Configuring and Using Kernel Security Mechanisms

The Linux kernel features some extra security mechanisms that enhance the security of a system. These mechanisms randomize the layout of the address space for a process or prevent code from being run in non-executable memory.

Address Space Layout Randomization

Address Space Layout Randomization (ASLR) can help defeat certain types of buffer overflow attacks. ASLR places the base, libraries, heap, and stack at random positions in a process's address space, which makes it difficult for an attacking program to predict the memory address of the next instruction. ASLR is built into the Linux kernel and is controlled by the parameter /proc/sys/kernel/randomize_va_space. The randomize_va_space parameter can take the following values:

  • 0: Disable ASLR. This setting is applied if the kernel is booted with the norandmaps boot parameter.

  • 1: Randomize the positions of the stack, virtual dynamic shared object (VDSO) page, and shared memory regions. The base address of the data segment is immediately after the end of the executable code segment.

  • 2: Randomize the positions of the stack, VDSO page, shared memory regions, and the data segment. This is the default setting.

You can change the setting temporarily by writing a new value to /proc/sys/kernel/randomize_va_space, for example:

echo value | sudo tee /proc/sys/kernel/randomize_va_space

To change the value permanently, add this setting to /etc/sysctl.conf:

kernel.randomize_va_space = value

Then, run the sysctl -p command.

If you change the value of randomize_va_space, it's considered good practice to test the application stack to ensure that it's compatible with the new setting.

You can optionally disable ASLR for a specific program and its child processes:

setarch `uname -m` -R program [args ...]

Data Execution Prevention or No eXecute

The Data Execution Prevention (DEP) feature, also known as No eXecute (NX), prevents an application or service from executing code in a non-executable memory region. Hardware-enforced DEP works in conjunction with the NX bit on compatible CPUs to help prevent certain types of buffer overflow attacks. This feature uses hardware capabilities to protect the system, so it's enabled by default and can't be disabled.

Oracle Linux doesn't emulate the NX bit in software for CPUs that don't implement the NX bit in hardware.

Position Independent Executables

The Position Independent Executables (PIE) feature loads executable binaries at random memory addresses so that the kernel can disallow text relocation. Developers can use this feature to code applications that load at different memory addresses each time the application loads, making it more difficult for an attacker to predict where the application is stored in memory, thereby helping to protect against memory-related exploits.

To generate a position-independent binary:

  • Specify the -fpie option to gcc when compiling.

  • Specify the -pie option to ld when linking.

To test whether a binary or library has been built with PIE enabled, run the following command:

sudo readelf -d elfname | grep -i flags

When the binary was linked as a PIE by a toolchain that records the flag, the output includes a FLAGS_1 entry showing PIE. By default, binaries on Oracle Linux 8 are built with this flag set, unless there's a specific reason not to do so, such as a compile issue resulting from setting this option.
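The readelf check above depends on the linker having recorded the PIE flag. The following added example (not part of the Oracle documentation) performs the equivalent check directly on the ELF header, where a PIE binary or shared library has type ET_DYN rather than ET_EXEC, and also reads the PT_GNU_STACK program header, which is how a binary asks the loader for an executable stack despite NX. The function and file names are this example's own.

```python
import struct

ELFMAG = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551          # program header carrying the requested stack permissions
PF_X = 0x1

def inspect_elf(data):
    """Parse an ELF image; report whether it is ET_DYN (PIE or shared library) and whether it requests an executable stack."""
    if data[:4] != ELFMAG:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"   # ELFDATA2LSB or ELFDATA2MSB
    e_type, = struct.unpack_from(endian + "H", data, 16)
    if ei_class == 2:                        # ELFCLASS64: 64-byte header, 56-byte program headers
        e_phoff, = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
        flags_off = 4                        # p_flags directly follows p_type in a 64-bit phdr
    elif ei_class == 1:                      # ELFCLASS32: 52-byte header, 32-byte program headers
        e_phoff, = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
        flags_off = 24                       # p_flags sits near the end of a 32-bit phdr
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    exec_stack = None                        # None: no PT_GNU_STACK, so the loader applies its default
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(endian + "I", data, base)
        if p_type == PT_GNU_STACK:
            p_flags, = struct.unpack_from(endian + "I", data, base + flags_off)
            exec_stack = bool(p_flags & PF_X)
    return {
        "bits": 64 if ei_class == 2 else 32,
        "pie": e_type == ET_DYN,             # PIE executables are ET_DYN; fixed-address ones are ET_EXEC
        "exec_stack": exec_stack,
    }

def inspect_file(path):
    with open(path, "rb") as f:
        return inspect_elf(f.read())

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        r = inspect_file(path)
        print("%s: %d-bit, PIE/ET_DYN=%s, executable stack=%s"
              % (path, r["bits"], r["pie"], r["exec_stack"]))
```

Run it as `python3 elfcheck.py /usr/bin/* 2>/dev/null` to audit installed binaries; an executable stack reported as True is worth investigating, because it reintroduces exactly the executable writable memory that NX is meant to remove.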