Exec Shield
Exec Shield is a project started at Red Hat, Inc. in late 2002 with the aim of reducing the risk of worm or other automated remote attacks on Linux systems. The first result of the project was a security patch for the Linux kernel that emulates an NX bit on x86 CPUs that lack a native NX implementation in hardware. While the Exec Shield project has had many other components, some people refer to this first patch as Exec Shield.
The first Exec Shield patch attempts to flag data memory as non-executable and program memory as non-writeable. This suppresses many security exploits, such as those stemming from buffer overflows and other techniques that rely on overwriting data and inserting code into those structures. Exec Shield also supplies some address space layout randomization for the mmap and heap base.
The patch additionally increases the difficulty of inserting and executing shellcode, rendering most exploits of the time that relied on injected code ineffective. It does not, on its own, stop attacks that reuse code already mapped executable, such as return-to-libc. No application recompilation is necessary to fully utilize Exec Shield, although some applications (Mono, Wine, XEmacs, MPlayer) are not fully compatible.
Other features that came out of the Exec Shield project were the so-called Position Independent Executables (PIE), the address space randomization patch for Linux kernels, a wide set of glibc internal security checks that make heap and format string exploits considerably harder, the GCC Fortify Source feature, and the port and merge of the GCC stack-protector feature.
Implementation
Exec Shield works on all x86 CPUs by utilizing the Code Segment limit: the kernel keeps the CS limit just above the highest executable mapping in the process, so an instruction fetch from any page above it (the stack, in a normal layout) faults even though the page tables carry no NX bit. Because of the way Exec Shield works, it is very lightweight; however, it won't fully protect arbitrary virtual memory layouts. The limit is a single boundary, not a per-page attribute, so if the CS limit is raised, for example by calling mprotect to make higher memory executable, then the protections are lost below that limit. Ingo Molnar points this out in an e-mail conversation. Fortunately, most applications are fairly sane at this; the stack (the important part) at least winds up above any mapped libraries, so it doesn't become executable except by explicit calls by the application.
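To make the segment-limit mechanism concrete, here is an added model written for this page (it is an illustration, not Red Hat's kernel code): mappings are plain integer ranges, the emulated CS limit is recomputed as the end of the highest executable mapping, and an instruction fetch is permitted only below that limit. The layout, the addresses and the "JIT buffer" mapping are constructed assumptions chosen to resemble a 32-bit Exec Shield process. It shows the point made above: making a high mapping executable raises the limit and exposes everything below it (here, the heap), while the stack, which sits above, stays protected.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the Exec Shield segment-limit trick (illustration only). */
#define P_R 1u
#define P_W 2u
#define P_X 4u

struct vma { uintptr_t start, end; unsigned prot; };

struct mm {
    struct vma v[16];
    size_t n;
    uintptr_t cs_limit;   /* emulated code-segment limit (exclusive upper bound) */
};

/* The limit sits just above the highest mapping that carries PROT_EXEC. */
static void recompute_cs_limit(struct mm *m)
{
    uintptr_t lim = 0;
    for (size_t i = 0; i < m->n; i++)
        if ((m->v[i].prot & P_X) && m->v[i].end > lim)
            lim = m->v[i].end;
    m->cs_limit = lim;
}

static bool mm_map(struct mm *m, uintptr_t start, uintptr_t end, unsigned prot)
{
    if (m->n >= sizeof m->v / sizeof m->v[0] || start >= end) return false;
    m->v[m->n++] = (struct vma){ start, end, prot };
    recompute_cs_limit(m);
    return true;
}

/* mprotect on a whole mapping; adding PROT_EXEC to a high mapping raises the limit. */
static bool mm_mprotect(struct mm *m, uintptr_t start, unsigned prot)
{
    for (size_t i = 0; i < m->n; i++)
        if (m->v[i].start == start) {
            m->v[i].prot = prot;
            recompute_cs_limit(m);
            return true;
        }
    return false;
}

/* An instruction fetch succeeds only if the address is mapped readable AND
 * lies below the CS limit: there is no per-page execute bit in this model. */
static bool can_fetch(const struct mm *m, uintptr_t addr)
{
    if (addr >= m->cs_limit) return false;
    for (size_t i = 0; i < m->n; i++)
        if (addr >= m->v[i].start && addr < m->v[i].end)
            return (m->v[i].prot & P_R) != 0;
    return false;
}

/* Constructed layout (assumption): libraries low, program text above them,
 * heap and a writable buffer higher, stack at the top. */
static struct mm demo_layout(void)
{
    struct mm m = { .n = 0, .cs_limit = 0 };
    mm_map(&m, 0x00110000, 0x00200000, P_R | P_X);  /* shared libraries   */
    mm_map(&m, 0x08048000, 0x0804c000, P_R | P_X);  /* program text       */
    mm_map(&m, 0x0804c000, 0x08100000, P_R | P_W);  /* heap               */
    mm_map(&m, 0xb7f00000, 0xb7f10000, P_R | P_W);  /* e.g. a JIT buffer  */
    mm_map(&m, 0xbffe0000, 0xc0000000, P_R | P_W);  /* stack              */
    return m;
}

static uintptr_t demo_initial_limit(void) { return demo_layout().cs_limit; }

/* True if the heap becomes fetchable once the high JIT buffer is made executable. */
static bool heap_exposed_after_high_mprotect(void)
{
    struct mm m = demo_layout();
    bool before = can_fetch(&m, 0x08050000);   /* heap, below the limit? no */
    mm_mprotect(&m, 0xb7f00000, P_R | P_X);    /* limit rises to 0xb7f10000 */
    bool after = can_fetch(&m, 0x08050000);    /* heap is now below the limit */
    return !before && after;
}

/* True if the stack stays unfetchable both before and after that mprotect. */
static bool stack_stays_protected(void)
{
    struct mm m = demo_layout();
    bool before = can_fetch(&m, 0xbfff0000);
    mm_mprotect(&m, 0xb7f00000, P_R | P_X);
    bool after = can_fetch(&m, 0xbfff0000);
    return !before && !after;
}

int main(void)
{
    struct mm m = demo_layout();
    printf("cs_limit=%#lx heap=%d stack=%d\n", (unsigned long)m.cs_limit,
           can_fetch(&m, 0x08050000), can_fetch(&m, 0xbfff0000));
    mm_mprotect(&m, 0xb7f00000, P_R | P_X);
    printf("after mprotect: cs_limit=%#lx heap=%d stack=%d\n", (unsigned long)m.cs_limit,
           can_fetch(&m, 0x08050000), can_fetch(&m, 0xbfff0000));
    return 0;
}
```

The model deliberately has no per-page execute bit, which is exactly why the single boundary leaks: on a real NX-capable CPU the same mprotect would affect only the buffer's own pages.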
As of August 2004, nothing from the Exec Shield project attempts to enforce memory protections by restricting mprotect on any architecture; although memory may not initially be executable, it may become executable later, so the kernel will allow an application to mark memory pages as both writable and executable at the same time. However, in cooperation with the Security Enhanced Linux project (SELinux), the standard policy for the Fedora Core distribution does prohibit this behavior (the execmem permission) for most executables, with only a few exceptions for compatibility reasons.
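The practical check that follows from the two paragraphs above, and from the writable-versus-executable split described in the introduction, is to look for mappings that are writable and executable at once, and to see whether the running kernel and policy let a process create one. The following is an added example, not part of the original article or of Exec Shield: it parses the /proc/PID/maps format, audits the calling process, and attempts the rw- to rwx transition with mprotect, treating EACCES or EPERM as a policy denial such as SELinux's execmem check. The sample listing is constructed, not captured from a real system, and /usr/bin/example is a placeholder name.

```c
#define _DEFAULT_SOURCE          /* expose MAP_ANONYMOUS on glibc under strict -std */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* One line of /proc/PID/maps: "start-end perms offset dev inode path".
 * Returns true if the permission field carries both 'w' and 'x'. */
static bool maps_line_is_wx(const char *line)
{
    unsigned long lo, hi;
    char perms[8] = {0};
    if (sscanf(line, "%lx-%lx %7s", &lo, &hi, perms) != 3) return false;
    return strchr(perms, 'w') != NULL && strchr(perms, 'x') != NULL;
}

/* Count W+X mappings in a newline-separated maps listing held in memory. */
static int count_wx_mappings(const char *maps_text)
{
    int n = 0;
    const char *p = maps_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char buf[256];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, p, len);
        buf[len] = '\0';
        if (maps_line_is_wx(buf)) n++;
        if (!nl) break;
        p = nl + 1;
    }
    return n;
}

/* Constructed sample listing (assumption, not captured from a real host):
 * a 32-bit-style layout in which the heap has been left rwx. */
static const char SAMPLE_MAPS[] =
    "00110000-0012b000 r-xp 00000000 03:01 12345      /lib/ld-linux.so.2\n"
    "0012b000-0012c000 rw-p 0001b000 03:01 12345      /lib/ld-linux.so.2\n"
    "08048000-0804c000 r-xp 00000000 03:01 67890      /usr/bin/example\n"
    "0804c000-0804d000 rw-p 00003000 03:01 67890      /usr/bin/example\n"
    "0804d000-08070000 rwxp 00000000 00:00 0          [heap]\n"
    "bffe0000-c0000000 rw-p 00000000 00:00 0          [stack]\n";

/* Audit the calling process. Returns the number of W+X mappings, printing each,
 * or -1 if /proc/self/maps is unavailable (non-Linux). */
static int audit_self(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512];
    int n = 0;
    while (fgets(line, sizeof line, f)) {
        if (maps_line_is_wx(line)) { n++; fputs(line, stdout); }
        if (!strchr(line, '\n')) {            /* overlong path: discard the rest */
            int c;
            while ((c = fgetc(f)) != EOF && c != '\n') ;
        }
    }
    fclose(f);
    return n;
}

/* The transition the text describes: a page that starts rw- asks to become rwx.
 * Returns 1 if the kernel allowed it, 0 if policy (e.g. SELinux execmem) refused
 * with EACCES/EPERM, -1 on any other failure. */
static int try_make_wx(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0) return -1;
    void *p = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    int rc = mprotect(p, (size_t)pg, PROT_READ | PROT_WRITE | PROT_EXEC);
    int err = errno;
    munmap(p, (size_t)pg);
    if (rc == 0) return 1;
    return (err == EACCES || err == EPERM) ? 0 : -1;
}

int main(void)
{
    printf("W+X regions in constructed sample: %d\n", count_wx_mappings(SAMPLE_MAPS));
    printf("W+X regions in this process: %d\n", audit_self());
    printf("rw- -> rwx via mprotect: %d (1=allowed, 0=denied by policy)\n", try_make_wx());
    return 0;
}
```

On a host where the process's SELinux domain is denied execmem, try_make_wx() returns 0 and SELinux logs an AVC denial; for an unconfined process it returns 1, which is the behaviour the paragraph above attributes to the bare Exec Shield kernel.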
History
Exec Shield was developed by various people at Red Hat; the first patch, by Ingo Molnar of Red Hat, was released in May 2003. It is part of Fedora Core 1 through 6 and Red Hat Enterprise Linux 3 (Update 3) and 4. Other people involved include Jakub Jelínek, Ulrich Drepper, Richard Henderson and Arjan van de Ven.