3.7 Enable Stack Protection - nxheap

Information

Buffer overflow exploits have been the basis for many highly publicized compromises and
defacements of large numbers of Internet connected systems. Many of the automated tools
in use by system attackers exploit well-known buffer overflow problems in vendor-
supplied and third party software.

Rationale:

Enabling stack protection prevents certain classes of buffer overflow attacks and is a
significant security enhancement. However, this does not protect against buffer overflow
attacks that do not execute code on the stack (such as return-to-libc exploits). While
most of the Solaris OS is already configured to employ a non-executable stack, this setting is
still recommended to provide a more comprehensive solution for both Solaris and other
software that may be installed.

Solution

To enable stack protection and block stack-smashing attacks, run the following:

# sxadm delcust nxheap

# sxadm delcust nxstack

See Also

https://workbench.cisecurity.org/files/2582