Ubuntu Linux: Turn On Exec-Shield Buffer Overflow Protection

I am trying to set exec-shield protection on Linux as described here, but I am getting the following error on Ubuntu Linux server version 12.04 LTS:

sysctl -w kernel.exec-shield=1
error: “kernel.exec-shield” is an unknown key

How do I fix this problem and make sure the exec-shield buffer overflow protection security feature is turned on under Ubuntu Linux?

The Linux kernel (or a patch to the kernel) provides the ExecShield feature to protect against buffer overflows through measures such as:

  1. Random placement of the stack
  2. Random placement of memory regions
  3. Prevention of execution in memory that should only hold data
  4. Careful handling of text buffers, and more.

The Ubuntu kernel has No Execute (NX) support, called Execute Disable (XD) on Intel processors. This does the same job: it prevents code execution on a per-memory-page basis. If you are using an Intel processor, you should see the following message when the system boots:

dmesg | grep --color 'NX (Execute Disable) protection'

Sample outputs:

Fig.01: Intel CPU NX protection for buffer overflow enabled on Ubuntu kernel

This is the equivalent of the Exec Shield kernel security feature on CentOS, Scientific Linux (SL) and RHEL (Red Hat). If you do not see the message, reboot the server and enable XD/NX protection in the BIOS setup. Note that on a host that has been up for a long time the dmesg ring buffer may have wrapped and dropped the boot message; in that case the nx flag on the flags line of /proc/cpuinfo still confirms that the CPU supports it.

Make sure kernel.randomize_va_space is enabled

Type the following command:
sysctl -w kernel.randomize_va_space=1
OR, to make the setting persistent across reboots, edit the file /etc/sysctl.conf and append/modify as follows (run sysctl -p afterwards to load it without rebooting):

kernel.randomize_va_space = 1

The randomize_va_space can have any one of the following values:

  • 0 – Do not randomize the stack and vdso page.
  • 1 – Turn on protection and randomize the stack, vdso page and mmap.
  • 2 – Turn on protection and randomize the stack, vdso page and mmap, plus randomize the brk base address.
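As an added example that is not part of the original article, the following POSIX shell script audits both protections described above, NX/XD support as seen by the CPU and the kernel, and the kernel.randomize_va_space setting, as functions that take their input as text, so they can be checked against the constructed samples embedded in the script and also run against the live host. Assumed: a grep that supports -w (GNU or BSD), and the x86 kernel boot message "NX (Execute Disable) protection: active".

```shell
#!/bin/sh
# Added example, not from the original article: audit the two protections the
# article describes. Each check takes its input as text so it can be run against
# constructed samples as well as the live system.

# Does the CPU advertise NX (AMD's name) / XD (Intel's name)? The kernel reports
# both as the "nx" flag on the "flags" line of /proc/cpuinfo.
cpu_has_nx() {
    printf '%s\n' "$1" | grep '^flags' | grep -qw nx
}

# Did the kernel actually enable it at boot? (message printed by x86 boot code)
kernel_nx_active() {
    printf '%s\n' "$1" | grep -q 'NX (Execute Disable) protection: active'
}

# Describe a kernel.randomize_va_space value (meanings as listed above;
# 2 is the kernel's default and the strongest setting).
aslr_level() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "stack, vdso page and mmap randomized" ;;
        2) echo "stack, vdso page, mmap and brk randomized" ;;
        *) echo "unknown value: $1" ;;
    esac
}

# Verdict: succeeds (exit 0) only when NX is active and ASLR is not disabled.
audit() {  # args: cpuinfo_text dmesg_text randomize_va_space_value
    cpu_has_nx "$1" && kernel_nx_active "$2" && [ "${3:-0}" -ne 0 ]
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_CPUINFO='processor : 0
flags : fpu vme de pse tsc msr pae nx lm'
SAMPLE_DMESG='[    0.000000] NX (Execute Disable) protection: active'

# Run against the live system when possible (dmesg may need root).
if [ "$(uname -s)" = Linux ] && [ -r /proc/sys/kernel/randomize_va_space ]; then
    va="$(cat /proc/sys/kernel/randomize_va_space)"
    if audit "$(cat /proc/cpuinfo)" "$(dmesg 2>/dev/null)" "$va"; then
        echo "OK: NX active, ASLR: $(aslr_level "$va")"
    else
        echo "WARNING: NX not active or ASLR disabled (randomize_va_space=$va)"
    fi
fi
```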

I highly recommend that you read our FAQ “Linux Kernel /etc/sysctl.conf Security Hardening Via Sysctl” for more information.

Posted by: SXI ADMIN
