# Exec Shield

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Exec_Shield
> Markdown URL: https://mediated.wiki/source/Exec_Shield.md
> Source: https://en.wikipedia.org/wiki/Exec_Shield
> Source revision: 1268856958
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

Project aiming to reduce the risk of attacks on Linux systems


**Exec Shield** is a project started at [Red Hat](/source/Red_Hat), Inc in late 2002 with the aim of reducing the risk of worm or other automated remote attacks on Linux systems. The first result of the project was a [security](/source/Computer_security) patch for the [Linux kernel](/source/Linux_(kernel)) that emulates an [NX bit](/source/NX_bit) on [x86](/source/X86) [CPUs](/source/Central_processing_unit) that lack a native NX implementation in hardware. While the Exec Shield project has had many other components, some people refer to this first patch as Exec Shield.

The first Exec Shield patch attempts to flag data memory as non-executable and program memory as non-writeable. This suppresses many [security exploits](/source/Exploit_(computer_science)), such as those stemming from [buffer overflows](/source/Buffer_overflow) and other techniques relying on overwriting data and inserting code into those structures. Exec Shield also supplies some [address space layout randomization](/source/Address_space_layout_randomization) for the [mmap](/source/Mmap)() and heap base.

The patch additionally increases the difficulty of inserting and executing [shellcode](/source/Shellcode), rendering most exploits ineffective. No application recompilation is necessary to fully utilize exec-shield, although some applications ([Mono](/source/Mono_(software)), [Wine](/source/Wine_(software)), [XEmacs](/source/XEmacs), [Mplayer](/source/Mplayer)) are not fully compatible.

Other features that came out of the Exec Shield project were [Position Independent Executables](/source/Position-independent_code) (PIE), the address space randomization patch for Linux kernels, a wide set of glibc internal security checks that make heap and format string exploits nearly impossible, the GCC [Fortify Source](https://en.wikipedia.org/w/index.php?title=Fortify_Source&action=edit&redlink=1) feature, and the port and merge of the GCC [stack-protector](/source/Buffer_overflow_protection#GCC_Stack-Smashing_Protector_.28ProPolice.29) feature.

## Implementation

Exec Shield works on all x86 CPUs by using the Code Segment (CS) limit. Because of the way it works, it is very lightweight; however, it cannot fully protect arbitrary [virtual memory](/source/Virtual_memory) layouts. If the CS limit is raised, for example by a call to mprotect() that makes higher memory executable, the protection is lost for everything below that limit. [Ingo Molnar](/source/Ingo_Molnar) points this out in an e-mail conversation. Most applications are fairly sane in this respect: the stack (the important part) at least ends up above any mapped libraries, so it does not become executable except through explicit calls by the application.

As of August 2004, nothing from the Exec Shield project attempts to enforce memory protections by restricting [mprotect](/source/Mprotect)() on any architecture: although memory may not initially be executable, it may become executable later, because the kernel allows an application to mark memory pages as both writable and executable at the same time. However, in cooperation with the [Security-Enhanced Linux](/source/Security-Enhanced_Linux) project (SELinux), the standard policy for the [Fedora Core](/source/Fedora_(operating_system)) distribution does prohibit this behavior for most executables, with only a few exceptions for compatibility reasons.
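A small W^X audit built around the two points above, written for this page and not taken from the Exec Shield project: it scans `/proc/<pid>/maps` text for regions mapped both writable and executable (and for an executable stack), and probes whether this host lets a process turn a writable anonymous page executable with mprotect(), the transition Exec Shield itself leaves to SELinux policy. The sample maps text is constructed and the function names are my own.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Pull the perms field ("rwxp") out of one /proc/<pid>/maps line. */
static int parse_perms(const char *line, char perms[5]) {
    unsigned long start, end;
    return sscanf(line, "%lx-%lx %4s", &start, &end, perms) == 3;
}

/* Count W+X regions in a maps dump; flag whether [stack] itself is executable. */
int count_wx_regions(const char *maps, int *stack_exec) {
    int wx = 0; *stack_exec = 0;
    for (const char *p = maps; *p;) {
        char line[256], perms[5];
        size_t len = strcspn(p, "\n"), n = len < sizeof line ? len : sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += len + (p[len] == '\n');            /* advance past this line */
        if (!parse_perms(line, perms)) continue;
        if (perms[1] == 'w' && perms[2] == 'x') wx++;
        if (perms[2] == 'x' && strstr(line, "[stack]")) *stack_exec = 1;
    }
    return wx;
}

/* RW -> RWX transition on an anonymous page: 1 = allowed, 0 = refused
 * (e.g. the SELinux execmem denial described above), -1 = mmap failed. */
int probe_rwx_mprotect(void) {
    long pg = sysconf(_SC_PAGESIZE);
    void *m = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    int allowed = mprotect(m, pg, PROT_READ | PROT_WRITE | PROT_EXEC) == 0;
    munmap(m, pg);
    return allowed;
}

/* Constructed sample maps text (not captured from a real system). */
const char *SAMPLE_MAPS =
    "08048000-0804c000 r-xp 00000000 03:01 12345 /usr/bin/demo\n"
    "b7e00000-b7f00000 rwxp 00000000 00:00 0\n"
    "bffeb000-c0000000 rw-p 00000000 00:00 0 [stack]\n";

int main(void) {
    int stack_exec, wx = count_wx_regions(SAMPLE_MAPS, &stack_exec);
    printf("sample: W+X regions=%d, stack executable=%d; RW->RWX mprotect allowed on this host=%d\n",
           wx, stack_exec, probe_rwx_mprotect());
    return 0;
}
```

To audit a live process, feed the contents of its `/proc/<pid>/maps` to `count_wx_regions` instead of the sample; on a host with the Fedora SELinux execmem restriction in force the probe returns 0 for confined executables.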

## History

Exec Shield was developed by various people at Red Hat; the first patch, by [Ingo Molnar](/source/Ingo_Molnar) of Red Hat, was released in May 2003. It is part of Fedora Core 1 through 6 and of Red Hat Enterprise Linux since version 3.[1][2] Other people involved include Jakub Jelínek, [Ulrich Drepper](https://en.wikipedia.org/w/index.php?title=Ulrich_Drepper&action=edit&redlink=1), Richard Henderson and Arjan van de Ven.

Molnar commented in 2007 on [LWN.net](/source/LWN.net) that "bits of [exec-shield] went upstream, but a fair chunk didn't."[3]

## See also

- [Free and open-source software portal](https://en.wikipedia.org/wiki/Portal:Free_and_open-source_software)

- [NX bit](/source/NX_bit)

- [Openwall](/source/Openwall)

- [StackGuard](/source/StackGuard)

- [W^X](/source/W%5EX)

## References

1. ["Fedora Core 1 Release Notes"](https://web.archive.org/web/20031202145058/http://fedora.redhat.com/docs/release-notes/). *Red Hat, Inc*. November 2003. Archived from [the original](https://docs.fedoraproject.org/release-notes/fc1/x86/) on 2003-12-02. Retrieved 2007-10-18.

2. van de Ven, Arjan (August 2004). ["New Security Enhancements in Red Hat Enterprise Linux v.3, update 3"](https://web.archive.org/web/20050512030425/http://www.redhat.com/f/pdf/rhel/WHP0006US_Execshield.pdf) (PDF). *Red Hat, Inc*. Archived from [the original](http://www.redhat.com/f/pdf/rhel/WHP0006US_Execshield.pdf) (PDF) on 2005-05-12. Retrieved 2007-10-18.

3. ["time it takes to get a project into the upstream kernel \[LWN.net\]"](https://lwn.net/Articles/242912/). *lwn.net*.

## External links

- [Ingo Molnar's Exec Shield patch web page](http://people.redhat.com/mingo/exec-shield/) [Archived](https://web.archive.org/web/20160304193747/http://people.redhat.com/mingo/exec-shield/) 2016-03-04 at the [Wayback Machine](/source/Wayback_Machine), includes documentation in the file [ANNOUNCE-exec-shield](http://people.redhat.com/mingo/exec-shield/ANNOUNCE-exec-shield) [Archived](https://web.archive.org/web/20040805092843/http://people.redhat.com/mingo/exec-shield/ANNOUNCE-exec-shield) 2004-08-05 at the [Wayback Machine](/source/Wayback_Machine)

- [Newsforge Feature Article](https://web.archive.org/web/20050207064757/http://www.newsforge.com/os/03/05/02/1914223.shtml?tid=23)

- [Red Hat Magazine Feature/Project Article](https://web.archive.org/web/20070208094418/http://www.redhat.com/magazine/009jul05/features/execshield/)

- [Negative security issues with ExecShield](http://seclists.org/dailydave/2007/q2/107)


---
Adapted from the Wikipedia article [Exec Shield](https://en.wikipedia.org/wiki/Exec_Shield) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Exec_Shield?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
