
.note.GNU-stack (2010) - networked
http://en.chys.info/2010/12/note-gnu-stack/
======
userbinator
Couldn't they have just used a bit in the header to indicate this, instead of
requiring an entire section description (despite it being empty)? I believe
there are some unused bits in ELF headers.

I do RE so I've inspected many binaries, and my impression is that the amount
of "GNU promotion", for lack of a better word, in ELFs seems much higher than
what Windows' toolchains will do for PEs. "GNU-stack" is entirely non-
descriptive; something like "NXstack" would make more sense to me. There are
also lots of sections (even in a linked, executable binary), lots of text
auxillary information that isn't used (but can offer thumbprinting/forensic
opportunities --- or risks, depending on your perspective), and overall
_why!?_ design decisions like this one. Maybe it's just my bias because I
started with PE, but I'm of the opinion that it's more straightforward than
ELF --- especially some features like dynamic linking.

~~~
geofft
"GNU" is a vendor prefix, not advertising. If you look at Solaris binaries,
you'll see a lot of "SUNW". (And you'll occasionally see "SUNW" on GNU
binaries for things that they adopted from Sun.)

The ELF standard (which GNU does not control, as 'sveiss said) says this is
what a note section is for:

 _" Sometimes a vendor or system builder needs to mark an object file with
special information that other programs will check for conformance,
compatibility, etc. Sections of type SHT_NOTE and program header elements of
type PT_NOTE can be used for this purpose. [...] There is no formal mechanism
for avoiding name conflicts. By convention, vendors use their own name, such
as 'XYZ Computer Company,' as the identifier."_

(If you want to argue that they should have named it ".note.GNU-noexecstack",
I wouldn't disagree.)

~~~
DSMan195276
> (If you want to argue that they should have named it ".note.GNU-
> noexecstack", I wouldn't disagree.)

The presence of that alone won't make the stack noexec, the status of the
stack is determined by whether or not the `executable` flag is set on that
section. So calling it the `stack` makes sense, since it in-effect just
represents the stack itself, which isn't normally mentioned in the ELF binary.

------
to3m
Another note about .note.GNU-stack, from Ian Lance Tayler:
[http://www.airs.com/blog/archives/518](http://www.airs.com/blog/archives/518)

He has a 20-part series on linkers that may also be of interest, though I
suppose since they were written some of the details may have changed:

Part 1:
[http://www.airs.com/blog/archives/38](http://www.airs.com/blog/archives/38) ;
Part 2:
[http://www.airs.com/blog/archives/39](http://www.airs.com/blog/archives/39) ;
Part 3:
[http://www.airs.com/blog/archives/40](http://www.airs.com/blog/archives/40) ;
Part 4:
[http://www.airs.com/blog/archives/41](http://www.airs.com/blog/archives/41) ;
Part 5:
[http://www.airs.com/blog/archives/42](http://www.airs.com/blog/archives/42) ;
Part 6:
[http://www.airs.com/blog/archives/43](http://www.airs.com/blog/archives/43) ;
Part 7:
[http://www.airs.com/blog/archives/44](http://www.airs.com/blog/archives/44) ;
Part 8:
[http://www.airs.com/blog/archives/45](http://www.airs.com/blog/archives/45) ;
Part 9:
[http://www.airs.com/blog/archives/46](http://www.airs.com/blog/archives/46) ;
Part 10:
[http://www.airs.com/blog/archives/47](http://www.airs.com/blog/archives/47) ;
Part 11:
[http://www.airs.com/blog/archives/48](http://www.airs.com/blog/archives/48) ;
Part 12:
[http://www.airs.com/blog/archives/49](http://www.airs.com/blog/archives/49) ;
Part 13:
[http://www.airs.com/blog/archives/50](http://www.airs.com/blog/archives/50) ;
Part 14:
[http://www.airs.com/blog/archives/51](http://www.airs.com/blog/archives/51) ;
Part 15:
[http://www.airs.com/blog/archives/52](http://www.airs.com/blog/archives/52) ;
Part 16:
[http://www.airs.com/blog/archives/53](http://www.airs.com/blog/archives/53) ;
Part 17:
[http://www.airs.com/blog/archives/54](http://www.airs.com/blog/archives/54) ;
Part 18:
[http://www.airs.com/blog/archives/55](http://www.airs.com/blog/archives/55) ;
Part 19:
[http://www.airs.com/blog/archives/56](http://www.airs.com/blog/archives/56) ;
Part 20:
[http://www.airs.com/blog/archives/57](http://www.airs.com/blog/archives/57)

------
jwilk
It's 503 for me, so here's an archived copy:
[https://archive.is/VchZA](https://archive.is/VchZA)

