NetBSD/share/man/man8/security.8

.\" $NetBSD: security.8,v 1.13 2007/02/02 02:42:00 elad Exp $
.\"
.\" Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd February 2, 2007
.Dt SECURITY 8
.Os
.Sh NAME
.Nm security
.Nd
.Nx
security features
.Sh DESCRIPTION
.Nx
supports a variety of security features.
Below is a brief description of them with some quick usage examples
that will help you get started.
.Pp
Contents:
.Bl -hyphen -compact
.It
Veriexec (file integrity)
.It
Exploit mitigation
.It
Information filtering
.El
.Sh VERIEXEC
.Em Veriexec
is an in-kernel, real-time, file-system independent, file integrity
subsystem.
It can be used for a variety of purposes, including defense against trojaned
binaries, indirect attacks via third-party remote file-systems, and
configuration file corruption.
.Em Veriexec
can operate in four modes, also referred to as strict levels:
.Bl -tag -width flag
.It Learning mode ( strict level 0 )
The only level at which the fingerprint tables can be modified, this level is
used to help fine-tune the signature database.
No enforcement is made, and verbose information is provided (fingerprint
matches and mismatches, file removals, incorrect access, etc.).
.It IDS mode ( strict level 1 )
IDS (intrusion detection system) mode provides an adequate level of integrity
for the files it monitors.
Implications:
.Pp
.Bl -hyphen -compact
.It
Monitored files cannot be removed
.It
If raw disk access is granted to a disk with monitored files on it, all
monitored files' fingerprints will be invalidated
.It
Access to files with mismatched fingerprints is denied
.It
Write access to monitored files is allowed
.It
Access type is not enforced
.El
.It IPS mode ( strict level 2 )
IPS (intrusion prevention system) mode provides a high level of integrity
for the files it monitors.
Implications:
.Pp
.Bl -hyphen -compact
.It
All implications of IDS mode
.It
Write access to monitored files is denied
.It
Access type is enforced
.It
Raw disk access to disk devices with monitored files on them is denied
.It
Execution of non-monitored files is denied
.It
Write access to kernel memory via
.Pa /dev/mem
and
.Pa /dev/kmem
is denied
.El
.It Lockdown mode ( strict level 3 )
Lockdown mode provides high assurance integrity for the entire system.
Implications:
.Pp
.Bl -hyphen -compact
.It
All implications of IPS mode
.It
Access to non-monitored files is denied
.It
Write access to files is allowed only if the file was opened before the
strict level was raised to this mode
.It
Creation of new files is denied
.It
Raw access to system disks is denied
.El
.El
.Pp
.Em Veriexec
requires a list of monitored files, along with their digital fingerprint and
(optionally) access modes.
.Nx
provides a tool,
.Xr veriexecgen 8 ,
for this purpose.
Example usage:
.Bd -literal -offset indent
# veriexecgen
.Ed
.Pp
.Em Veriexec
requires a pseudo-device to run:
.Bd -literal -offset indent
pseudo-device veriexec 1
.Ed
.Pp
Additionally, one or more options for digital fingerprint algorithm support:
.Bd -literal -offset indent
options VERIFIED_EXEC_FP_SHA256
options VERIFIED_EXEC_FP_SHA512
.Ed
.Pp
See your kernel's config file for an example.
.Pp
On amd64, i386, prep, and sparc64 GENERIC kernels,
.Em Veriexec
is enabled by default.
.Pp
.Em Veriexec
also requires enabling in
.Xr rc.conf 5 :
.Bd -literal -offset indent
veriexec=YES
veriexec_strict=1 # IDS mode
.Ed
.Sh EXPLOIT MITIGATION
.Nx
incorporates some exploit mitigation features, mainly from the
.Em PaX
project.
.Ss PaX MPROTECT
.Em PaX MPROTECT
implements memory protection restrictions, meant to complement non-executable
mappings.
Their purpose is to prevent situations where malicious code attempts to mark
writable memory regions as executable, often by trashing arguments to an
.Xr mprotect 2
call.
.Pp
While it can be enabled globally,
.Nx
provides a tool,
.Xr paxctl 8 ,
to enable
.Em PaX MPROTECT
on a per-program basis.
