Ubuntu Linux: Turn On Exec-Shield Buffer Overflow Protection
I
am trying to set exec-shield protection on Linux as described here but getting the following error on Ubuntu Linux server version 12.04 LTS:
sysctl -w kernel.exec-shield=1
error: “kernel.exec-shield” is an unknown key
How do I fix this problem and make sure exec-shield buffer overflow protection security feature turned on Ubuntu Linux?
Linux kernel (or patch to kernel) provides ExecShield feature to protect against buffer overflows such as:
Random placement of the stack
Random placement of memory regions
Prevention of execution in memory that should only hold data
Handling of text buffers with care and more.
Ubuntu kernel has No Execute (NX) or Execute Disable (XD) support. This does exactly the same thing to prevent code execution on a per memory page basis. If you are using Intel processors you should see the following message when system boots:
dmesg | grep –color [NX|DX]*protection
Sample outputs:
Fig.01: Intel CPU NX protection for buffer overflow enabled on Ubuntu kernel
This is the equivalent of the CentOS or SL or RHEL (Red Hat) Exec Shield kernel security feature. If you do not see the message, reboot the server and set XD/NX protection using BIOS setup.
Make sure kernel.randomize_va_space enabled
Type the following command:
sysctl -w kernel.randomize_va_space=1
OR, edit the file /etc/sysctl.conf and append/modify as follows:
kernel.randomize_va_space = 1
The randomize_va_space can have any one of the following values:
0 – Do not randomize stack and vdso page.
1 – Turn on protection and randomize stack, vdso page and mmap.
2 – Turn on protection and randomize stack, vdso page and mmap + randomize brk base address.
I highly recommend that you read our faq “Linux Kernel /etc/sysctl.conf Security Hardening Via Sysctl” for more information.
See also
RHEL / CentOS / Fedora LinuxL Disable or Enable ExecShield Buffer Overflows Protection
Ubuntu security features
Man pages: sysctl(8),dmesg(1)