Go to main content

Securing Files and Verifying File Integrity in Oracle® Solaris 11.4

Exit Print View

Updated: August 2018
 
 

Protecting Executable Files From Compromising Security

Programs read and write data on the stack. Typically, they execute from read-only portions of memory that are specifically designated for code. Some attacks that cause buffers on the stack to overflow try to insert new code on the stack and cause the program to execute it. Removing execute permission from the stack memory prevents these attacks from succeeding. Most programs can function correctly without using executable stacks.

Programs can explicitly mark or prevent stack execution. The mprotect() function in programs explicitly marks the stack as executable. For more information, see the mprotect(2) man page.

For how to prevent stacks from being used by malicious programs, see Protecting the Process Heap and Executable Stacks From Compromise in Securing Systems and Attached Devices in Oracle Solaris 11.4.

To prevent system compromise by executables in a mounted filesystem, you can use the nosetuid and noexec arguments to the mount command. For more information, see the mount(8) man page.