Go to main content

Securing Systems and Attached Devices in Oracle® Solaris 11.4

Exit Print View

Updated: July 2019
 
 

Enabling Inheritance of Security Extension Status

The –i option to the sxadm exec command enables or disables the inheritance of a security extension's configuration.

Example 4  Illustrating Security Extension Inheritance

    This example illustrates inheriting and not inheriting the configuration of the ASLR security extension.

  1. Disable ASLR only for this shell.

    # sxadm exec -s aslr=disable /bin/bash
  2. Verify the randomized heap address from this shell.

    The repeated pmap self command from this shell shows a randomized heap address.

  3. # pmap self | grep heap
    00000054BF32E000 8K rw---i- [ heap ]
    00000054BF330000 64K rw---i- [ heap ]
    # pmap self | grep heap
    0000005B50708000 32K rw---i- [ heap ]
    # pmap self | grep heap
    000000A48D30E000 8K rw---i- [ heap ]
    000000A48D310000 64K rw---i- [ heap ]
  4. Run a shell with ASLR disabled for the shell and any descendant by using the –i option.

    # sxadm exec -i -s aslr=disable /bin/bash
  5. The repeated pmap self command from this shell shows a constant heap address with ASLR disabled:

    # pmap self | grep heap
    0000000080000000         64K rw---i-    [ heap ]
    # pmap self | grep heap
    0000000080000000         64K rw---i-    [ heap ]
    # pmap self | grep heap
    0000000080000000         64K rw---i-    [ heap ]
Example 5  Determining Whether a Binary is Protected by a Security Extension

You can use the elfdump -d command to determine whether a particular binary is compiled with security extensions. The security extensions must be enabled on the system for the binary to be protected. The following output indicates the extensions that are enabled, disabled, and not supported on this hardware:

$ sxadm status
EXTENSION           STATUS                        FLAGS
adiheap             enabled (tagged-files)        u-c--
adistack            enabled (tagged-files)        u-c--
aslr                enabled (tagged-files)        u-c--
hw_bti              enabled                       ---r-
hw_ssb              not supported                 -----
kadi                disabled                      -kcr-
nxheap              enabled (tagged-files)        u-c--
nxstack             enabled (all)                 u-c-- 

The following output shows that the cat command and the ipsecconf command are protected by security extensions.

$ elfdump -d /bin/cat | grep SUNW_SX
     [33]  SUNW_SX_ASLR     0x2        ENABLE
     [34]  SUNW_SX_NXHEAP   0x2        ENABLE
     [35]  SUNW_SX_NXSTACK  0x2        ENABLE
$ elfdump -d /usr/sbin/ipsecconf | grep SUNW_SX
     [35]  SUNW_SX_ASLR     0x2        ENABLE
     [36]  SUNW_SX_NXHEAP   0x2        ENABLE
     [37]  SUNW_SX_NXSTACK  0x2        ENABLE

The following output shows that the userland binaries for DHCP and Secure Shell are protected by security extensions.

$ elfdump -d /usr/sbin/dhcpagent | grep SUNW_SX
     [52]  SUNW_SX_ASLR     0x2        ENABLE
     [53]  SUNW_SX_NXHEAP   0x2        ENABLE
     [54]  SUNW_SX_NXSTACK  0x2        ENABLE
$ elfdump -d /usr/bin/ssh | grep SUNW_SX
     [43]  SUNW_SX_ASLR     0x2        ENABLE
     [44]  SUNW_SX_NXHEAP   0x2        ENABLE
     [45]  SUNW_SX_NXSTACK  0x2        ENABLE