu Linux: Turn On Exec-Shield Buffer Overflow Protection

May 19, 2013 · 5 comments · Last updated June 4, 2013


I am trying to set exec-shield protection on Linux as described here, but I get the following error on an Ubuntu Linux server, version 12.04 LTS:

sysctl -w kernel.exec-shield=1
error: "kernel.exec-shield" is an unknown key

How do I fix this problem and make sure the exec-shield buffer overflow protection security feature is turned on under Ubuntu Linux?

Tutorial details

  • Difficulty: Intermediate
  • Root privileges: Yes
  • Requirements: sysctl
  • Estimated completion time: N/A

The Linux kernel (or a patch to the kernel) provides the ExecShield feature, which protects against buffer overflow attacks through:

  1. Random placement of the stack
  2. Random placement of memory regions
  3. Prevention of execution in memory that should only hold data
  4. Careful handling of text buffers, and more.

The Ubuntu kernel has No Execute (NX) or Execute Disable (XD) support. This does exactly the same thing: it prevents code execution on a per memory page basis. If you are using an Intel processor you should see the following message when the system boots:

dmesg | grep --color '[NX|DX]*protection'

Sample output:

Fig.01: Intel CPU NX protection for buffer overflow enabled on Ubuntu kernel

This is the equivalent of the Exec Shield kernel security feature on CentOS, SL or RHEL (Red Hat). If you do not see the message, reboot the server and enable XD/NX protection in the BIOS setup.

Make sure kernel.randomize_va_space is enabled

Type the following command:

sysctl -w kernel.randomize_va_space=1

OR, edit the file /etc/sysctl.conf and append/modify the following line:

kernel.randomize_va_space = 1

The kernel.randomize_va_space setting can take any one of the following values:

  • 0 - Do not randomize the stack and vdso page.
  • 1 - Turn on protection and randomize the stack, vdso page and mmap.
  • 2 - Turn on protection and randomize the stack, vdso page and mmap, plus the brk base address.
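The two checks above (the NX boot message and the randomize_va_space value) can be scripted so that an Ubuntu box is audited without the RHEL-only kernel.exec-shield key ever being queried. The script below is an added example, not part of the original article; the function names, the report wording and the cpuinfo sample are constructed for this illustration, and every path is a parameter so the checks can be run against a fake sysctl tree as well as the live system.

```shell
#!/bin/sh
# Added example, not from the original article: check the protections the
# article describes without the kernel.exec-shield key, which the Ubuntu kernel
# lacks. Paths are parameters so each check also runs on constructed input.

# Meaning of each kernel.randomize_va_space value, as listed in the article.
describe_randomize_va_space() {
    case "$1" in
        0) echo "off: stack and vdso page not randomized" ;;
        1) echo "on: stack, vdso page and mmap randomized" ;;
        2) echo "on: stack, vdso page, mmap and brk base randomized" ;;
        *) echo "unknown value: $1"; return 1 ;;
    esac
}

# Does a sysctl key exist? Test for its /proc/sys file instead of parsing the
# "unknown key" error text. $2 optionally overrides the /proc/sys root.
sysctl_key_exists() {
    [ -e "${2:-/proc/sys}/$(printf '%s' "$1" | tr . /)" ]
}

# Does the CPU advertise NX/XD? Checks the "flags" line of a cpuinfo file
# ($1, default /proc/cpuinfo); "nx" is the flag name Linux uses for the bit.
cpu_has_nx() {
    grep -m1 '^flags' "${1:-/proc/cpuinfo}" | grep -qw nx
}

# Summarise a system whose sysctl tree is rooted at $1 (default /proc/sys);
# checks that cannot be read (e.g. on a non-Linux host) are skipped.
report() {
    root=${1:-/proc/sys}
    if sysctl_key_exists kernel.exec-shield "$root"; then
        echo "kernel.exec-shield: present (Exec Shield kernel)"
    else
        echo "kernel.exec-shield: absent, as expected on Ubuntu (rely on NX + ASLR)"
    fi
    if [ -r "$root/kernel/randomize_va_space" ]; then
        echo "ASLR: $(describe_randomize_va_space "$(cat "$root/kernel/randomize_va_space")")"
    fi
    if [ -r /proc/cpuinfo ]; then
        if cpu_has_nx; then echo "CPU NX/XD: present"; else echo "CPU NX/XD: absent (enable it in the BIOS)"; fi
    fi
}

# Constructed cpuinfo sample, so the NX check can be exercised offline.
SAMPLE_CPUINFO=$(mktemp)
printf 'processor\t: 0\nflags\t\t: fpu vme de pse nx lm\n' > "$SAMPLE_CPUINFO"
if cpu_has_nx "$SAMPLE_CPUINFO"; then echo "sample cpuinfo: NX flag found"; fi
rm -f "$SAMPLE_CPUINFO"
report
```

Run it as root on the live system to see the same information the article gathers with dmesg and sysctl; the constructed sample only proves the flag parsing works.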

I highly recommend that you read our FAQ "Linux Kernel /etc/sysctl.conf Security Hardening Via Sysctl" for more information.


5 comments

1 Marcello May 20, 2013 at 6:20 am

Hi, thanks for the tip. I have one question, though.
On my machine dmesg says NX protection is active

me@mymachine:~$ dmesg | grep --color '[NX|DX]*protection'
[ 0.000000] NX (Execute Disable) protection: active

but sysctl says exec-shield is an unknown key:

sudo sysctl kernel.exec-shield
error: "kernel.exec-shield" is an unknown key

I take this as a hint that NX protection is enabled and I can't disable it. Am I right? Thank you.


2 Marcello May 20, 2013 at 6:22 am

No wait, the article is the very answer to my question! Doh!

Guess that’s what you get if you post before morning coffee reaches your brain cells :-P


3 GermanG June 6, 2013 at 2:10 pm

That grep works but ignores NX / DX
dmesg | egrep --color '(NX|DX).*protection'
or
dmesg | grep --color '[ND]X.*protection'


4 ssergejev August 26, 2013 at 7:03 am

Dear Ubuntuites.

NX bit or emulating one does not in any way give you ASLR to prevent eg ret libc attacks. This guide made the user persuaded by it less secure against anything newer than Phrack issue 41. Not cool.

Love S


5 ssergejev August 26, 2013 at 7:06 am

Dear Ubuntuites.

NX bit or emulating one does not in any way give you ASLR to prevent eg ret libc attacks. This guide made the user persuaded by it less secure against anything newer than Phrack issue 41. Not cool.

PS. You mention the extra features in the article, then jump to saying it's equivalent to the NX bit, which it's obviously not. Confusing.

Love S