.Pp
Example usage:
.Bd -literal -offset indent
# paxctl +M /usr/sbin/sshd
.Ed
.Pp
Enabling
.Em PaX MPROTECT
globally:
.Bd -literal -offset indent
# sysctl -w security.pax.mprotect.global=1
.Ed
.Ss PaX Segvguard
.Em PaX Segvguard
monitors the number of segmentation faults in a program on a per-user basis,
in an attempt to detect on-going exploitation attempts and possibly prevent
them.
For instance,
.Em PaX Segvguard
can help detect when an attacker tries to brute-force a function
return address, when attempting to perform a return-to-lib attack.
.Pp
.Em PaX Segvguard
consumes kernel memory, so use it wisely.
While it provides rate-limiting protections, records are tracked for all
users on a per-program basis, meaning that irresponsible use may result in
tracking all segmentation faults in the system, possibly consuming all kernel
memory.
.Pp
For this reason, it is highly recommended to have
.Em PaX Segvguard
enabled explicitly only for network services, etc.
Enabling
.Em PaX Segvguard
explicitly works like this:
.Bd -literal -offset indent
# paxctl +G /usr/sbin/sshd
.Ed
.Pp
However, a global knob is still provided, for use in strict environments
with no local users (some network appliances, embedded devices, firewalls,
etc.):
.Bd -literal -offset indent
# sysctl -w security.pax.segvguard.global=1
.Ed
.Pp
Explicitly disabling
.Em PaX Segvguard
is also possible:
.Bd -literal -offset indent
# paxctl +g /bin/ls
.Ed
.Pp
In addition,
.Em PaX Segvguard
provides several tunable options.
For example, to limit a program to 5 segmentation faults from the same user in
a 60 second timeframe:
.Bd -literal -offset indent
# sysctl -w security.pax.segvguard.max_crashes=5
# sysctl -w security.pax.segvguard.expiry_timeout=60
.Ed
.Pp
The number of seconds a user will be suspended from running the culprit
program is also configurable.
For example, 10 minutes seem like a sane setting:
.Bd -literal -offset indent
# sysctl -w security.pax.segvguard.suspend_timeout=600
.Ed
.Ss GCC Stack Smashing Protection ( SSP )
As of
.Nx 4.0 ,
.Xr gcc 1
includes
.Em SSP ,
a set of compiler extensions to raise the bar on exploitation attempts by
detecting corruption of variables and buffer overruns, which may be used to
affect program control flow.
.Pp
Upon detection of a buffer overrun,
.Em SSP
will immediately abort execution of the program and send a log message
to
.Xr syslog 3 .
.Pp
The system (userland and kernel) can be built with
.Em SSP
by using the
.Dq USE_SSP
flag in
.Pa /etc/mk.conf :
.Bd -literal -offset indent
USE_SSP=yes
.Ed
.Pp
You are encouraged to use
.Em SSP
for software you build, by providing one of the
.Fl fstack-protector
or
.Fl fstack-protector-all
flags to
.Xr gcc 1 .
Keep in mind, however, that
.Em SSP
will not work for functions that make use of
.Xr alloca 3 ,
as the latter modifies the stack size during run-time, while
.Em SSP
relies on it being a compile-time static.
.Pp
Use of
.Em SSP
is especially encouraged on platforms without per-page execute bit granularity
such as
.Em i386 .
.Sh INFORMATION FILTERING
.Nx
provides administrators the ability to restrict information passed from
the kernel to userland so that users can only view information they
.Dq own .
.Pp
The hooks that manage this restriction are located in various parts of the
system and affect programs such as
.Xr ps 1 ,
.Xr fstat 1 ,
and
.Xr netstat 1 .
Information filtering is enabled as follows:
.Bd -literal -offset indent
# sysctl -w security.curtain=1
.Ed
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr options 4 ,
.Xr paxctl 8 ,
.Xr sysctl 8 ,
.Xr veriexecctl 8 ,
.Xr veriexecgen 8
.Sh AUTHORS
.An Elad Efrat Aq elad@NetBSD.org