chatr_ia(1)                         Integrity Systems Only                         chatr_ia(1)

If the stack protection feature described in this section is enabled for a program and that program
attempts to execute code from its stack(s), the HP-UX kernel will terminate the program with a SIGKILL
signal, display a message referring to this manual page section, and log an error message to the system
message log (use dmesg to view the error message). The message logged by the kernel is:

     WARNING: UID # may have attempted a buffer overflow attack. PID #
     (program_name) has been terminated. See the '+es enable' option of
     chatr(1).

If you see one of these messages, check with the program’s owner to determine whether this program is
legitimately executing code from its stack. If it is, you can use one or both of the methods described below
to make the program functional again. If the program is not legitimately executing code from its stack,
you should suspect malicious activity and take appropriate action.
HP-UX provides two options to permit legitimate execution from a program’s stack(s). Combinations of
these two options help make site-specific tradeoffs between security and compatibility.
The first method is the use of the +es option of chatr and affects individual programs. It is typically
used to specify that a particular binary must be able to execute from its stack, regardless of the system
default setting. This allows a restrictive system default while not preventing legitimate programs from
executing code on their stack(s). Ideally this option should be set (if needed) by the program’s provider, to
minimize the need for manual intervention by whomever installs the program.
An alternate method is setting the kernel tunable parameter, executable_stack, to set a system-wide
default for whether stacks are executable. Setting the executable_stack parameter to 1 (one) with
sam (see sam(1M)) tells the HP-UX kernel to allow programs to execute on the program stack(s).
Use this setting if compatibility with older releases is more important than security. Setting the
executable_stack parameter to 0 (zero), the recommended setting, is appropriate if security is more
important than compatibility. This setting significantly improves system security with minimal, if any,
negative effects on legitimate applications.
Combinations of these settings may be appropriate for many applications. For example, after setting
executable_stack to 0, you may find that one or two critical applications no longer work because
they have a legitimate need to execute from their stack(s). Programs such as simulators or interpreters
that use self-modifying code are examples you might encounter. To obtain the security benefits of a
restrictive system default while still letting these specific applications run correctly, set
executable_stack to 0, and run chatr +es enable on the specific binaries that need to execute
code from their stack(s). These binaries can be easily identified when they are executed, because they
will print error messages referring to this manual page.
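An added example, not part of this manual page, of how an administrator can triage those kernel messages: a POSIX sh script that scans dmesg output for the WARNING line quoted above and lists the UID, PID and program name of each terminated process, so that the distinct program names can be checked with their owners before chatr +es enable is applied to anything. The dmesg lines are constructed sample input and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of dmesg output; not real kernel log data.  The two WARNING
# lines follow the message format documented in chatr_ia(1); the middle line is
# unrelated noise that the filter must ignore.
sample_dmesg() {
    cat <<'EOF'
WARNING: UID 1045 may have attempted a buffer overflow attack. PID 2291 (simrun) has been terminated. See the '+es enable' option of chatr(1).
vmunix: unrelated kernel message that must be ignored
WARNING: UID 0 may have attempted a buffer overflow attack. PID 2302 (lispi) has been terminated. See the '+es enable' option of chatr(1).
EOF
}

# Read kernel log text on stdin and print one "uid pid program" line for each
# process the kernel killed for executing from its stack.  Only lines matching
# the full message shape are accepted, so other WARNING lines are not reported.
stack_exec_events() {
    awk '/^WARNING: UID [0-9]+ may have attempted a buffer overflow attack\. PID [0-9]+ \([^)]+\) has been terminated/ {
        uid = $3
        for (i = 4; i <= NF; i++) {
            if ($i == "PID") { pid = $(i + 1); prog = $(i + 2); break }
        }
        sub(/^\(/, "", prog)        # strip the parentheses around program_name
        sub(/\)$/, "", prog)
        print uid, pid, prog
    }'
}

# Distinct program names to review with their owners (one per line, sorted).
# Only after an owner confirms a legitimate need should the binary get
# "chatr +es enable"; otherwise the event should be treated as suspicious.
programs_to_review() {
    stack_exec_events | awk '{ print $3 }' | sort -u
}

# Stand-alone usage on the constructed sample (on a live system: dmesg | stack_exec_events)
sample_dmesg | stack_exec_events
sample_dmesg | programs_to_review
```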
The possible settings for executable_stack are as follows:

     executable_stack = 0 (default)
          A setting of 0 (the default value) causes stacks to be non-executable and is strongly
          preferred from a security perspective.

     executable_stack = 1
          A setting of 1 causes all program stacks to be executable, and is safest from a
          compatibility perspective but is the least secure setting for this parameter.

     executable_stack = 2
          A setting of 2 is equivalent to a setting of 0, except that it gives non-fatal warnings
          instead of terminating a process that is trying to execute from its stack. Using this
          setting is helpful for users to gain confidence that using a value of 0 will not hurt
          their legitimate applications. Again, there is less security protection.

The table below summarizes the results from using the possible combinations of chatr +es and
executable_stack when executing from the program's stack. Running chatr +es disable relies
solely on the setting of the executable_stack kernel tunable parameter when deciding whether or
not to grant execute permission for stacks and is equivalent to not having run chatr +es on the binary.
Hewlett-Packard Company - 4 - HP-UX 11i Version 3: September 2010