.\" $NetBSD: security.8,v 1.19 2009/05/18 14:58:14 wiz Exp $ .\" .\" Copyright (c) 2006 Elad Efrat .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. The name of the author may not be used to endorse or promote products .\" derived from this software without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .Dd January 26, 2009 .Dt SECURITY 8 .Os .Sh NAME .Nm security .Nd .Nx security features .Sh DESCRIPTION .Nx supports a variety of security features. Below is a brief description of them with some quick usage examples that will help you get started. .Pp Contents: .Bl -hyphen -compact .It Veriexec (file integrity) .It Exploit mitigation .It Per-user .Pa /tmp directory .It Information filtering .El .Sh VERIEXEC .Em Veriexec is a file integrity subsystem. .Pp For more information about it, and a quick guide on how to use it, please see .Xr veriexec 8 . .Pp In a nutshell, once enabled, .Em Veriexec can be started as follows: .Bd -literal -offset indent # veriexecgen \*[Am]\*[Am] veriexecctl load .Ed .Sh EXPLOIT MITIGATION .Nx incorporates some exploit mitigation features. The purpose of exploit mitigation features is to interfere with the way exploits work, in order to prevent them from succeeding. Due to that, some features may have other impact on the system, so be sure to fully understand the implications of each feature. .Pp .Nx provides the following exploit mitigation features: .Bl -hyphen -compact .It PaX ASLR (Address Space Layout Randomization) .It PaX MPROTECT .Xr ( mprotect 2 restrictions) .It PaX SegvGuard .It .Xr gcc 1 stack-smashing protection (SSP) .El .Ss PaX ASLR .Em PaX ASLR implements Address Space Layout Randomization, meant to complement non-executable mappings. Its purpose is to harden prediction of the address space layout, namely location of library and application functions that can be used by an attacker to circumvent non-executable mappings by using a technique called .Dq return to library to bypass the need to write new code to (potentially executable) regions of memory. .Pp When .Em PaX ASLR is used, it is more likely the attacker will fail to predict the addresses of such functions, causing the application to segfault. To detect cases where an attacker might try and brute-force the return address of respawning services, .Em PaX Segvguard can be used (see below). .Pp For non-PIE (Position Independent Executable) executables, the .Nx .Em PaX ASLR implementation introduces randomization to the following memory regions: .Bl -enum -compact .It The data segment .It The stack .El .Pp For PIE executables: .Bl -enum -compact .It The program itself (exec base) .It All shared libraries .It The data segment .It The stack .El .Pp While it can be enabled globally, .Nx provides a tool, .Xr paxctl 8 , to enable .Em PaX ASLR on a per-program basis. .Pp Example usage: .Bd -literal -offset indent # paxctl +A /usr/sbin/sshd .Ed .Pp Enabling .Em PaX ASLR globally: .Bd -literal -offset indent # sysctl -w security.pax.aslr.global=1 .Ed .Ss PaX MPROTECT .Em PaX MPROTECT implements memory protection restrictions, meant to complement non-executable mappings. Their purpose is to prevent situations where malicious code attempts to mark writable memory regions as executable, often by trashing arguments to an .Xr mprotect 2 call. .Pp While it can be enabled globally, .Nx provides a tool, .Xr paxctl 8 , to enable .Em PaX MPROTECT on a per-program basis. .Pp Example usage: .Bd -literal -offset indent # paxctl +M /usr/sbin/sshd .Ed .Pp Enabling .Em PaX MPROTECT globally: .Bd -literal -offset indent # sysctl -w security.pax.mprotect.global=1 .Ed .Ss PaX Segvguard .Em PaX Segvguard monitors the number of segmentation faults in a program on a per-user basis, in an attempt to detect on-going exploitation attempts and possibly prevent them. For instance, .Em PaX Segvguard can help detect when an