One of the most common security threats to information systems and the data they protect arises when an attacker is able to alter their identity and, in doing so, gain control over system resources. Historically, attackers have favored buffer overflows as the attack vector for altering their identity: on UNIX systems a buffer overflow is typically exploited so that the attacker can assume the identity of the root user. AIX 5L 5300-03 introduces Stack Execution Disable (SED), which prevents the successful exploitation of many types of buffer overflows.
Buffer overflows are the result of programming oversights and can be found at every level of the software stack. An attacker exploits a buffer overflow by injecting malicious code into one of the process's memory segments (the stack, heap or data segment, none of which normally holds executable code) and then redirecting execution to that code, which runs with the privileges of the compromised process; for a setuid root program, that means as root. As with any security issue, there are several ways to mitigate the risk introduced by buffer overflows. Preventing the processor from executing code in those segments stops this class of exploit in its tracks. SED uses functionality introduced in the POWER4 family of processors to mark those process memory segments non-executable. If an attacker attempts to run injected code, the hardware raises an exception and SED terminates the offending program. Note that SED does not prevent the overflow itself; it stops the injected code from executing, so an overflow that only corrupts data or redirects control into code that is already executable is not stopped by SED.
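To make the mechanism concrete, the following C program (an added example written for this page, not IBM code, and not AIX-specific: it uses the POSIX mmap/sigaction interfaces and runs on any Linux or UNIX host with a no-execute-capable processor) does in miniature what SED relies on the hardware to do. It copies a constructed "return 42" machine-code stub, standing in for an attacker's payload, into a freshly mapped page and calls it twice: once with the page mapped read/write only, the state SED enforces for the stack, heap and data segments, and once with execute permission, which is what a JIT legitimately needs and why such programs must be exempted. The first call ends in a hardware fault, caught here with a signal handler so the program can report it instead of dying the way a SED-protected process would; the second call runs and returns 42.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcome of trying to run code placed in a freshly mapped page. */
enum exec_result {
    EXEC_BLOCKED = 1,      /* processor faulted: the page is not executable */
    EXEC_RAN_OK = 2,       /* stub ran and returned 42 */
    EXEC_MAP_DENIED = 3,   /* kernel refused to create an executable mapping */
    EXEC_UNEXPECTED = 4    /* mapping or return value not as expected */
};

/* Constructed machine code for "return 42" on the host architecture; it
 * stands in for the payload an attacker would inject into a buffer. */
#if defined(__x86_64__)
static const unsigned char ret42_code[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 }; /* mov eax,42; ret */
#elif defined(__aarch64__)
static const uint32_t ret42_code[] = { 0x52800540u, 0xd65f03c0u };              /* mov w0,#42; ret */
#elif defined(__powerpc64__) || defined(__powerpc__)
static const uint32_t ret42_code[] = { 0x3860002au, 0x4e800020u };              /* li r3,42; blr */
#else
#error "add the 'return 42' encoding for this architecture"
#endif

static sigjmp_buf fault_env;
static volatile sig_atomic_t last_fault_signal;

/* Runs when the hardware exception for executing a non-executable page is
 * delivered to the process as a signal; a SED-protected process would simply
 * be terminated at this point. */
static void on_fault(int sig) {
    last_fault_signal = sig;
    siglongjmp(fault_env, 1);
}

/* Copy the stub into a new anonymous page and call it.
 * allow_exec == 0: page is read/write only, the state SED enforces for the
 *                  stack, heap and data segments of a protected process.
 * allow_exec != 0: page is also executable, what a JIT legitimately needs. */
enum exec_result run_from_page(int allow_exec) {
    long pagesz = sysconf(_SC_PAGESIZE);
    int prot = PROT_READ | PROT_WRITE | (allow_exec ? PROT_EXEC : 0);
    void *page = mmap(NULL, (size_t)pagesz, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return allow_exec ? EXEC_MAP_DENIED : EXEC_UNEXPECTED;

    memcpy(page, ret42_code, sizeof ret42_code);
    /* Make sure the instruction cache sees the new bytes (a no-op on x86). */
    __builtin___clear_cache((char *)page, (char *)page + sizeof ret42_code);

    /* Catch the fault raised when fetching instructions from a non-executable page. */
    struct sigaction sa, old_segv, old_ill, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGILL, &sa, &old_ill);
    sigaction(SIGBUS, &sa, &old_bus);

    enum exec_result result;
    last_fault_signal = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*stub)(void);
        memcpy(&stub, &page, sizeof stub);   /* data pointer -> function pointer */
        result = (stub() == 42) ? EXEC_RAN_OK : EXEC_UNEXPECTED;
    } else {
        result = EXEC_BLOCKED;               /* arrived here via siglongjmp from on_fault */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, (size_t)pagesz);
    return result;
}

int main(void) {
    enum exec_result rw = run_from_page(0);
    if (rw == EXEC_BLOCKED)
        printf("code in a read/write page:  blocked, hardware fault caught (signal %d)\n",
               (int)last_fault_signal);
    else
        printf("code in a read/write page:  ran (no no-execute protection on this host!)\n");

    enum exec_result rwx = run_from_page(1);
    printf("code in an executable page: %s\n",
           rwx == EXEC_RAN_OK ? "ran and returned 42" :
           rwx == EXEC_MAP_DENIED ? "executable mapping refused by system policy" : "unexpected");
    return 0;
}
```

The read/write-only page is the interesting case: the bytes are present and correct, but the processor refuses to fetch them as instructions, so an attacker who has already overwritten a return address gains nothing from the payload. On a host whose policy forbids creating writable-and-executable mappings altogether, the second call is refused at mmap time, a stricter stance than SED's per-program exemption.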
SED is highly flexible and configurable. It offers the following features:
- The sedmgr command provides a central administration interface for SED.
- System administrators can activate SED system wide or for a specific list of programs. For example, SED can be activated for all setuid/setgid programs, the programs an attacker most wants to subvert. There are also cases where a program has a legitimate reason to execute code in a memory segment that normally does not contain executable code. For example, many Java implementations use JIT (just-in-time) compilation to produce executable code at run time; for these applications to work, they must be allowed to execute code produced on the fly. SED can exempt such applications while still enforcing restrictions on all other applications.
- SED can be used in a monitoring mode. Instead of terminating a program, SED records the program that caused the exception so that a system administrator can investigate further. This allows a system to be tuned, for example by identifying applications that need an exemption, before SED is enforced in a production environment. The same feature can be used in a honeypot or padded-cell environment to study an attacker's actions.
- SED can be used with any application. As stated earlier, buffer overflow conditions can exist at any level of the software stack, and the sedmgr command allows system administrators to activate SED protection for any program.
- SED is integrated with existing operating system facilities such as Error Logging and the Trusted Computing Base (TCB). SED uses the AIX Error Logging facility to record suspicious activity. This information can be used to uncover attacks in progress or during computer security incident investigations.
- SED protects against several types of buffer overflow exploits, including stack-based and heap-based attacks.
For more information regarding SED, see the AIX Security Guide and the sedmgr command documentation.
