How to Prevent the Execution of Malicious Code From the Process Stack and Process Heap

For a description of the security risks of 32-bit executable stacks, see Protecting the Process Heap and Executable Stacks From Compromise.

  1. View the status of the nxstack and nxheap security extensions.

    For example, on a SPARC platform that supports ADI, the output is similar to the following:

    $ sxadm status
    EXTENSION           STATUS                        FLAGS
    adiheap             enabled (tagged-files)        u-c--
    adistack            enabled (tagged-files)        u-c--
    ...

    For parseable output, combine the -p option with -o and the list of fields to display:

    $ sxadm status -po extension,status,configuration
    aslr:enabled.tagged-files:enabled.default
    nxheap:enabled.tagged-files:enabled.default
    nxstack:enabled.all:enabled.default
    ...
  2. Return the nxheap and nxstack security extensions to the default.

    If the configuration of nxheap or nxstack is anything other than the default, delete the customization. For example, to reset nxheap and then confirm the result, you would run the following commands:

    # sxadm delcust nxheap
    # sxadm status
    aslr                enabled (tagged-files)        u-c--
    nxheap              enabled (tagged-files)        u-c--
    nxstack             enabled (all)                 u-c--

    Messages logged by nxheap and nxstack are written to the /var/adm/messages file.

  3. (Optional) To disable the logging of error messages, disable the log property.

    # sxadm set log=disable nxheap
    # sxadm set log=disable nxstack
    # sxadm get log
    EXTENSION           PROPERTY                      VALUE
    ...
    nxstack             log                           disable
    nxheap              log                           disable

Troubleshooting: If your nxstack setting is ignored, remove the noexec_user_stack and noexec_user_stack_log system variables from the /etc/system file. Then, enable the nxstack security extension again.

If you disable noexec_user_stack in the /etc/system file but do not remove the entry, binaries that are tagged continue to be protected. This tagged-files configuration lets the binaries that can only run with an executable stack keep working, while the stacks of all other processes stay protected from malicious code. For more information, see nxstack and noexec_user_stack Compatibility.
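
The following script is an added example and is not part of the Oracle Solaris documentation or of sxadm itself. It ties step 1, step 2 and the troubleshooting note together: it reads the parseable output of sxadm status -po extension,status,configuration, flags any nxheap or nxstack entry whose configuration field is not of the form <state>.default, scans /etc/system text for active noexec_user_stack and noexec_user_stack_log lines, and prints the commands an administrator would then run (sxadm delcust for each customized extension, then sxadm enable nxstack once the legacy tunables are gone). Both input samples are constructed inline; in particular the nxheap configuration value disabled.custom is a made-up non-default string, since the exact text sxadm prints for a customized extension is not shown on this page. The script only prints a plan and never calls sxadm, so it can be run on any POSIX shell.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: plan the
# nxheap/nxstack reset from (a) the parseable output of
# `sxadm status -po extension,status,configuration` and (b) /etc/system text.
# Nothing here executes sxadm; the plan is only printed.

# Constructed sample of `sxadm status -po extension,status,configuration`.
# The nxheap configuration field is a made-up non-default value; the real
# string sxadm prints for a customized extension is not shown on the page.
SAMPLE_STATUS='aslr:enabled.tagged-files:enabled.default
nxheap:enabled.tagged-files:disabled.custom
nxstack:enabled.all:enabled.default'

# Constructed sample of /etc/system with the legacy tunables still present.
SAMPLE_ETC_SYSTEM='* constructed /etc/system excerpt
set noexec_user_stack=0
set noexec_user_stack_log=1
* set noexec_user_stack=1   (a commented-out line must be ignored)'

# customized_nx: read extension:status:configuration lines on stdin and print
# the nxheap/nxstack extensions whose configuration is not "<state>.default".
customized_nx() {
    while IFS=: read -r ext _status config; do
        case "$ext" in
            nxheap|nxstack) ;;
            *) continue ;;          # other extensions are not our concern here
        esac
        case "$config" in
            *.default) ;;           # still at the system default: leave it
            *) printf '%s\n' "$ext" ;;
        esac
    done
}

# legacy_noexec_settings: print the active (uncommented) noexec_user_stack and
# noexec_user_stack_log settings found in /etc/system text read from stdin.
# Lines starting with "*" are /etc/system comments and are skipped.
legacy_noexec_settings() {
    grep -E '^[[:space:]]*set[[:space:]]+noexec_user_stack(_log)?[[:space:]]*=' || true
}

# nx_reset_plan STATUS_TEXT ETC_SYSTEM_TEXT: print, one per line, the actions
# that return nxheap/nxstack to the default and clear the /etc/system override.
nx_reset_plan() {
    for ext in $(printf '%s\n' "$1" | customized_nx); do
        printf 'sxadm delcust %s\n' "$ext"
    done
    legacy=$(printf '%s\n' "$2" | legacy_noexec_settings)
    if [ -n "$legacy" ]; then
        printf '%s\n' "$legacy" | while IFS= read -r line; do
            printf 'remove from /etc/system: %s\n' "$line"
        done
        # once the tunables are gone, re-enable the extension as the page says
        printf 'sxadm enable nxstack\n'
    fi
}

nx_reset_plan "$SAMPLE_STATUS" "$SAMPLE_ETC_SYSTEM"
```

On a live system you would feed the functions real data, for example sxadm status -po extension,status,configuration | customized_nx and legacy_noexec_settings < /etc/system, and review the printed plan before running sxadm delcust and editing /etc/system. The check on the configuration field is deliberately conservative: anything that does not end in .default is reported, so a customization is never silently left in place.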