By Kris Kooi-Oracle on Jul 07, 2015
In Solaris 11.3, we've expanded the security extensions framework to give you more tools to defend your installations. In addition to Address Space Layout Randomization (ASLR), we now offer tools to set a non-executable stack (NXSTACK) and a non-executable heap (NXHEAP). We've also improved the sxadm(1M) utility to make it easier to manage security extension configurations.
When NXSTACK is enabled, the process stack memory segment is marked non-executable. This extension defends against attacks that rely on injecting malicious code and executing it on the stack. You can also configure NXSTACK to log each time a program tries to execute code on the stack. Log entries are output to /var/adm/messages.
Very few legitimate programs need to execute code on the stack, so NXSTACK is enabled by default in Solaris 11.3 for all binaries. If you have a program that needs to execute on the stack and you are able to rebuild it, you can pass the linker flag "-z nxstack=disable" when building it with Solaris Studio. Otherwise, you can use sxadm either to disable NXSTACK entirely or to set its model to "tagged-files" so that it is enforced only for binaries tagged at link time. Most core Solaris utilities are tagged for NXSTACK.
Note that NXSTACK takes the place of the "noexec_user_stack" and "noexec_user_stack_log" entries in /etc/system. You can still use those entries to configure non-executable stack, and they will take precedence over any configuration of NXSTACK. However, they are considered deprecated and you are encouraged to switch to using NXSTACK through sxadm.
When NXHEAP is enabled, the brk(2)-based heap memory segment is marked non-executable. This extension defends against attacks that rely on injecting code and executing it from the heap. You can also configure NXHEAP to log each time a program tries to execute code on the heap. NXHEAP log entries are also written to /var/adm/messages.
Some programs (such as interpreters that generate code at run time) do have legitimate reasons to execute code from the heap, so NXHEAP is enabled by default only for tagged binaries. Most core Solaris utilities are already tagged for NXHEAP, and you can tag your own binaries by passing the linker flag "-z nxheap=enable" when linking with Solaris Studio. Of course, NXHEAP can also be enabled or disabled globally with sxadm.
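If you want to confirm from inside a process that these two extensions are actually in effect, rather than trusting the configuration alone, a small probe does it: copy a single "ret" instruction onto the stack and onto the heap and try to call it. Where the region is non-executable the call faults with SIGSEGV; where it is executable the instruction simply returns. The program below is an added example written for this post, not code from the original article or from Oracle. It assumes x86 or AArch64 instruction encodings (other targets report -1), and it assumes a small malloc(3C) allocation comes from the brk(2) heap, which is the region NXHEAP covers. On a Solaris 11.3 host with the defaults described above, an untagged build of this probe should report the stack as non-executable and the heap as executable; link it with "-z nxheap=enable" (or set the NXHEAP model to all with sxadm) and the heap check should flip. Each faulting attempt is exactly the kind of event the log property records in /var/adm/messages when logging is enabled.

```c
/*
 * nx_probe.c: added example, not from the original post or from Oracle.
 * Checks whether the two regions NXSTACK and NXHEAP protect, the stack
 * and the brk(2)-based heap, can be executed from inside this process.
 * A single "ret" instruction is copied into each region and called: if
 * the region is non-executable the call faults and the probe reports 0;
 * if it returns normally the probe reports 1.
 */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Machine code for a bare "ret"; only these encodings are included. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char ret_insn[] = { 0xc3 };                   /* ret */
#elif defined(__aarch64__)
static const unsigned char ret_insn[] = { 0xc0, 0x03, 0x5f, 0xd6 }; /* ret, little-endian */
#else
#define NX_PROBE_UNSUPPORTED 1
static const unsigned char ret_insn[] = { 0x00 };
#endif

/* Room for the instruction, aligned well enough for instruction fetch. */
union probe_buf {
    unsigned char bytes[64];
    long double align;
};

static sigjmp_buf probe_env;

static void probe_fault(int sig)
{
    (void)sig;
    siglongjmp(probe_env, 1);   /* back into try_execute; signal mask restored */
}

/*
 * Copy the instruction into region and try to execute it there.
 * Returns 1 if it ran, 0 if the CPU refused (SIGSEGV/SIGBUS/SIGILL),
 * -1 on an unsupported architecture.
 */
static int try_execute(unsigned char *region)
{
#ifdef NX_PROBE_UNSUPPORTED
    (void)region;
    return -1;
#else
    struct sigaction sa, old_segv, old_bus, old_ill;
    union { void *obj; void (*fn)(void); } code;   /* object -> function pointer */
    volatile int ran = 0;

    memcpy(region, ret_insn, sizeof ret_insn);
#if defined(__GNUC__)
    /* Keep the instruction cache coherent with the bytes just written. */
    __builtin___clear_cache((char *)region, (char *)region + sizeof ret_insn);
#endif

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    sigaction(SIGILL, &sa, &old_ill);

    if (sigsetjmp(probe_env, 1) == 0) {
        code.obj = region;
        code.fn();          /* faults here unless the region is executable */
        ran = 1;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    return ran;
#endif
}

/* Can this process execute code on its stack? (NXSTACK denies this.) */
int stack_is_executable(void)
{
    union probe_buf buf;                 /* lives in this frame, on the stack */
    return try_execute(buf.bytes);
}

/* Can this process execute code on its heap? (NXHEAP denies this.)
 * Assumption: a small malloc() is served from the brk(2) heap. */
int heap_is_executable(void)
{
    unsigned char *buf = malloc(sizeof(union probe_buf));
    int r;
    if (buf == NULL)
        return -1;
    r = try_execute(buf);
    free(buf);
    return r;
}

static const char *verdict(int r)
{
    return r == 1 ? "EXECUTABLE" : r == 0 ? "non-executable" : "unsupported";
}

int main(void)
{
    printf("stack: %s\n", verdict(stack_is_executable()));
    printf("heap:  %s\n", verdict(heap_is_executable()));
    return 0;
}
```

Run it once under each sxadm model you care about (the default, then after "sxadm set model=all nxheap", then after "sxadm delcust nxheap") and compare the verdicts with what "sxadm get all" says; a mismatch usually means the binary's own tag, or a deprecated /etc/system entry, is overriding the sxadm configuration.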
We've made all sorts of improvements to sxadm in Solaris 11.3, so I'm only going to focus on three new subcommands that will help you configure the new security extensions.
"sxadm get" allows you to observe the properties of security extensions. For example, NXSTACK and NXHEAP have log properties that show whether or not logging is enabled for those extensions. You can query the log property with:
$ sxadm get log nxstack nxheap
EXTENSION  PROPERTY  VALUE
nxstack    log       enable
nxheap     log       enable
And you can get an easily parsable format by passing the "-p" flag:
$ sxadm get -p log nxstack nxheap
nxstack:log:enable
nxheap:log:enable
You can also query all properties (equivalent to "sxadm status") with:
$ sxadm get all
EXTENSION  PROPERTY  VALUE
aslr       model     tagged-files
nxstack    model     all
--         log       enable
nxheap     model     tagged-files
--         log       enable
"sxadm set" allows you to set individual properties of extensions without needing to use "sxadm enable". For example, you can disable NXSTACK logging with:
$ sxadm get log nxstack
EXTENSION  PROPERTY  VALUE
nxstack    log       enable
$ sxadm set log=disable nxstack
$ sxadm get log nxstack
EXTENSION  PROPERTY  VALUE
nxstack    log       disable
"sxadm delcust" allows you to restore the default configuration for one or more security extensions. For example:
$ sxadm get all nxstack
EXTENSION  PROPERTY  VALUE
nxstack    model     tagged-files
--         log       disable
$ sxadm delcust nxstack
$ sxadm get all nxstack
EXTENSION  PROPERTY  VALUE
nxstack    model     all
--         log       enable
Of course, all of these new subcommands also work with ASLR, even though it only has one "model" property. For example:
$ sxadm get all aslr
EXTENSION  PROPERTY  VALUE
aslr       model     tagged-files
$ sxadm set model=all aslr
$ sxadm get all aslr
EXTENSION  PROPERTY  VALUE
aslr       model     all
$ sxadm delcust aslr
$ sxadm get all aslr
EXTENSION  PROPERTY  VALUE
aslr       model     tagged-files
I hope you've enjoyed this quick introduction to all the work we've put into the Security Extensions Framework for Solaris 11.3, and I hope you're able to use some or all of it to meet your organization's security needs. For a more detailed explanation of sxadm and the individual security extensions, please see the sxadm(1M) man page.