executable_stack(5) Page 1 of 2

United States-English

Search:
More options
» Contact HP
i Manual n
j
k
l
m
n j Technical documentation - English n
k
l
m j All of HP US
k
l
m
HP-UX Reference > e

executable_stack(5)
Tunable Kernel Parameters
HP-UX 11i Version 1.6: June 2002

» Technical documentation » Table of Contents » Index

» Feedback
« prev next »

NAME

executable_stack — controls whether program stacks are executable by default

VALUES

Failsafe

Default

Allowed values

0-2

Recommended values

0-2

DESCRIPTION

This tunable parameter controls whether program stacks are executable by default. It allows systems
to be configured to have extra protection from stack buffer overflow attacks without sacrificing system
performance. This class of attack very commonly attempts to trick privileged programs into
performing unauthorized actions or giving unauthorized access. Background information on this type
of attack is available on the web by searching for 'Smashing the Stack for Fun and Profit.'

The majority of programs that run on HP-UX do not need to execute code located on their stacks. A
few programs, notably some simulators, interpreters and older versions of Java, may have a
legitimate reason to execute code from their stacks. These programs typically have self-modifying
code. Using a combination of this tunable and the +es option of the chatr command permits such
executables to function without sacrificing protection for the rest of the system.

Refer to the 'Restricting Execute Permission on Stacks' section of the chatr(1) manpage for more
information before changing this tunable.

Who is Expected to Change This Tunable?

Anyone.

Restrictions on Changing

Changes to this tunable take effect for new processes started after the change.

When Should the Value of This Tunable Be Changed?

This tunable controls operational modes rather than data structure sizes and limits. The appropriate
setting for a system depends on whether you consider security or compatibility to be most important.

A value of 1 is compatible with previous releases of HP-UX, but it is the least secure. This setting
permits the execution of potentially malicious code located on a program's stack.

A value of 2 provides warnings about any program attempting to execute code on its stacks, but does
not alter the program's behavior. Suspicious activity is logged in the kernel's message buffers. (See

http://docs.hp.com/en/B3921-90010/executable_stack.5.html 10/19/2010
executable_stack(5) Page 2 of 2

dmesg(1M).) This is a 'trial mode' setting intended to allow you to safely determine whether a tunable
value of 0 would affect any legitimate application.

A tunable value of 0 is the recommended setting on systems where a higher level of security is
important. This is essentially the same as a setting of 2, but it will also terminate any process that
attempts to execute code on its stacks. The process will be terminated before the potentially
malicious code is executed.

What Are the Side Effects of Changing the Value

This tunable has no effect on system behavior unless an application attempts to execute instructions
located on its stacks. The majority of HP-UX applications are not programmed to do this.

What Other Tunable Values Should Be Changed at the Same Time?

None.

WARNINGS

None. All HP-UX kernel tunable parameters are release specific. This parameter may be removed or
have its meaning changed in future releases of HP-UX.

AUTHOR

executable_stack was developed by HP.

« prev next »

eqmemsize f

Printable version

Privacy statement Using this site means you accept its terms Feedback to webmaster
© 1983-2002 Hewlett-Packard Development Company, L.P.

http://docs.hp.com/en/B3921-90010/executable_stack.5.html 10/19/2010