1. Securing Systems and Attached Devices in Oracle Solaris 11.4
  2. Protecting Oracle Solaris System Integrity
  3. Protecting Against Malware With Security Extensions
  4. ADI-Based Stack Protection Using adistack

ADI-Based Stack Protection Using adistack

The SPARC M7, SPARC M8, SPARC S7, SPARC T7, and SPARC T8 processors support Application Data Integrity (ADI), a hardware feature that helps prevent software exploitation threats such as linear buffer overflows and stray pointer dereferences.

The adistack security extension manages and supports ADI-based detection of stack buffer overflows. These overflows can overwrite the register save area of a stack frame in a SPARC 64-bit user process. When active, adistack, together with ADI, leverages SPARC register window spill and fill handling to detect this type of buffer overflow and generate SEGV signals.

adistack is not enabled by default. Applications can enable adistack through binary tagging, supported by the following linker option: 

-z sx=adistack[=enable|disable]

For more information about this option, see Example 2-3, Specifying Per-Object Security Extensions and the ld(1) man page.

Note:

The model=all property is not supported for adistack because some applications or interpreted languages may directly read or modify their own stack. In particular, C++ and Java applications do not yet support adistack.

For more information, see Protecting Against Malware With Security Extensions and the sxadm(8) man page.

Example 2-3 Compiling an Application With adistack Enabled

Using a basic makefile with the linker option, this example specifies adistack as a per-object security extension with the extension mode set to enable.

Specify a makefile rule that describes a dependency and how to resolve it as follows:

CFLAGS=-m64 -O
LDFLAGS = -z sx=adistack=enable

prog: prog.o
	${CC} ${CFLAGS} ${LDFLAGS} -o prog prog.o

In this example:

  • The CFLAGS variable specifies that the object created will be a 64-bit object.

  • The LDFLAGS variable enables adistack as a security extension for the object created.

  • The prog binary depends on the existence of the prog.o object file. prog.o depends on prog.c.

Using the preceding makefile rule, you can execute the following command to fulfill the dependencies and create the prog binary with adistack enabled: 

$ make

Without writing the makefile rule, you would execute the following commands to enable adistack: 

$ cc -m64 -O  -c  prog.c
$ cc -m64 -O -z sx=adiheap=enable -o prog prog.o

For more information, see the make(1S) and the cc(1) man pages.