Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8223307

enable the Stack Execution Disable flag for JDK binaries on AIX

XMLWordPrintable

    • Icon: Enhancement Enhancement
    • Resolution: Fixed
    • Icon: P3 P3
    • 13
    • 13
    • infrastructure
    • None
    • b21
    • ppc
    • aix

      AIX supports a binary hardening option called SED, see :

      https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.security/stack_exec_disable.htm

      System wide configuration can be done with the sedmgr tool :

      https://www.ibm.com/support/knowledgecenter/en/ssw_aix_72/com.ibm.aix.cmds5/sedmgr.htm

      The system-wide configuration supports various modes, very often "select" mode is configured where
      binaries can opt-in to use SED :

      select:
      Only a select set of files are enabled and monitored for SED protection. The select set of files are chosen by reviewing the SED related flags in the executable program binary headers.
      The executable program header enables SED related flags to request to be included in the select mode.


      We can set a linker option on AIX to configure "select" mode for the JDK binaries; our tests show that this does not "kill" the JIT (jitted code).

      changed binary shows then the opt-in flag ("request" ) :

      bash-4.4$ sedmgr -d /rs6000_64/nightly/output-jdk-test/images/jdk/bin/java
      /rs6000_64/nightly/output-jdk-test/images/jdk/bin/java : request

      while the unchanged binary does not have the flag set ("system") :

      bash-4.4$ sedmgr -d /rs6000_64/nightly/output-jdk11-test/images/jdk/bin/java
      /rs6000_64/nightly/output-jdk11-test/images/jdk/bin/java : system

            mbaesken Matthias Baesken
            mbaesken Matthias Baesken
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: