[BACK]Return to security.7 CVS log [TXT][DIR] Up to [cvs.NetBSD.org] / src / share / man / man7

Annotation of src/share/man/man7/security.7, Revision 1.11

1.11    ! riastrad    1: .\" $NetBSD: security.7,v 1.9.4.1 2013/07/23 21:07:32 riastradh Exp $
1.1       jruoho      2: .\"
                      3: .\" Copyright (c) 2006, 2011 Elad Efrat <elad@NetBSD.org>
                      4: .\" All rights reserved.
                      5: .\"
                      6: .\" Redistribution and use in source and binary forms, with or without
                      7: .\" modification, are permitted provided that the following conditions
                      8: .\" are met:
                      9: .\" 1. Redistributions of source code must retain the above copyright
                     10: .\"    notice, this list of conditions and the following disclaimer.
                     11: .\" 2. Redistributions in binary form must reproduce the above copyright
                     12: .\"    notice, this list of conditions and the following disclaimer in the
                     13: .\"    documentation and/or other materials provided with the distribution.
                     14: .\" 3. The name of the author may not be used to endorse or promote products
                     15: .\"    derived from this software without specific prior written permission.
                     16: .\"
                     17: .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
                     18: .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
                     19: .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
                     20: .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
                     21: .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
                     22: .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
                     23: .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
                     24: .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
                     25: .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
                     26: .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
                     27: .\"
1.8       jruoho     28: .Dd March 30, 2011
1.1       jruoho     29: .Dt SECURITY 7
                     30: .Os
                     31: .Sh NAME
                     32: .Nm security
                     33: .Nd
                     34: .Nx
                     35: security features
                     36: .Sh DESCRIPTION
                     37: .Nx
                     38: supports a variety of security features.
                     39: Below is a brief description of them with some quick usage examples
                     40: that will help you get started.
                     41: .Pp
                     42: Contents:
                     43: .Pp
                     44: .Bl -hyphen -compact -offset indent
                     45: .It
                     46: Veriexec
                     47: .Pq file integrity
                     48: .It
                     49: Exploit mitigation
                     50: .It
                     51: Per-user
                     52: .Pa /tmp
                     53: directory
                     54: .It
                     55: Information filtering
1.4       jruoho     56: .It
                     57: Administrative security
1.1       jruoho     58: .El
1.2       jruoho     59: .Ss Veriexec
1.1       jruoho     60: .Em Veriexec
                     61: is a file integrity subsystem.
                     62: .Pp
                     63: For more information about it, and a quick guide on how to use it, please see
                     64: .Xr veriexec 8 .
                     65: .Pp
                     66: In a nutshell, once enabled,
                     67: .Em Veriexec
                     68: can be started as follows:
                     69: .Bd -literal -offset indent
                     70: # veriexecgen \*[Am]\*[Am] veriexecctl load
                     71: .Ed
1.2       jruoho     72: .Ss Exploit mitigation
1.1       jruoho     73: .Nx
                     74: incorporates some exploit mitigation features.
                     75: The purpose of exploit mitigation features is to interfere
                     76: with the way exploits work, in order to prevent them from succeeding.
                     77: Due to that, some features may have other impacts on the system, so be sure to
                     78: fully understand the implications of each feature.
                     79: .Pp
                     80: .Nx
                     81: provides the following exploit mitigation features:
                     82: .Pp
                     83: .Bl -hyphen -compact -offset indent
                     84: .It
                     85: .Tn PaX ASLR
                     86: .Pq Address Space Layout Randomization .
                     87: .It
                     88: .Tn PaX MPROTECT
                     89: .Xr ( mprotect 2
                     90: restrictions)
                     91: .It
                     92: .Tn PaX SegvGuard
                     93: .It
                     94: .Xr gcc 1
                     95: stack-smashing protection
                     96: .Pq Tn SSP
                     97: .It
                     98: bounds checked libc functions
                     99: .Pq Tn FORTIFY_SOURCE
                    100: .It
                    101: Protections against
                    102: .Dv NULL
                    103: pointer dereferences
                    104: .El
                    105: .Ss PaX ASLR
                    106: .Em PaX ASLR
                    107: implements Address Space Layout Randomization
                    108: .Pq Tn ASLR ,
                    109: meant to complement non-executable mappings.
                    110: Its purpose is to harden prediction of the address space layout, namely
                    111: location of library and application functions that can be used by an attacker
                    112: to circumvent non-executable mappings by using a technique called
                    113: .Dq return to library
                    114: to bypass the need to write new code to (potentially executable) regions of
                    115: memory.
                    116: .Pp
                    117: When
                    118: .Em PaX ASLR
                    119: is used, it is more likely the attacker will fail to predict the addresses of
                    120: such functions, causing the application to segfault.
