4.15. Protecting against buffer overflows
Buffer overflow is the name of a common attack on software which makes use of insufficient boundary checking (a programming error, most commonly in the C language) in order to execute machine code through program inputs. These attacks, against server software which listens to connections remotely and against local software which grants higher privileges to users (setuid or setgid), can result in the compromise of any given system.

There are mainly four methods to protect against buffer overflows:

- patch the kernel to prevent stack execution. You can use either Exec-shield, OpenWall or PaX (included in the Grsecurity and Adamantix patches).
- fix the source code by using tools to find fragments of it that might introduce this vulnerability.

Debian GNU/Linux, as of the 3.0 release, provides software to introduce all of these methods except for the protection on source code compilation (but this has been requested in http://bugs.debian.org/213994).

Notice that even if Debian provided a compiler which featured stack/buffer overflow protection, all packages would need to be recompiled in order to introduce this feature. This is, in fact, what the Adamantix distribution does (among other features). The effect of this new feature on the stability of software is yet to be determined (some programs or some processor architectures might break due to it).

If you want to test out your buffer overflow protection once you have implemented it (regardless of the method), you might want to install paxtest and run the tests it provides.

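As a quick sanity check to run alongside paxtest, the following added example (not paxtest's code, nor anything shipped by Debian) reads the Linux /proc/self/maps file and reports whether the calling process's stack mapping carries the execute bit, which is what a non-executable-stack kernel patch is supposed to remove. It assumes a Linux /proc; the two sample maps lines in main() are constructed. It checks only the stack mapping's permission flags and is a complement to, not a replacement for, the broader set of tests paxtest performs.

```c
#include <stdio.h>
#include <string.h>

/*
 * Parse one line of /proc/<pid>/maps (format: "start-end perms offset
 * dev inode pathname") and classify it.
 *   1  -> this is the [stack] mapping and it carries the execute bit
 *   0  -> this is the [stack] mapping and it is not executable
 *  -1  -> not a stack mapping (or unparsable)
 */
int stack_line_executable(const char *line)
{
    unsigned long start, end;
    char perms[8];

    if (sscanf(line, "%lx-%lx %7s", &start, &end, perms) != 3)
        return -1;
    /* "[stack]" for the main thread; older kernels also showed
     * "[stack:<tid>]" for thread stacks, so match the prefix only. */
    if (strstr(line, "[stack") == NULL)
        return -1;
    /* perms is "rwxp"-style; the third character is the execute flag */
    return perms[2] == 'x' ? 1 : 0;
}

/*
 * Walk the calling process's own mappings and report the stack's
 * execute permission. Returns 1 (executable), 0 (not executable) or
 * -1 if /proc is unavailable or no stack mapping was found.
 */
int self_stack_executable(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int result = -1;

    if (f == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        int r = stack_line_executable(line);
        if (r >= 0) {
            result = r;
            break;
        }
    }
    fclose(f);
    return result;
}

int main(void)
{
    /* Constructed sample lines, shaped like real /proc/self/maps output. */
    const char *noexec = "7ffd1c2f0000-7ffd1c311000 rw-p 00000000 00:00 0 [stack]";
    const char *exec   = "7ffd1c2f0000-7ffd1c311000 rwxp 00000000 00:00 0 [stack]";

    printf("constructed rw-p stack line -> %d\n", stack_line_executable(noexec));
    printf("constructed rwxp stack line -> %d\n", stack_line_executable(exec));

    switch (self_stack_executable()) {
    case 1:  puts("this process: stack is EXECUTABLE"); break;
    case 0:  puts("this process: stack is not executable"); break;
    default: puts("this process: could not read /proc/self/maps"); break;
    }
    return 0;
}
```

Compile and run it on the patched kernel; a result of 1 for the running process means the stack is still mapped executable and the protection is not in effect for that binary.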
4.15.1. Kernel patch protection for buffer overflows
Kernel patches related to buffer overflows include the Openwall patch, which provides protection against buffer overflows in 2.2 Linux kernels. For 2.4 or newer kernels, you need to use the Exec-shield implementation, or the PaX implementation (provided in the grsecurity patch, kernel-patch-2.4-grsecurity, and in the Adamantix patch, kernel-patch-adamantix). For more information on using these patches read Section 4.14, “Adding kernel patches”.

4.15.2. Testing programs for overflows
The use of tools to detect buffer overflows requires, in any case, programming experience in order to fix (and recompile) the code. Debian provides, for example, bfbtester (a buffer overflow tester that brute-forces binaries through command line and environment overflows). Other packages of interest are rats, pscan, flawfinder and splint.
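To make concrete what "fix the code" means once a scanner such as rats or flawfinder has flagged a fragment, here is an added C example (not code from the manual or from any of the listed packages). It shows the unbounded copy these tools report beside the bounded replacement; the function names and the 16-byte name buffer are hypothetical choices for the illustration, and the default input in main() is constructed.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* fixed-size destination buffer used below */

/*
 * The pattern the source scanners report: strcpy() copies until the
 * terminating NUL of src without regard to the size of dst, so any input
 * of NAME_LEN bytes or more writes past the buffer. Kept as the "before"
 * of the fix; it is not called on oversized input anywhere in this file.
 */
void copy_name_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);
}

/*
 * The fix: the caller passes the destination capacity and the function
 * refuses input that does not fit (including the NUL). Returning an
 * error is preferable to silent truncation, which can hide the problem
 * and create a different bug (a name that is not what the user sent).
 * Returns 0 on success, -1 if src does not fit.
 */
int copy_name_safe(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);

    if (dst_len == 0 || n >= dst_len)
        return -1;
    memcpy(dst, src, n + 1);    /* n + 1 copies the terminating NUL */
    return 0;
}

/* Wrapper with a NAME_LEN stack buffer so the bounds check can be
 * exercised without the caller managing the buffer. Returns the
 * copy_name_safe() result. */
int name_fits(const char *src)
{
    char name[NAME_LEN];
    return copy_name_safe(name, sizeof name, src);
}

int main(int argc, char **argv)
{
    char name[NAME_LEN];
    const char *input = argc > 1 ? argv[1] : "alice";   /* constructed default */

    if (copy_name_safe(name, sizeof name, input) != 0) {
        fprintf(stderr, "name too long (max %d characters)\n", NAME_LEN - 1);
        return 1;
    }
    printf("hello, %s\n", name);
    return 0;
}
```

Running flawfinder or rats over this file still reports the strcpy() in copy_name_unsafe(); the point of the exercise is that the scanner only locates the fragment, and the programmer has to replace it with a copy whose length is checked against the destination, then recompile.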