Annotation of src/share/man/man7/security.7, Revision 1.8
.\" $NetBSD: security.7,v 1.7 2011/03/20 13:07:38 jruoho Exp $
.\"
.\" Copyright (c) 2006, 2011 Elad Efrat <elad@NetBSD.org>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd March 30, 2011
.Dt SECURITY 7
.Os
.Sh NAME
.Nm security
.Nd
.Nx
security features
.Sh DESCRIPTION
.Nx
supports a variety of security features.
Below is a brief description of them with some quick usage examples
that will help you get started.
.Pp
Contents:
.Pp
.Bl -hyphen -compact -offset indent
.It
Veriexec
.Pq file integrity
.It
Exploit mitigation
.It
Per-user
.Pa /tmp
directory
.It
Information filtering
.It
Administrative security
.El
.Ss Veriexec
.Em Veriexec
is a file integrity subsystem.
.Pp
For more information about it, and a quick guide on how to use it, please see
.Xr veriexec 8 .
.Pp
In a nutshell, once enabled,
.Em Veriexec
can be started by generating the fingerprint database with
.Xr veriexecgen 8
and loading it into the kernel with
.Xr veriexecctl 8 :
.Bd -literal -offset indent
# veriexecgen \*[Am]\*[Am] veriexecctl load
.Ed
.Ss Exploit mitigation
.Nx
incorporates some exploit mitigation features.
The purpose of exploit mitigation features is to interfere
with the way exploits work, in order to prevent them from succeeding.
Due to that, some features may have other impacts on the system, so be sure to
fully understand the implications of each feature.
.Pp
.Nx
provides the following exploit mitigation features:
.Pp
.Bl -hyphen -compact -offset indent
.It
.Tn PaX ASLR
.Pq Address Space Layout Randomization .
.It
.Tn PaX MPROTECT
.Xr ( mprotect 2
restrictions)
.It
.Tn PaX Segvguard
.It
.Xr gcc 1
stack-smashing protection
.Pq Tn SSP
.It
bounds checked libc functions
.Pq Tn FORTIFY_SOURCE
.It
Protections against
.Dv NULL
pointer dereferences
.El
.Ss PaX ASLR
.Em PaX ASLR
implements Address Space Layout Randomization
.Pq Tn ASLR ,
meant to complement non-executable mappings.
Its purpose is to make the layout of the address space hard to predict,
in particular the location of library and application functions that an
attacker can reuse to circumvent non-executable mappings with a technique
called
.Dq return to library
(return-to-libc), which removes the need to write new code into
(potentially executable) regions of memory.
.Pp
When
.Em PaX ASLR
is used, the attacker is more likely to guess the addresses of such
functions wrongly, in which case the application segfaults instead of
executing the attacker's payload.
To detect cases where an attacker tries to brute-force the return address
of a respawning service,
.Em PaX Segvguard
can be used (see below).
.Pp
For non-PIE
.Pq Position Independent Executable
executables, the
.Nx
.Em PaX ASLR
implementation introduces randomization to the following memory regions:
.Pp
.Bl -enum -compact -offset indent
.It
The data segment
.It
The stack
.El
.Pp
For
.Tn PIE
executables:
.Pp
.Bl -enum -compact -offset indent
.It
The program itself (exec base)
.It
All shared libraries
.It
The data segment
.It
The stack
.El
.Pp
While it can be enabled globally,
.Nx
provides a tool,
.Xr paxctl 8 ,
to enable
.Em PaX ASLR
on a per-program basis.
.Pp
Example usage:
.Bd -literal -offset indent
# paxctl +A /usr/sbin/sshd
.Ed
.Pp
Enabling
.Em PaX ASLR
globally:
.Bd -literal -offset indent
# sysctl -w security.pax.aslr.global=1
.Ed
.Ss PaX MPROTECT
.Em PaX MPROTECT
implements memory protection restrictions,
meant to complement non-executable mappings.
The purpose is to prevent situations where malicious code attempts to mark
writable memory regions as executable (or executable regions as writable),
often by corrupting the arguments of an
.Xr mprotect 2
call made by the program.
.Pp
While it can be enabled globally,
.Nx
provides a tool,
.Xr paxctl 8 ,
to enable
.Em PaX MPROTECT
on a per-program basis.
.Pp
Example usage:
.Bd -literal -offset indent
# paxctl +M /usr/sbin/sshd
.Ed
.Pp
Enabling
.Em PaX MPROTECT
globally:
.Bd -literal -offset indent
# sysctl -w security.pax.mprotect.global=1
.Ed
.Ss PaX Segvguard
.Em PaX Segvguard
monitors the number of segmentation faults in a program on a per-user basis,
in an attempt to detect on-going exploitation attempts and possibly prevent
them.
For instance,
.Em PaX Segvguard
can help detect when an attacker tries to brute-force a function
return address for a return-to-lib attack against a service that is
restarted after every crash.
.Pp
.Em PaX Segvguard
consumes kernel memory, so use it wisely.
While it provides rate-limiting protections, a record is kept for every
(user, program) pair that faults, so enabling it indiscriminately may
result in tracking every segmentation fault on the system and possibly
exhausting kernel memory.
.Pp
For this reason, it is highly recommended to have
.Em PaX Segvguard
enabled explicitly only for network services or
other processes deemed as critical to system security.
Enabling
.Em PaX Segvguard
explicitly works like this:
.Bd -literal -offset indent
# paxctl +G /usr/sbin/sshd
.Ed
.Pp
However, a global knob is still provided, for use in strict environments
with no local users (for example, some network appliances, embedded devices,
and firewalls):
.Bd -literal -offset indent
# sysctl -w security.pax.segvguard.global=1
.Ed
.Pp
Explicitly disabling
.Em PaX Segvguard
is also possible:
.Bd -literal -offset indent
# paxctl +g /bin/ls
.Ed
.Pp
In addition,
.Em PaX Segvguard
provides several tunable options.
For example, to limit a program to 5 segmentation faults from the same user in
a 60 second timeframe:
.Bd -literal -offset indent
# sysctl -w security.pax.segvguard.max_crashes=5
# sysctl -w security.pax.segvguard.expiry_timeout=60
.Ed
.Pp
The number of seconds a user will be suspended from running the culprit
program is also configurable.
For example, 10 minutes seems like a sane setting:
.Bd -literal -offset indent
# sysctl -w security.pax.segvguard.suspend_timeout=600
.Ed
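The way the three knobs interact is easier to see in code. The following is an added example, not NetBSD source: a userland model of the Segvguard policy described above, keeping one crash counter per (user, program) pair with the documented meaning of max_crashes, expiry_timeout and suspend_timeout, driven by synthetic timestamps. The bounded record table and the ENOMEM return are an assumption of this model, introduced to show where the memory-consumption caveat surfaces; the kernel's own bookkeeping differs.

```c
/*
 * Added example: a userland model of the PaX Segvguard policy described
 * above.  This is not the NetBSD kernel code; it reproduces the documented
 * meaning of the three knobs so they can be exercised with synthetic
 * timestamps: max_crashes faults per (user, program) within one window of
 * expiry_timeout seconds, after which the user is barred from the program
 * for suspend_timeout seconds.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <time.h>

#define SEGV_MAXREC 64   /* bounded table: an assumption of this model */

struct segv_record {
	uid_t    uid;
	char     path[128];
	unsigned ncrashes;        /* faults counted in the current window */
	time_t   expiry;          /* the window ends at this time */
	time_t   suspended_until; /* exec refused while now < this */
};

struct segvguard {
	unsigned max_crashes;     /* security.pax.segvguard.max_crashes */
	time_t   expiry_timeout;  /* security.pax.segvguard.expiry_timeout */
	time_t   suspend_timeout; /* security.pax.segvguard.suspend_timeout */
	struct segv_record rec[SEGV_MAXREC];
	size_t   nrec;
};

static void
segvguard_init(struct segvguard *g, unsigned max_crashes,
    time_t expiry_timeout, time_t suspend_timeout)
{
	memset(g, 0, sizeof(*g));
	g->max_crashes = max_crashes;
	g->expiry_timeout = expiry_timeout;
	g->suspend_timeout = suspend_timeout;
}

static struct segv_record *
segv_lookup(struct segvguard *g, uid_t uid, const char *path)
{
	size_t i;

	for (i = 0; i < g->nrec; i++)
		if (g->rec[i].uid == uid && strcmp(g->rec[i].path, path) == 0)
			return &g->rec[i];
	return NULL;
}

/* Exec-time check: 0 = allowed, EPERM = uid is currently suspended from path. */
static int
segvguard_allow_exec(struct segvguard *g, uid_t uid, const char *path, time_t now)
{
	struct segv_record *r = segv_lookup(g, uid, path);

	return (r != NULL && now < r->suspended_until) ? EPERM : 0;
}

/*
 * Fault-time bookkeeping for a SIGSEGV of (uid, path) at 'now'.
 * Returns 1 if this fault fills the quota and starts a suspension, 0 if it
 * was only counted, -1 with errno = ENOMEM if no record could be created
 * (the point at which tracking everything would exhaust memory).
 */
static int
segvguard_on_segv(struct segvguard *g, uid_t uid, const char *path, time_t now)
{
	struct segv_record *r = segv_lookup(g, uid, path);

	if (r == NULL) {
		if (g->nrec == SEGV_MAXREC) {
			errno = ENOMEM;
			return -1;
		}
		r = &g->rec[g->nrec++];
		memset(r, 0, sizeof(*r));
		r->uid = uid;
		snprintf(r->path, sizeof(r->path), "%s", path);
		r->expiry = now + g->expiry_timeout;
	} else if (now >= r->expiry) {
		r->ncrashes = 0;          /* window elapsed: start over */
		r->expiry = now + g->expiry_timeout;
	}
	if (++r->ncrashes >= g->max_crashes) {
		r->suspended_until = now + g->suspend_timeout;
		r->ncrashes = 0;
		return 1;
	}
	return 0;
}

int
main(void)
{
	struct segvguard g;
	time_t t;

	segvguard_init(&g, 5, 60, 600);  /* the values used in the text */
	for (t = 0; t <= 40; t += 10)
		printf("t=%2ld: sshd fault by uid 1000 -> %s\n", (long)t,
		    segvguard_on_segv(&g, 1000, "/usr/sbin/sshd", t) ? "suspend" : "count");
	printf("exec at t=100 -> %s\n",
	    segvguard_allow_exec(&g, 1000, "/usr/sbin/sshd", 100) ? "EPERM" : "ok");
	printf("exec at t=640 -> %s\n",
	    segvguard_allow_exec(&g, 1000, "/usr/sbin/sshd", 640) ? "EPERM" : "ok");
	return 0;
}
```

With the values from the text, the fifth fault within the 60 second window (at t=40) starts a 600 second suspension, a fault at t=70 after four earlier ones starts a fresh count because the window has expired, and a different uid is never affected by another user's faults.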
.Ss GCC Stack Smashing Protection ( SSP )
As of
.Nx 4.0 ,
.Xr gcc 1
includes
.Em SSP ,
a set of compiler extensions to raise the bar on exploitation attempts by
detecting corruption of variables and buffer overruns, which may be used to
affect program control flow.
.Pp
.Em SSP
places a canary value between a function's local buffers and its saved
registers and return address, and verifies it before the function returns.
Upon detection of a buffer overrun (a changed canary),
.Em SSP
will immediately abort execution of the program and send a log message
to
.Xr syslog 3 .
.Pp
The system (userland and kernel) can be built with
.Em SSP
by using the
.Dq USE_SSP
flag in
.Pa /etc/mk.conf :
.Bd -literal -offset indent
USE_SSP=yes
.Ed
.Pp
You are encouraged to use
.Em SSP
for software you build, by providing one of the
.Fl fstack-protector
or
.Fl fstack-protector-all
flags to
.Xr gcc 1 .
Keep in mind, however, that
.Em SSP
only detects overruns that reach the canary.
Buffers allocated with
.Xr alloca 3
are carved out of the stack at run-time, below the function's other local
variables, so a short overrun of such a buffer can corrupt those variables
(including pointers) without ever touching the canary;
.Em SSP
can only arrange the storage it lays out at compile-time.
.Pp
Use of
.Em SSP
is especially encouraged on platforms without per-page execute bit granularity
such as i386.
As of
.Nx 6.0 ,
.Em SSP
is used by default on i386 and amd64 architectures.
.Ss FORTIFY_SOURCE
The so-called
.Em FORTIFY_SOURCE
is a relatively simple technique to detect a subset of buffer overflows
before these can do damage.
It is integrated into
.Xr gcc 1
together with some common memory and string functions in the standard
C library of
.Nx .
.Pp
The underlying idea builds on the observation that there are cases where
the compiler knows the size of a buffer, for instance a fixed-size array
declared in the calling function.
If a buffer overflow is suspected in a function that does little or no
bounds checking, either a compile-time warning can be issued or a
safer substitute function that checks the destination size at run-time
can be used.
Where the compiler cannot determine the size, for instance for a buffer
reached only through a pointer passed in from elsewhere, no check is
performed.
Refer to
.Xr ssp 3
for additional details.
.Pp
.Em FORTIFY_SOURCE
is enabled by default in some parts of the
.Nx
source tree.
It is also possible to explicitly enable it by defining
the following in
.Xr mk.conf 5 :
.Bd -literal -offset indent
USE_FORT=yes
.Ed
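To make the idea concrete, here is an added example (not the ssp(3) code; the names checked_memcpy, MEMCPY_CHK and so on are this example's own) of the FORTIFY_SOURCE mechanism: a checked memcpy/strcpy pair that receives the destination size via the compiler builtin __builtin_object_size, refuses a copy that would overflow a destination of known size, and performs no check when the size is unknown. ssp(3) aborts the process on a detected violation; this model counts and reports the violation instead so the behaviour can be exercised.

```c
/*
 * Added example: the FORTIFY_SOURCE mechanism in miniature.  Not the ssp(3)
 * code.  __builtin_object_size(p, 0) yields the size of the object p points
 * into when the compiler can see it, and (size_t)-1 when it cannot.  The
 * checked copy refuses a write that would exceed a known size and, like the
 * real feature, does nothing special when the size is unknown.  ssp(3)
 * aborts on a violation; this model counts and reports it instead.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SIZE_UNKNOWN ((size_t)-1)

static int fortify_violations;      /* number of refused copies */

static void
fortify_fail(const char *fn, size_t dst_size, size_t need)
{
	fortify_violations++;
	fprintf(stderr, "%s: %zu bytes would overflow %zu-byte object, refused\n",
	    fn, need, dst_size);
}

static int
checked_memcpy(void *dst, size_t dst_size, const void *src, size_t n)
{
	if (dst_size != SIZE_UNKNOWN && n > dst_size) {
		fortify_fail("memcpy", dst_size, n);
		return -1;
	}
	memcpy(dst, src, n);
	return 0;
}

static int
checked_strcpy(char *dst, size_t dst_size, const char *src)
{
	size_t need = strlen(src) + 1;      /* including the terminator */

	if (dst_size != SIZE_UNKNOWN && need > dst_size) {
		fortify_fail("strcpy", dst_size, need);
		return -1;
	}
	memcpy(dst, src, need);
	return 0;
}

/* The wrappers a fortified header would substitute for memcpy/strcpy. */
#define MEMCPY_CHK(dst, src, n) \
	checked_memcpy((dst), __builtin_object_size((dst), 0), (src), (n))
#define STRCPY_CHK(dst, src) \
	checked_strcpy((dst), __builtin_object_size((dst), 0), (src))

/* Copy n bytes of constructed input into a 16-byte stack buffer. */
static int
copy_into_16(size_t n)
{
	static const unsigned char input[64] = { 'A', 'A', 'A', 'A' };
	char buf[16];

	return MEMCPY_CHK(buf, input, n);   /* the compiler knows sizeof buf */
}

/* strcpy of caller-supplied text into a 16-byte line buffer. */
static int
greet(const char *name)
{
	char line[16];

	return STRCPY_CHK(line, name);
}

/* Through an opaque pointer the size is unknown, so nothing is checked. */
__attribute__((noinline)) static size_t
size_seen_via_pointer(char *p)
{
	return __builtin_object_size(p, 0);
}

int
main(void)
{
	char opaque[16];

	printf("memcpy  8 -> char[16]: %s\n", copy_into_16(8) == 0 ? "ok" : "refused");
	printf("memcpy 32 -> char[16]: %s\n", copy_into_16(32) == 0 ? "ok" : "refused");
	printf("strcpy \"hi\" -> char[16]: %s\n", greet("hi") == 0 ? "ok" : "refused");
	printf("size through pointer: %s\n",
	    size_seen_via_pointer(opaque) == SIZE_UNKNOWN ? "unknown, unchecked" : "known");
	return 0;
}
```

The same limitation applies to the real feature: a destination reached only through a function parameter is not protected, which is why libc can fortify its own callers' fixed-size buffers but not arbitrary pointers.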
.Ss Protections against NULL pointer dereferences
A certain class of attacks relies on kernel bugs that dereference
.Dv NULL
pointers.
Because user and kernel code share one address space on these
architectures, a kernel dereference of a
.Dv NULL
pointer lands at virtual address 0 of the current process.
If user processes are allowed to map that address with
.Xr mmap 2
or by other means, an attacker can place data or code there and have the
kernel consume it when it follows the bad pointer.
.Pp
In
.Nx
it is possible to restrict whether user processes are
allowed to make mappings at the zero address.
By default, address 0 mappings are restricted
on the i386 and amd64 architectures.
It is however known that some third-party programs
may not function properly with the restriction.
Such mappings can be allowed either by using the
.Dv USER_VA0_DISABLE_DEFAULT
kernel configuration option or by changing the following variable at runtime:
.Bd -literal -offset indent
# sysctl -w vm.user_va0_disable=0
.Ed
.Pp
Note that if
.Em securelevel
(see
.Xr secmodel_securelevel 9 )
is greater than zero, it is not possible to change the
.Xr sysctl 8
variable.
.Ss Per-user temporary storage
It is possible to configure per-user temporary storage to avoid potential
security issues (race conditions, etc.) in programs that do not make secure
usage of
.Pa /tmp .
.Pp
To enable per-user temporary storage, add the following line to
.Xr rc.conf 5 :
.Bd -literal -offset indent
per_user_tmp=YES
.Ed
.Pp
If
.Pa /tmp
is a mount point, you will also need to update its
.Xr fstab 5
entry to use
.Dq /private/tmp
(or whatever directory you want, if you override the default using the
.Dq per_user_tmp_dir
.Xr rc.conf 5
keyword) instead of
.Dq /tmp .
.Pp
Following that, run:
.Bd -literal -offset indent
# /etc/rc.d/perusertmp start
.Ed
.Pp
The per-user temporary storage is implemented by using
.Dq magic symlinks .
These are further described in
.Xr symlink 7 .
.Ss Information filtering
.Nx
provides administrators the ability to restrict information passed from
the kernel to userland so that users can only view information they
.Dq own .
.Pp
The hooks that manage this restriction are located in various parts of the
system and affect programs such as
.Xr ps 1 ,
.Xr fstat 1 ,
and
.Xr netstat 1 .
Information filtering is enabled as follows:
.Bd -literal -offset indent
# sysctl -w security.curtain=1
.Ed
.Ss Administrative security
Certain administrative tasks are also related to security.
For instance, the daily maintenance script includes some basic
consistency checks; see
.Xr security.conf 5
for more details.
In particular, it is possible to configure
.Nx
to automatically audit all third-party packages installed via
.Xr pkgsrc 7 .
To audit for any known vulnerabilities on a daily basis, set the following in
.Pa /etc/daily.conf :
.Bd -literal -offset indent
fetch_pkg_vulnerabilities=YES
.Ed
.Sh SEE ALSO
.Xr ssp 3 ,
.Xr options 4 ,
.Xr paxctl 8 ,
.Xr sysctl 8 ,
.Xr veriexec 8 ,
.Xr kauth 9
.\"
.Rs
.%A Joseph Kong
.%B "Designing BSD Rootkits: An Introduction to Kernel Hacking"
.%D 2007
.%I "No Starch Press"
.Re
.\"
.Rs
.%A Enrico Perla
.%A Massimiliano Oldani
.%B "A Guide to Kernel Exploitation: Attacking the Core"
.%D 2010
.%I "Elsevier"
.Re
.\"
.Rs
.%A Erik Buchanan
.%A Ryan Roemer
.%A Hovav Shacham
.%A Stefan Savage
.%T "When Good Instructions Go Bad: \
Generalizing Return-Oriented Programming to RISC"
.%P 27-38
.%O CCS '08: Proceedings of the 15th ACM Conference \
on Computer and Communications Security
.%I ACM Press
.%D October 27-31, 2008
.%U http://cseweb.ucsd.edu/~hovav/dist/sparc.pdf
.Re
.\"
.Rs
.%A Sebastian Krahmer
.%T "x86-64 Buffer Overflow Exploits and \
the Borrowed Code Chunks Exploitation Technique"
.%D September 28, 2005
.%U http://www.suse.de/~krahmer/no-nx.pdf
.Re
.Sh AUTHORS
Many of the security features were pioneered by
.An Elad Efrat Aq elad@NetBSD.org .