                    121: To detect cases where an attacker might try and brute-force the return address
                    122: of respawning services,
                    123: .Em PaX Segvguard
                    124: can be used (see below).
                    125: .Pp
                    126: For non-PIE
                    127: .Pq Position Independent Executable
                    128: executables, the
                    129: .Nx
                    130: .Em PaX ASLR
                    131: implementation introduces randomization to the following memory regions:
                    132: .Pp
                    133: .Bl -enum -compact -offset indent
                    134: .It
                    135: The data segment
                    136: .It
                    137: The stack
                    138: .El
                    139: .Pp
                    140: For
                    141: .Tn PIE
                    142: executables:
                    143: .Pp
                    144: .Bl -enum -compact -offset indent
                    145: .It
                    146: The program itself (exec base)
                    147: .It
                    148: All shared libraries
                    149: .It
                    150: The data segment
                    151: .It
                    152: The stack
                    153: .El
                    154: .Pp
                    155: While it can be enabled globally,
                    156: .Nx
                    157: provides a tool,
                    158: .Xr paxctl 8 ,
                    159: to enable
                    160: .Em PaX ASLR
                    161: on a per-program basis.
                    162: .Pp
                    163: Example usage:
                    164: .Bd -literal -offset indent
                    165: # paxctl +A /usr/sbin/sshd
                    166: .Ed
                    167: .Pp
                    168: Enabling
                    169: .Em PaX ASLR
                    170: globally:
                    171: .Bd -literal -offset indent
                    172: # sysctl -w security.pax.aslr.global=1
                    173: .Ed
                    174: .Ss PaX MPROTECT
                    175: .Em PaX MPROTECT
                    176: implements memory protection restrictions,
                    177: meant to complement non-executable mappings.
                    178: The purpose is to prevent situations where malicious code attempts to mark
                    179: writable memory regions as executable, often by trashing arguments to an
                    180: .Xr mprotect 2
                    181: call.
                    182: .Pp
                    183: While it can be enabled globally,
                    184: .Nx
                    185: provides a tool,
                    186: .Xr paxctl 8 ,
                    187: to enable
                    188: .Em PaX MPROTECT
                    189: on a per-program basis.
                    190: .Pp
                    191: Example usage:
                    192: .Bd -literal -offset indent
                    193: # paxctl +M /usr/sbin/sshd
                    194: .Ed
                    195: .Pp
                    196: Enabling
                    197: .Em PaX MPROTECT
                    198: globally:
                    199: .Bd -literal -offset indent
                    200: # sysctl -w security.pax.mprotect.global=1
                    201: .Ed
                    202: .Ss PaX Segvguard
                    203: .Em PaX Segvguard
                    204: monitors the number of segmentation faults in a program on a per-user basis,
                    205: in an attempt to detect on-going exploitation attempts and possibly prevent
                    206: them.
                    207: For instance,
                    208: .Em PaX Segvguard
                    209: can help detect when an attacker tries to brute-force a function
                    210: return address, when attempting to perform a return-to-lib attack.
                    211: .Pp
                    212: .Em PaX Segvguard
                    213: consumes kernel memory, so use it wisely.
                    214: While it provides rate-limiting protections, records are tracked for all
                    215: users on a per-program basis, meaning that irresponsible use may result in
                    216: tracking all segmentation faults in the system, possibly consuming all kernel
                    217: memory.
                    218: .Pp
                    219: For this reason, it is highly recommended to have
                    220: .Em PaX Segvguard
                    221: enabled explicitly only for network services or
                    222: other processes deemed as critical to system security.
                    223: Enabling
                    224: .Em PaX Segvguard
                    225: explicitly works like this:
                    226: .Bd -literal -offset indent
                    227: # paxctl +G /usr/sbin/sshd
                    228: .Ed
                    229: .Pp
                    230: However, a global knob is still provided, for use in strict environments
                    231: with no local users (for example, some network appliances, embedded devices,
                    232: and firewalls)
                    233: .Bd -literal -offset indent
                    234: # sysctl -w security.pax.segvguard.global=1
                    235: .Ed
                    236: .Pp
                    237: Explicitly disabling
                    238: .Em PaX Segvguard
                    239: is also possible:
                    240: .Bd -literal -offset indent
                    241: # paxctl +g /bin/ls
                    242: .Ed
                    243: .Pp
                    244: In addition,
                    245: .Em PaX Segvguard
                    246: provides several tunable options.
                    247: For example, to limit a program to 5 segmentation faults from the same user in
                    248: a 60 second timeframe:
                    249: .Bd -literal -offset indent
                    250: # sysctl -w security.pax.segvguard.max_crashes=5
                    251: # sysctl -w security.pax.segvguard.expiry_timeout=60
                    252: .Ed
                    253: .Pp
                    254: The number of seconds a user will be suspended from running the culprit
                    255: program is also configurable.
