Preventing security breaches with ExecShield

ExecShield is designed to prevent security breaches caused by software programs written to crawl
through the Internet looking for systems with common vulnerabilities such as worms and viruses. It is enabled in the kernel and works in a way that is non intrusive to the user. Its goal is not to defend against the expert hacker who has broken into your local network or an employee inside the company who already has access to parts of the network. Its goal is to prevent against intruders using scripts that look for vulnerabilities in the way a program running with root privileges is written.

How ExecShield works

One of the ExecShield memory-management techniques is using random memory locations each time a program is started. Using random memory locations prevents worms or viruses from knowing which parts of memory to overwrite with executables that breach the security of the system.

For example, if the same memory location is used by a program every time the program is run, a hacker can write a virus that waits until the program has written to memory and then overwrites that part of the memory. When the program goes to execute the instructions in memory at a later time, the virus has already overwritten it, and the code from the virus is executed instead. The virus code is executed with whatever permissions the program has. If the program is being run as the root user, significant damage can be done to the system or confidential data stored on the system can be sent to another computer over the network on the Internet.

ExecShield combats this with two features:
. Ascii Zone
. Address Space Randomization

Determinig status of ExecShield

ExecShield is enabled by default in the Red Hat Enterprise Linux kernel. To verify that ExecShield is enabled, execute the following command:
# cat /proc/sys/kernel/exec-shield
If it returns the value of 1, ExecShield is enabled. The value of 0 means it is disabled. You can also determine the status of ExecShield by executing the following command, but this command must be run as the root user:
# sysctl -a | grep exec-shield
If it returns the following, ExecShield is enabled:
kernel.exec-shield = 1
Again, a value of 0 indicates that ExecShield is disabled.

Disabling ExecShield

ExecShield can be disabled by using sysctl or modifying the boot loader configuration file to set the exec-shield kernel parameter to 0.

To disable ExecShield using sysctl, execute the following command:
# sysctl -w kernel.exec-shield=0
ExecShield is disabled immediately. However, executing this command alone does not disable ExecShield on subsequent reboots. To disable ExecShield for all reboots, add the following line to /etc/sysctl.conf (as root):
kernel.exec-shield = 0
Changes made to this file are not enabled until a reboot occurs, because the file is only read once during system startup. To enable the change immediately, the sysctl -w kernel.exec-shield=0 command still needs to be executed.

Another way to disable ExecShield at boot time is to add a boot parameter and value to the boot loader configuration file. For x86 and x86_64 systems that use GRUB as the boot loader, append the following line to the kernel line in /etc/grub.conf (as root):
exec-shield=0
NOTE: If the same boot parameter is set in /etc/grub.conf and in /etc/sysctl.conf, the value from sysctl.conf takes precedence. If you add boot parameters to the GRUB configuration file, make sure there aren’t any conflicting settings in /etc/sysctl.conf.