Ubuntu Linux: Turn On Exec-Shield Buffer Overflow Protection

Posted on in Categories , last updated June 4, 2013

I am trying to set exec-shield protection on Linux as described here but getting the following error on Ubuntu Linux server version 12.04 LTS:

sysctl -w kernel.exec-shield=1
error: “kernel.exec-shield” is an unknown key

How do I fix this problem and make sure exec-shield buffer overflow protection security feature turned on Ubuntu Linux?

Linux kernel (or patch to kernel) provides ExecShield feature to protect against buffer overflows such as:

  1. Random placement of the stack
  2. Random placement of memory regions
  3. Prevention of execution in memory that should only hold data
  4. Handling of text buffers with care and more.

Ubuntu kernel has No Execute (NX) or Execute Disable (XD) support. This does exactly the same thing to prevent code execution on a per memory page basis. If you are using Intel processors you should see the following message when system boots:

dmesg | grep --color '[NX|DX]*protection'

Sample outputs:

Fig.01: Intel CPU NX protection for buffer overflow enabled on Ubuntu kernel
Fig.01: Intel CPU NX protection for buffer overflow enabled on Ubuntu kernel

This is the equivalent of the CentOS or SL or RHEL (Red Hat) Exec Shield kernel security feature. If you do not see the message, reboot the server and set XD/NX protection using BIOS setup.

Make sure kernel.randomize_va_space enabled

Type the following command:
sysctl -w kernel.randomize_va_space=1
OR, edit the file /etc/sysctl.conf and append/modify as follows:

kernel.randomize_va_space = 1

The randomize_va_space can have any one of the following values:

  • 0 – Do not randomize stack and vdso page.
  • 1 – Turn on protection and randomize stack, vdso page and mmap.
  • 2 – Turn on protection and randomize stack, vdso page and mmap + randomize brk base address.

I highly recommend that you read our faq “Linux Kernel /etc/sysctl.conf Security Hardening Via Sysctl” for more information.

See also

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

5 comment

  1. Hi, thanks for the tip. I have one question, though.
    On my machine dmesg says NX protection is active

    me@mymachine:~$ dmesg | grep –color ‘[NX|DX]*protection’
    [ 0.000000] NX (Execute Disable) protection: active

    but sysctl says exec-shield is an unknown key:

    sudo sysctl kernel.exec-shield
    error: “kernel.exec-shield” is an unknown key

    I take this as a hint that NX protection is enabled and I can’t disable it. Am I right ? Thank you.

  2. Dear Ubuntuites.

    NX bit or emulating one does not in any way give you ASLR to prevent eg ret libc attacks. This guide made the user persuaded by it less secure against anything newer than Phrack issue 41. Not cool.

    Love S

  3. Dear Ubuntuites.

    NX bit or emulating one does not in any way give you ASLR to prevent eg ret libc attacks. This guide made the user persuaded by it less secure against anything newer than Phrack issue 41. Not cool.

    Ps. You mention the extra features in the article then jump to saying its equivalent to NX bit which it’s obviously not. Confusing.

    Love S

Leave a Comment