                    256: For example, 10 minutes seem like a sane setting:
                    257: .Bd -literal -offset indent
                    258: # sysctl -w security.pax.segvguard.suspend_timeout=600
                    259: .Ed
                    260: .Ss GCC Stack Smashing Protection ( SSP )
                    261: As of
                    262: .Nx 4.0 ,
                    263: .Xr gcc 1
                    264: includes
                    265: .Em SSP ,
                    266: a set of compiler extensions to raise the bar on exploitation attempts by
                    267: detecting corruption of variables and buffer overruns, which may be used to
                    268: affect program control flow.
                    269: .Pp
                    270: Upon detection of a buffer overrun,
                    271: .Em SSP
                    272: will immediately abort execution of the program and send a log message
                    273: to
                    274: .Xr syslog 3 .
                    275: .Pp
                    276: The system (userland and kernel) can be built with
                    277: .Em SSP
                    278: by using the
                    279: .Dq USE_SSP
                    280: flag in
                    281: .Pa /etc/mk.conf :
                    282: .Bd -literal -offset indent
                    283: USE_SSP=yes
                    284: .Ed
                    285: .Pp
                    286: You are encouraged to use
                    287: .Em SSP
                    288: for software you build, by providing one of the
                    289: .Fl fstack-protector
                    290: or
                    291: .Fl fstack-protector-all
                    292: flags to
                    293: .Xr gcc 1 .
                    294: Keep in mind, however, that
                    295: .Em SSP
                    296: will not work for functions that make use of
                    297: .Xr alloca 3 ,
                    298: as the latter modifies the stack size during run-time, while
                    299: .Em SSP
                    300: relies on it being a compile-time static.
                    301: .Pp
                    302: Use of
                    303: .Em SSP
                    304: is especially encouraged on platforms without per-page execute bit granularity
                    305: such as i386.
                    306: As of
                    307: .Nx 6.0 ,
                    308: .Em SSP
                    309: is used by default on i386 and amd64 architectures.
                    310: .Ss FORTIFY_SOURCE
                    311: The so-called
                    312: .Em FORTIFY_SOURCE
                    313: is a relatively simple technique to detect a subset of buffer overflows
                    314: before these can do damage.
                    315: It is integrated to
                    316: .Xr gcc 1
                    317: together with some common memory and string functions in the standard
                    318: C library of
                    319: .Nx .
                    320: .Pp
                    321: The underlying idea builds on the observation that there are cases where
                    322: the compiler knows the size of a buffer.
                    323: If a buffer overflow is suspected in a function that does little or no
                    324: bounds checking, either a compile time warning can be issued or a
                    325: safer substitute function can be used at runtime.
                    326: Refer to
                    327: .Xr ssp 3
                    328: for additional details.
                    329: .Pp
                    330: The
                    331: .Em FORTIFY_SOURCE
                    332: is enabled by default in some parts of the
                    333: .Nx
                    334: source tree.
                    335: It is also possible to explicitly enable it by defining
                    336: the following in
                    337: .Xr mk.conf 5 :
                    338: .Bd -literal -offset indent
                    339: USE_FORT=yes
                    340: .Ed
                    341: .Ss Protections against NULL pointer dereferences
                    342: A certain class of attacks rely on kernel bugs that dereference
                    343: .Dv NULL
                    344: pointers.
                    345: If user processes are allowed to map the virtual address 0 with
                    346: .Xr mmap 2
                    347: or by other means, there is a risk that code or data
                    348: can be injected into the kernel address space.
                    349: .Pp
                    350: In
                    351: .Nx
                    352: it is possible to restrict whether user processes are
                    353: allowed to make mappings at the zero address.
                    354: By default, address 0 mappings are restricted
                    355: on the i386 and amd64 architectures.
                    356: It is however known that some third-party programs
                    357: may not function properly with the restriction.
                    358: Such mappings can be allowed either by using the
                    359: .Dv USER_VA0_DISABLE_DEFAULT
1.5       jruoho    360: kernel configuration option or by changing the following variable at runtime:
1.1       jruoho    361: .Bd -literal -offset indent
                    362: # sysctl -w vm.user_va0_disable=0
                    363: .Ed
                    364: .Pp
                    365: Note that if
                    366: .Em securelevel
                    367: (see
                    368: .Xr secmodel_securelevel 9 )
                    369: is greater than zero, it is not possible to change the
                    370: .Xr sysctl 8
                    371: variable.
