Researchers investigate executable stack issues in Linux systems

The paper, titled 'Too Subtle to Notice: Investigating Executable Stack Issues in Linux Systems,' was delivered in Session 6D on Software Security: Vulnerability Detection during the Network and Distributed System Security Symposium (NDSS) 2025. Historically, code injection via buffer overflows was a common attack vector, but the adoption of write-xor-execute (W^X) protections largely prevented writable-and-executable memory, mitigating such threats.

Despite these advancements, the researchers identified recurring instances where software developers inadvertently disable W^X, restoring executable stacks in popular applications. Each case has been patched, yet the pattern persists in modern development. To explore this, Ye and Hu conducted two key investigations. First, they evaluated program-hardening tools, finding that even experienced security developers often miss critical steps to prevent executable stacks. Notably, 11 tools implemented as inlined reference monitors (IRMs) introduced executable stacks into all 'hardened' applications.

Second, the study analyzed W^X enforcement across Linux's compilation toolchain, kernel, and loader. This process demands tight coordination among multiple components, forming a complex chain of trust for stack protection. A frequent oversight occurs when developers, including security researchers, neglect the GNU-stack section in assembly code, unintentionally enabling executable stacks.

The findings outline potential attacker exploitation paths and offer mitigation recommendations to strengthen Linux security practices. NDSS, which promotes practical advancements in network and distributed system security, hosted the presentation to foster better implementation of security technologies.