The first Exec Shield patch attempts to flag data memory as non-executable and program memory as non-writeable. This suppresses many security exploits, such as those stemming from buffer overflows and other techniques relying on overwriting data and inserting code into those structures. Exec Shield also supplies some address space layout randomization for the mmap() and heap base.
The patch additionally increases the difficulty of inserting and executing shellcode, rendering most exploits ineffective. No application recompilation is necessary to fully utilize exec-shield, although some applications (Mono, Wine, XEmacs) are not fully compatible.
Other features that came out of the Exec Shield project were the so-called Position Independent Executables (PIE), the address space randomization patch for Linux kernels, a wide set of glibc internal security checks that make heap and format string exploits near impossible, the GCC Fortify Source feature, and the port and merge of the GCC stack-protector feature.
As of August, 2004, nothing from the Exec Shield projects attempt to enforce memory protections by restricting mprotect() on any architecture; although memory may not initially be executable, it may become executable later, so the kernel will allow an application to mark memory pages as both writable and executable at the same time. However, in cooperation with the Security Enhanced Linux project (SELinux), the standard policy for the Fedora Core distribution does prohibit this behavior for most executables, with only a few exceptions for compatibility reasons.