1.2       jruoho    372: .Ss Per-user temporary storage
1.1       jruoho    373: It is possible to configure per-user temporary storage to avoid potential
                    374: security issues (race conditions, etc.) in programs that do not make secure
                    375: usage of
                    376: .Pa /tmp .
                    377: .Pp
                    378: To enable per-user temporary storage, add the following line to
                    379: .Xr rc.conf 5 :
                    380: .Bd -literal -offset indent
                    381: per_user_tmp=YES
                    382: .Ed
                    383: .Pp
                    384: If
                    385: .Pa /tmp
                    386: is a mount point, you will also need to update its
                    387: .Xr fstab 5
                    388: entry to use
                    389: .Dq /private/tmp
                    390: (or whatever directory you want, if you override the default using the
                    391: .Dq per_user_tmp_dir
                    392: .Xr rc.conf 5
                    393: keyword) instead of
                    394: .Dq /tmp .
                    395: .Pp
                    396: Following that, run:
                    397: .Bd -literal -offset indent
                    398: # /etc/rc.d/perusertmp start
                    399: .Ed
                    400: .Pp
                    401: The per-user temporary storage is implemented by using
                    402: .Dq magic symlinks .
                    403: These are further described in
                    404: .Xr symlink 7 .
1.2       jruoho    405: .Ss Information filtering
1.1       jruoho    406: .Nx
                    407: provides administrators the ability to restrict information passed from
                    408: the kernel to userland so that users can only view information they
                    409: .Dq own .
                    410: .Pp
                    411: The hooks that manage this restriction are located in various parts of the
                    412: system and affect programs such as
                    413: .Xr ps 1 ,
                    414: .Xr fstat 1 ,
                    415: and
                    416: .Xr netstat 1 .
                    417: Information filtering is enabled as follows:
                    418: .Bd -literal -offset indent
                    419: # sysctl -w security.curtain=1
                    420: .Ed
1.3       jruoho    421: .Ss Administrative security
                    422: Also certain administrative tasks are related to security.
1.6       wiz       423: For instance, the daily maintenance script includes some basic
1.3       jruoho    424: consistency checks; see
                    425: .Xr security.conf 5
                    426: for more details.
                    427: In particular, it is possible to configure
                    428: .Nx
                    429: to automatically audit all third-party packages installed via
                    430: .Xr pkgsrc 7 .
                    431: To audit for any known vulnerabilities on daily basis, set the following in
1.9       njoly     432: .Pa /etc/daily.conf :
1.3       jruoho    433: .Bd -literal -offset indent
                    434: fetch_pkg_vulnerabilities=YES
                    435: .Ed
1.1       jruoho    436: .Sh SEE ALSO
                    437: .Xr ssp 3 ,
                    438: .Xr options 4 ,
                    439: .Xr paxctl 8 ,
                    440: .Xr sysctl 8 ,
1.8       jruoho    441: .Xr veriexec 8 ,
                    442: .Xr kauth 9
                    443: .\"
                    444: .Rs
                    445: .%A Joseph Kong
                    446: .%B "Designing BSD Rootkits: An Introduction to Kernel Hacking"
                    447: .%D 2007
                    448: .%I "No Starch Press"
                    449: .Re
                    450: .\"
                    451: .Rs
                    452: .%A Enrico Perla
                    453: .%A Massimiliano Oldani
                    454: .%B "A Guide to Kernel Exploitation: Attacking the Core"
                    455: .%D 2010
                    456: .%I "Elsevier"
                    457: .Re
                    458: .\"
                    459: .Rs
                    460: .%A Erik Buchanan
                    461: .%A Ryan Roemer
                    462: .%A Hovav Shacham
                    463: .%A Stefan Savage
                    464: .%T "When Good Instructions Go Bad: \
                    465: Generalizing Return-Oriented Programming to RISC"
                    466: .%P 27-38
                    467: .%O CCS '08: Proceedings of the 15th ACM Conference \
                    468: on Computer and Communications Security
                    469: .%I ACM Press
                    470: .%D October 27-31, 2008
                    471: .%U http://cseweb.ucsd.edu/~hovav/dist/sparc.pdf
                    472: .Re
                    473: .\"
                    474: .Rs
                    475: .%A Sebastian Krahmer
                    476: .%T "x86-64 Buffer Overflow Exploits and \
                    477: the Borrowed Code Chunks Exploitation Technique"
                    478: .%D September 28, 2005
                    479: .%U http://www.suse.de/~krahmer/no-nx.pdf
                    480: .Re
1.1       jruoho    481: .Sh AUTHORS
1.7       jruoho    482: Many of the security features were pioneered by
1.10      wiz       483: .An Elad Efrat Aq Mt elad@NetBSD.org .

CVSweb <webmaster@jp.NetBSD.org>