HP-UX 11i Version 1.6 Release Notes
Chapter 6: Commands and System Calls

execve() System Calls

Documentation
The execve (2) and secure_sid_scripts (5) manpages have been updated accordingly; see
the manpage of each for more information.

Buffer Overflow Protection
With this release, applications are by default not allowed to execute code from their stack
segment. Executing injected code on the stack is one of the most common exploit
techniques on UNIX systems; disabling executable stacks protects against the buffer
overflow attacks that depend on it.
Details of Change
Beginning in HP-UX 11i v1.5, HP-UX supported a kernel tunable parameter,
executable_stack, that controlled whether applications were permitted to execute code
located on their stack(s). In the initial release, this protection was disabled by default
(that is, stacks remained executable) for maximum compatibility. In HP-UX 11i v1.6,
executable stacks are disabled by default, providing substantial protection from many
common security exploits without hurting system performance.
Impact
Well over 99% of legitimate applications will not be affected by this change. Some
legitimate Java-based applications may not function. Often, this is a sign that the
application is missing a critical Java security patch. A few legitimate applications that
use self-modifying code, such as some simulators and interpreters, may also be affected.
Compatibility
Any application that attempts to execute code on its stack(s) is terminated with a
SIGKILL signal. An error message, similar to the following, is generated to the
syslog.log file and to the controlling terminal of the offending process:
PID 18459 has been terminated. See the '+es enable' option of chatr(1).
If a message similar to this appears, the /var/adm/syslog/syslog.log will also
contain an error message similar to this:
UID 7 PID 18459 may have attempted a buffer overflow attack.
cmd: /abc/estack
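The two syslog.log lines above are the only record a terminated process leaves behind, so the simplest way to see how often the protection fires, and which binaries trigger it, is to parse them out of the log. The script below is an added example, not part of the release notes or of HP-UX; it assumes the usual syslog line prefix (timestamp, host, "vmunix:") ahead of the kernel message, and the sample lines, PIDs and paths it embeds are constructed.

```shell
#!/bin/sh
# Added example (not from the HP-UX release notes): summarize processes killed by
# the executable-stack protection, using the two syslog.log messages the kernel
# writes per event. The "vmunix:" syslog prefix is an assumption.

# Constructed sample syslog lines; not real log data. The UID/PID/cmd values
# mirror the format of the messages shown in the release notes.
SAMPLE_LOG='Mar  5 10:22:41 hpbox vmunix: UID 7 PID 18459 may have attempted a buffer overflow attack.
Mar  5 10:22:41 hpbox vmunix: cmd: /abc/estack
Mar  5 10:23:02 hpbox sshd[2211]: Accepted publickey for admin
Mar  5 10:25:17 hpbox vmunix: UID 104 PID 18502 may have attempted a buffer overflow attack.
Mar  5 10:25:17 hpbox vmunix: cmd: /opt/java1.3/bin/java
Mar  5 10:31:44 hpbox vmunix: UID 7 PID 18611 may have attempted a buffer overflow attack.
Mar  5 10:31:44 hpbox vmunix: cmd: /abc/estack'

# stack_kill_events: read syslog text on stdin and print one "UID PID CMD" line
# per kill. The "cmd:" line follows the kill message, so the UID and PID are
# held until the matching cmd line arrives (unrelated lines in between are skipped).
stack_kill_events() {
    awk '
        /may have attempted a buffer overflow attack/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "UID") uid = $(i + 1)
                if ($i == "PID") pid = $(i + 1)
            }
            pending = 1
            next
        }
        pending && /cmd: / {
            sub(/.*cmd: /, "")      # strip the syslog prefix and "cmd: " label
            print uid, pid, $0
            pending = 0
        }
    '
}

# stack_kill_summary: count kills per (UID, command), most frequent first.
# A recurring entry for a single legitimate binary is the one to investigate.
stack_kill_summary() {
    stack_kill_events | awk '{ n[$1 " " $3]++ }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Demo on the constructed sample; on a real system feed it
# /var/adm/syslog/syslog.log instead.
printf '%s\n' "$SAMPLE_LOG" | stack_kill_summary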
Performance
There is no impact to performance.
Obsolescence
Not applicable.
Documentation
Please refer to the Restricting Execute Permission on Stacks section of the chatr (1)
manpage, as well as, executable_stack (5) for additional advice on the use of this feature.