Passing more data to a program than its stack buffer can hold, so that the excess
overwrites the program stack, is called a stack buffer overflow attack. Usually, the data contains commands that the program is tricked
into executing. These attacks are used to gain unauthorized access
to the system, to destroy or alter data, or to cause denial of service
to legitimate users.
To monitor for stack buffer overflow attacks, watch for the following changes:
A setuid program executing other programs.
A program unexpectedly gaining a user ID of zero (0). The user ID of zero is reserved for the superuser (root) only.
To prevent stack buffer overflow attacks:
Set the executable_stack kernel tunable parameter to 0 (nonexecutable stacks).
Use the chatr +es command for individual programs that need an exception.
The executable_stack kernel
tunable parameter enables you to prevent a program from executing
code from its stack. This guards against an intruder passing illegal
data to a program, thereby causing the program to execute arbitrary
code from its program stack.
The executable_stack kernel
tunable parameter globally enables or disables stack buffer overflow
protection. A setting of 0 (zero) causes stacks
to be nonexecutable and is preferred for security reasons. By default,
for backward compatibility, executable_stack is set to 1, which allows stack execution and
therefore provides no protection. Use HP SMH or the kmtune command to change the value of executable_stack.
An additional way to manage stack buffer overflow
protection is to use the +es option of the chatr command. For example, if executable_stack is set to zero but a program does need to execute its stack, use
the following chatr command to allow stack execution
for that program:
# chatr +es enable program
For more information, see chatr(1), kmtune(1M), and executable_stack(5).
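The following POSIX shell script is an added example, not part of the HP documentation above. It ties the two mechanisms together as an audit: it reads the current executable_stack value from kmtune -q output, classifies it using the 0/1 meanings given above, prints the kmtune -s remediation when stacks are executable, and builds the exact per-program chatr +es override while rejecting anything other than enable or disable. The kmtune table layout (parameter name in the first column, current value in the second, planned value in the fourth) and the sample output are assumptions constructed for offline use; when kmtune is present on the host the live output is used instead.

```shell
#!/bin/sh
# Audit helper for the HP-UX executable_stack tunable and the chatr +es
# per-program override. Added example, not code from the HP documentation.
# ASSUMPTION: "kmtune -q executable_stack" prints a table with the parameter
# name in column 1, Current in column 2, Dyn in column 3, Planned in column 4.
# The sample below is constructed so the script runs where kmtune is absent.

SAMPLE_KMTUNE='Parameter             Current Dyn Planned                  Module     Version
===============================================================================
executable_stack            1  -  0'

# kmtune_current_value TEXT: extract the Current column for executable_stack
kmtune_current_value() {
    printf '%s\n' "$1" | awk '$1 == "executable_stack" { print $2; exit }'
}

# kmtune_planned_value TEXT: extract the Planned column for executable_stack
kmtune_planned_value() {
    printf '%s\n' "$1" | awk '$1 == "executable_stack" { print $4; exit }'
}

# audit_executable_stack VALUE: classify a tunable value using the meanings
# documented for executable_stack (0 = nonexecutable, 1 = executable/default)
audit_executable_stack() {
    case "$1" in
        0) echo "protected: stacks are nonexecutable" ;;
        1) echo "UNPROTECTED: stack execution allowed (default setting)" ;;
        *) echo "unknown executable_stack value '$1'; see executable_stack(5)"
           return 1 ;;
    esac
}

# chatr_es_command PROGRAM enable|disable: build the per-program override
# exactly as chatr(1) expects it; anything except the two keywords is refused
chatr_es_command() {
    case "$2" in
        enable|disable) echo "chatr +es $2 $1" ;;
        *) echo "usage: chatr_es_command PROGRAM enable|disable" >&2
           return 1 ;;
    esac
}

# run_audit: use live kmtune output when available, else the constructed sample
run_audit() {
    if command -v kmtune >/dev/null 2>&1; then
        out=$(kmtune -q executable_stack)
    else
        out=$SAMPLE_KMTUNE
    fi
    cur=$(kmtune_current_value "$out")
    planned=$(kmtune_planned_value "$out")
    echo "executable_stack current=$cur planned=$planned"
    audit_executable_stack "$cur"
    if [ "$cur" != "0" ]; then
        # kmtune -s sets the planned value; consult kmtune(1M) for whether a
        # kernel rebuild or reboot is needed on your release
        echo "remediation: kmtune -s executable_stack=0"
        echo "per-program exception, if a program must run stack code:"
        chatr_es_command /path/to/program enable
    fi
}

run_audit
```

Run it as root on the HP-UX host to audit the live setting; elsewhere it evaluates the constructed sample so the parsing and command construction can be checked before deployment. Keep the list of programs given a chatr +es enable exception short and reviewed, since each one reopens the stack-execution path the global setting closes.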