attacker tries to brute-force a function return address, when attempting to perform a return-to-lib attack. .Pp .Em PaX Segvguard consumes kernel memory, so use it wisely. While it provides rate-limiting protections, records are tracked for all users on a per-program basis, meaning that irresponsible use may result in tracking all segmentation faults in the system, possibly consuming all kernel memory. .Pp For this reason, it is highly recommended to have .Em PaX Segvguard enabled explicitly only for network services, etc. Enabling .Em PaX Segvguard explicitly works like this: .Bd -literal -offset indent # paxctl +G /usr/sbin/sshd .Ed .Pp However, a global knob is still provided, for use in strict environments with no local users (some network appliances, embedded devices, firewalls, etc.): .Bd -literal -offset indent # sysctl -w security.pax.segvguard.global=1 .Ed .Pp Explicitly disabling .Em PaX Segvguard is also possible: .Bd -literal -offset indent # paxctl +g /bin/ls .Ed .Pp In addition, .Em PaX Segvguard provides several tunable options. For example, to limit a program to 5 segmentation faults from the same user in a 60 second timeframe: .Bd -literal -offset indent # sysctl -w security.pax.segvguard.max_crashes=5 # sysctl -w security.pax.segvguard.expiry_timeout=60 .Ed .Pp The number of seconds a user will be suspended from running the culprit program is also configurable. For example, 10 minutes seem like a sane setting: .Bd -literal -offset indent # sysctl -w security.pax.segvguard.suspend_timeout=600 .Ed .Ss GCC Stack Smashing Protection ( SSP ) As of .Nx 4.0 , .Xr gcc 1 includes .Em SSP , a set of compiler extensions to raise the bar on exploitation attempts by detecting corruption of variables and buffer overruns, which may be used to affect program control flow. .Pp Upon detection of a buffer overrun, .Em SSP will immediately abort execution of the program and send a log message to .Xr syslog 3 . .Pp The system (userland and kernel) can be built with .Em SSP by using the .Dq USE_SSP flag in .Pa /etc/mk.conf : .Bd -literal -offset indent USE_SSP=yes .Ed .Pp You are encouraged to use .Em SSP for software you build, by providing one of the .Fl fstack-protector or .Fl fstack-protector-all flags to .Xr gcc 1 . Keep in mind, however, that .Em SSP will not work for functions that make use of .Xr alloca 3 , as the latter modifies the stack size during run-time, while .Em SSP relies on it being a compile-time static. .Pp Use of .Em SSP is especially encouraged on platforms without per-page execute bit granularity such as .Em i386 . .Sh PER-USER TEMPORARY STORAGE It is possible to configure per-user temporary storage to avoid potential security issues (race conditions, etc.) in programs that do not make secure usage of .Pa /tmp . .Pp To enable per-user temporary storage, add the following line to .Xr rc.conf 5 : .Bd -literal -offset indent per_user_tmp=YES .Ed .Pp If .Pa /tmp is a mount point, you will also need to update its .Xr fstab 5 entry to use .Dq /private/tmp (or whatever directory you want, if you override the default using the .Dq per_user_tmp_dir .Xr rc.conf 5 keyword) instead of .Dq /tmp . .Pp Following that, run: .Bd -literal -offset indent # /etc/rc.d/perusertmp start .Ed .Sh INFORMATION FILTERING .Nx provides administrators the ability to restrict information passed from the kernel to userland so that users can only view information they .Dq own . .Pp The hooks that manage this restriction are located in various parts of the system and affect programs such as .Xr ps 1 , .Xr fstat 1 , and .Xr netstat 1 . Information filtering is enabled as follows: .Bd -literal -offset indent # sysctl -w security.curtain=1 .Ed .Sh SEE ALSO .Xr sysctl 3 , .Xr options 4 , .Xr paxctl 8 , .Xr sysctl 8 , .Xr veriexec 8 , .Xr veriexecctl 8 , .Xr veriexecgen 8 .Sh AUTHORS .An Elad Efrat Aq elad@NetBSD.org