HPE Community
Operating System - HP-UX
1825775 Members
1968 Online
109687 Solutions
New Discussion

Re: Stop stack smashing attacks

 
Mark Ferraretto
Advisor

‎02-07-2001 03:38 AM

‎02-07-2001 03:38 AM

Stop stack smashing attacks

Hello all,

In sun solaris you can set a kernel parameter called noexec_user_stack which prevents an application's stack from being executable. This helps to prevent buffer overflow attacks. Is there an equivalent parameter that can be set in HP-UX? I'm running HP-UX 11.00.01 on a L2000

Thanks
Mark
0 Kudos
Reply
4 REPLIES 4
Cheryl Griffin
Honored Contributor

‎02-07-2001 05:13 AM

‎02-07-2001 05:13 AM

Re: Stop stack smashing attacks

Mark,
I checked many resources on this.... everything points to a security vulnerability on Solaris, nothing to HP-UX.

I checked with someone who works with kernel stacks and they also have not heard anything of noexec_user_stack OR of anything that makes a stack nonexecutable.

This simply means that currently there is no equivalent to noexec_user_stack in HP-UX and no documented need for it, as of current versions.
"Downtime is a Crime."
0 Kudos
Reply
Mark Ferraretto
Advisor

‎02-07-2001 06:04 PM

‎02-07-2001 06:04 PM

Re: Stop stack smashing attacks

Actually, I think that the vulnerability is a cross-platform one. All applications have a heap and a stack as part of their run-time structure. A stack-smashing attack inserts pointers into the stack and then uses code that executes the code the pointer in the stack refers to. This is a common buffer overflow attack.

A solution is to tell the kernel to make the stack non-executable. This means that code cannot be executed from the stack and so prevents the problem.

On Solaris, you tell the kernel to make the stack non-executable by setting the kernel parameter I described above. I was hoping there might be a similar type of parameter under HP-UX.

If the vulnerability is with Solaris only, then this means that the stack on HP-UX systems is non-executable by default. Can you confirm this?

Thanks
Mark
0 Kudos
Reply
Len Lattanzi
New Member

‎02-07-2001 09:21 PM

‎02-07-2001 09:21 PM

Re: Stop stack smashing attacks

Compile then run the attached GCC program. trampolines are on the stack. Even without executable stack the return address might be smashed to point to a dangerous location (say reboot!)
This example is derived from http://www.uwsg.iu.edu/hypermail/linux/kernel/0006.0/0703.html
0 Kudos
Reply
Magnus Ljung
Occasional Advisor

‎02-07-2001 11:57 PM

‎02-07-2001 11:57 PM

Re: Stop stack smashing attacks

FYI,

HP-UX 11i: New security features

executable_stack Kernel Parameter

It is now possible change the executable_stack tunable kernel parameter
to zero in order to protect program stacks against attacks that cause
buffer overflows.

You can change the executable_stack parameter as follows:

- Use the System Administration Manager (SAM) to change the parameter for
all programs.

- Use chatr(1) with its es option to change the parameter for specific programs.

Changes were made to the kernel execve() function, to virtual memory
code, and to the chatr(1) and elfdump(1) commands.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.