
News, tips, partners, and perspectives for the Oracle Solaris operating system

New Security Extensions in Oracle Solaris 11.3

Guest Author

In Solaris 11.3, we've expanded the security extensions framework to
give you more tools to defend your installations. In addition to Address
Space Layout Randomization (ASLR), we now offer tools to set a
non-executable stack (NXSTACK) and a non-executable heap (NXHEAP). We've
also improved the sxadm(1M) utility to make it easier to manage security
extension configurations.

NXSTACK

When NXSTACK is enabled, the process stack memory segment is marked
non-executable. This extension defends against attacks that rely on
injecting malicious code and executing it on the stack. You can also
configure NXSTACK to log each time a program tries to execute code on
the stack. Log entries are output to /var/adm/messages.

Very few non-malicious programs need to execute code on the stack, so
NXSTACK is enabled by default in Solaris 11.3. If you have a program
that needs to execute on the stack and you are able to recompile it, you
can pass the "-z nxstack=disable" flag to Solaris Studio. Otherwise, you
can use sxadm either to disable NXSTACK or set it to work only on tagged
binaries. Most core Solaris utilities are tagged for NXSTACK.
Note that NXSTACK takes the place of the "noexec_user_stack" and
"noexec_user_stack_log" entries in /etc/system. You can still use those
entries to configure non-executable stack, and they will take precedence
over any configuration of NXSTACK. However, they are considered
deprecated and you are encouraged to switch to using NXSTACK through sxadm.

NXHEAP

When NXHEAP is enabled, the brk(2)-based heap memory segment is marked
non-executable. This extension defends against attacks that rely on
injecting code and executing it from the heap. You can also configure
NXHEAP to log each time a program tries to execute code on the heap.
NXHEAP log entries are also written to /var/adm/messages.

Some programs (such as interpreters) do have legitimate reasons to
execute code from the heap, so NXHEAP is enabled by default only for
tagged binaries. Most core Solaris utilities are already tagged for
NXHEAP, and you can tag your own binaries by passing the linker flag "-z
nxheap=enable" when compiling with Solaris Studio. Of course, NXHEAP can
also be enabled or disabled globally with sxadm.

sxadm

We've made all sorts of improvements to sxadm in Solaris 11.3, so I'm
only going to focus on three new subcommands that will help you
configure the new security extensions.

sxadm get

"sxadm get" allows you to observe the properties of security extensions.
For example, NXSTACK and NXHEAP have log properties that show whether or
not logging is enabled for those extensions. You can query the log
property with:

$ sxadm get log nxstack nxheap
EXTENSION           PROPERTY                      VALUE
nxstack             log                           enable
nxheap              log                           enable

And you can get an easily parsable format by passing the "-p" flag:

$ sxadm get -p log nxstack nxheap
nxstack:log:enable
nxheap:log:enable

You can also query all properties (equivalent to "sxadm status") with:

$ sxadm get all
EXTENSION           PROPERTY                      VALUE
aslr                model                         tagged-files
nxstack             model                         all
--                  log                           enable
nxheap              model                         tagged-files
--                  log                           enable

sxadm set

"sxadm set" allows you to set individual properties of extensions
without needing to use "sxadm enable". For example, you can disable
NXSTACK logging with:

$ sxadm get log nxstack
EXTENSION           PROPERTY                      VALUE
nxstack             log                           enable
$ sxadm set log=disable nxstack
$ sxadm get log nxstack
EXTENSION           PROPERTY                      VALUE
nxstack             log                           disable

sxadm delcust

"sxadm delcust" allows you to restore the default configuration for one
or more security extensions. For example:

$ sxadm get all nxstack
EXTENSION           PROPERTY                      VALUE
nxstack             model                         tagged-files
--                  log                           disable
$ sxadm delcust nxstack
$ sxadm get all nxstack
EXTENSION           PROPERTY                      VALUE
nxstack             model                         all
--                  log                           enable

Of course, all of these new subcommands also work with ASLR, even though
it only has one "model" property. For example:

$ sxadm get all aslr
EXTENSION           PROPERTY                      VALUE
aslr                model                         tagged-files
$ sxadm set model=all aslr
$ sxadm get all aslr
EXTENSION           PROPERTY                      VALUE
aslr                model                         all
$ sxadm delcust aslr
$ sxadm get all aslr
EXTENSION           PROPERTY                      VALUE
aslr                model                         tagged-files
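As an added example (not from the original post), here is a POSIX shell script that parses the colon-separated "sxadm get -p" output described above, compares it with an assumed site baseline, and prints the "sxadm set" commands that would bring the host back to that baseline. The sample status text and the baseline are constructed for illustration; on a real Solaris 11.3 host the status would come from "sxadm get -p all".

```shell
#!/bin/sh
# Added example: audit security-extension properties against a baseline
# and emit the "sxadm set" commands needed to restore it. Not part of the
# original post; the baseline below is an assumed policy for illustration.

# Constructed sample of "sxadm get -p all" output (ext:property:value).
# On a real host replace this with:  SAMPLE_STATUS=$(sxadm get -p all)
SAMPLE_STATUS='aslr:model:tagged-files
nxstack:model:tagged-files
nxstack:log:disable
nxheap:model:tagged-files
nxheap:log:enable'

# Assumed baseline, one "ext:property:value" per line: NXSTACK enforced for
# every process with logging on, ASLR and NXHEAP at the Solaris defaults.
BASELINE='aslr:model:tagged-files
nxstack:model:all
nxstack:log:enable
nxheap:model:tagged-files
nxheap:log:enable'

# lookup EXT PROP  (status text on stdin): print the current value, or
# nothing if the extension/property pair is absent.
lookup() {
    awk -F: -v e="$1" -v p="$2" '$1 == e && $2 == p { print $3; exit }'
}

# drift STATUS BASELINE: print one "sxadm set PROP=VALUE EXT" line for
# every baseline entry whose current value differs; prints nothing when
# the host already matches the baseline.
drift() {
    printf '%s\n' "$2" | while IFS=: read -r ext prop want; do
        have=$(printf '%s\n' "$1" | lookup "$ext" "$prop")
        if [ "$have" != "$want" ]; then
            printf 'sxadm set %s=%s %s\n' "$prop" "$want" "$ext"
        fi
    done
}

# count_drift STATUS BASELINE: number of properties out of policy.
count_drift() {
    drift "$1" "$2" | awk 'END { print NR }'
}

# Run the audit on the constructed sample; pipe the output to sh to apply.
drift "$SAMPLE_STATUS" "$BASELINE"
```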

Conclusion

I hope you've enjoyed this quick introduction to all the work we've put
into the Security Extensions Framework for Solaris 11.3, and I hope
you're able to use some or all of it to meet your organization's
security needs. For a more detailed explanation of sxadm and the
individual security extensions, please see the sxadm(1M) man page.

Comments ( 1 )
  • guest Wednesday, November 11, 2015

    What's the difference between

    -M /usr/lib/ld/map.noexbss

    and

    -z nxheap=enable

    ?

