1.\" $NetBSD: security.7,v 1.13 2015/06/14 16:56:36 christos Exp $ 2.\" 3.\" Copyright (c) 2006, 2011 Elad Efrat <elad@NetBSD.org> 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. The name of the author may not be used to endorse or promote products 15.\" derived from this software without specific prior written permission. 16.\" 17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27.\" 28.Dd June 14, 2015 29.Dt SECURITY 7 30.Os 31.Sh NAME 32.Nm security 33.Nd 34.Nx 35security features 36.Sh DESCRIPTION 37.Nx 38supports a variety of security features. 39Below is a brief description of them with some quick usage examples 40that will help you get started. 
.Pp
Contents:
.Pp
.Bl -hyphen -compact -offset indent
.It
Veriexec
.Pq file integrity
.It
Exploit mitigation
.It
Per-user
.Pa /tmp
directory
.It
Information filtering
.It
Administrative security
.El
.Ss Veriexec
.Em Veriexec
is a file integrity subsystem.
.Pp
For more information about it, and a quick guide on how to use it, please see
.Xr veriexec 8 .
.Pp
In a nutshell, once enabled,
.Em Veriexec
can be started as follows:
.Bd -literal -offset indent
# veriexecgen \*[Am]\*[Am] veriexecctl load
.Ed
.Ss Exploit mitigation
.Nx
incorporates some exploit mitigation features.
The purpose of exploit mitigation features is to interfere
with the way exploits work, in order to prevent them from succeeding.
Due to that, some features may have other impacts on the system, so be sure to
fully understand the implications of each feature.
.Pp
.Nx
provides the following exploit mitigation features:
.Pp
.Bl -hyphen -compact -offset indent
.It
.Tn PaX ASLR
.Pq Address Space Layout Randomization .
.It
.Tn PaX MPROTECT
.Xr ( mprotect 2
restrictions)
.It
.Tn PaX SegvGuard
.It
.Xr gcc 1
stack-smashing protection
.Pq Tn SSP
.It
bounds checked libc functions
.Pq Tn FORTIFY_SOURCE
.It
Protections against
.Dv NULL
pointer dereferences
.El
.Ss PaX ASLR
.Em PaX ASLR
implements Address Space Layout Randomization
.Pq Tn ASLR ,
meant to complement non-executable mappings.
Its purpose is to make the address space layout harder to predict, namely the
location of library and application functions that can be used by an attacker
to circumvent non-executable mappings by using a technique called
.Dq return to library
to bypass the need to write new code to (potentially executable) regions of
memory.
.Pp
When
.Em PaX ASLR
is used, it is more likely the attacker will fail to predict the addresses of
such functions, causing the application to segfault.
To detect cases where an attacker might try to brute-force the return address
of respawning services,
.Em PaX Segvguard
can be used (see below).
.Pp
For non-PIE
.Pq Position Independent Executable
executables, the
.Nx
.Em PaX ASLR
implementation introduces randomization to the following memory regions:
.Pp
.Bl -enum -compact -offset indent
.It
The stack
.El
.Pp
For
.Tn PIE
executables:
.Pp
.Bl -enum -compact -offset indent
.It
The program itself (exec base)
.It
All shared libraries
.It
The data segment
.It
The stack
.El
.Pp
While it can be enabled globally,
.Nx
provides a tool,
.Xr paxctl 8 ,
to enable
.Em PaX ASLR
on a per-program basis.
.Pp
Example usage:
.Bd -literal -offset indent
# paxctl +A /usr/sbin/sshd
.Ed
.Pp
Enabling
.Em PaX ASLR
globally:
.Bd -literal -offset indent
# sysctl -w security.pax.aslr.global=1
.Ed
.Ss PaX MPROTECT
.Em PaX MPROTECT
implements memory protection restrictions,
meant to complement non-executable mappings.
The purpose is to prevent situations where malicious code attempts to mark
writable memory regions as executable, often by trashing arguments to an
.Xr mprotect 2
call.
.Pp
While it can be enabled globally,
.Nx
provides a tool,
.Xr paxctl 8 ,
to enable
.Em PaX MPROTECT
on a per-program basis.
.Pp
Example usage:
.Bd -literal -offset indent
# paxctl +M /usr/sbin/sshd
.Ed
.Pp
Enabling
.Em PaX MPROTECT
globally:
.Bd -literal -offset indent
# sysctl -w security.pax.mprotect.global=1
.Ed
.Ss PaX Segvguard
.Em PaX Segvguard
monitors the number of segmentation faults in a program on a per-user basis,
in an attempt to detect on-going exploitation attempts and possibly prevent
them.
For instance,
.Em PaX Segvguard
can help detect when an attacker tries to brute-force a function
return address, when attempting to perform a return-to-lib attack.
.Pp
.Em PaX Segvguard
consumes kernel memory, so use it wisely.
While it provides rate-limiting protections, records are tracked for all
users on a per-program basis, meaning that irresponsible use may result in
tracking all segmentation faults in the system, possibly consuming all kernel
memory.
.Pp
For this reason, it is highly recommended to have
.Em PaX Segvguard
enabled explicitly only for network services or
other processes deemed as critical to system security.
Enabling
.Em PaX Segvguard
explicitly works like this:
.Bd -literal -offset indent
# paxctl +G /usr/sbin/sshd
.Ed
.Pp
However, a global knob is still provided, for use in strict environments
with no local users (for example, some network appliances, embedded devices,
and firewalls):
.Bd -literal -offset indent
# sysctl -w security.pax.segvguard.global=1
.Ed
.Pp
Explicitly disabling
.Em PaX Segvguard
is also possible:
.Bd -literal -offset indent
# paxctl +g /bin/ls
.Ed
.Pp
In addition,
.Em PaX Segvguard
provides several tunable options.
For example, to limit a program to 5 segmentation faults from the same user in
a 60 second timeframe:
.Bd -literal -offset indent
# sysctl -w security.pax.segvguard.max_crashes=5
# sysctl -w security.pax.segvguard.expiry_timeout=60
.Ed
.Pp
The number of seconds a user will be suspended from running the culprit
program is also configurable.
For example, 10 minutes seems like a sane setting:
.Bd -literal -offset indent
# sysctl -w security.pax.segvguard.suspend_timeout=600
.Ed
.Ss GCC Stack Smashing Protection ( SSP )
As of
.Nx 4.0 ,
.Xr gcc 1
includes
.Em SSP ,
a set of compiler extensions to raise the bar on exploitation attempts by
detecting corruption of variables and buffer overruns, which may be used to
affect program control flow.
.Pp
Upon detection of a buffer overrun,
.Em SSP
will immediately abort execution of the program and send a log message
to
.Xr syslog 3 .
.Pp
The system (userland and kernel) can be built with
.Em SSP
by using the
.Dq USE_SSP
flag in
.Pa /etc/mk.conf :
.Bd -literal -offset indent
USE_SSP=yes
.Ed
.Pp
You are encouraged to use
.Em SSP
for software you build, by providing one of the
.Fl fstack-protector
or
.Fl fstack-protector-all
flags to
.Xr gcc 1 .
Keep in mind, however, that
.Em SSP
will not work for functions that make use of
.Xr alloca 3 ,
as the latter modifies the stack size during run-time, while
.Em SSP
relies on it being a compile-time static.
.Pp
Use of
.Em SSP
is especially encouraged on platforms without per-page execute bit granularity
such as i386.
As of
.Nx 6.0 ,
.Em SSP
is used by default on i386 and amd64 architectures.
.Ss FORTIFY_SOURCE
The so-called
.Em FORTIFY_SOURCE
is a relatively simple technique to detect a subset of buffer overflows
before these can do damage.
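As an added example (not NetBSD's ssp(3) code; the names are this example's own and it assumes a gcc-compatible compiler), this shows the mechanism FORTIFY_SOURCE builds on: the compiler reports the size of a destination buffer it can see through __builtin_object_size(), and a checked substitute for strcpy() uses that size to refuse an overrun at run time instead of corrupting the stack. Where libc's fortified functions abort and log, this substitute returns an error code so the outcome can be checked; the rest of this section describes how FORTIFY_SOURCE is wired into gcc(1) and libc.

```c
/* Added example, not NetBSD's ssp(3): a FORTIFY_SOURCE-style checked
 * strcpy(). The destination size comes from __builtin_object_size(), which
 * the compiler folds to a constant when it can see the object. */
#include <stddef.h>
#include <string.h>

/* Returned instead of aborting, so the caller can decide what to do. */
enum { COPY_OK = 0, COPY_OVERRUN = -1, COPY_UNKNOWN_SIZE = 1 };

/* dst_size is what __builtin_object_size() reported; (size_t)-1 means the
 * compiler could not determine the size of the object behind dst. */
static int checked_strcpy(char *dst, const char *src, size_t dst_size)
{
    size_t needed = strlen(src) + 1;    /* include the NUL terminator */

    if (dst_size == (size_t)-1) {
        /* Size unknown: nothing to check, behave like plain strcpy(). */
        memcpy(dst, src, needed);
        return COPY_UNKNOWN_SIZE;
    }
    if (needed > dst_size)
        return COPY_OVERRUN;            /* would overflow: copy nothing */
    memcpy(dst, src, needed);
    return COPY_OK;
}

/* Must be a macro: __builtin_object_size() only knows the size at the call
 * site, where the compiler can still see what dst points to. */
#define STRCPY_CHK(dst, src) \
    checked_strcpy((dst), (src), __builtin_object_size((dst), 0))

/* A copy that fits into a stack buffer whose size the compiler knows. */
int demo_fits(void)
{
    char buf[16];
    return STRCPY_CHK(buf, "netbsd");   /* COPY_OK */
}

/* The classic bug: a 16-byte stack buffer fed a longer string. Plain
 * strcpy() would smash the stack; the checked substitute refuses. */
int demo_overrun(void)
{
    char buf[16];
    return STRCPY_CHK(buf, "this string is longer than sixteen bytes");
}
```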
It is integrated into
.Xr gcc 1
together with some common memory and string functions in the standard
C library of
.Nx .
.Pp
The underlying idea builds on the observation that there are cases where
the compiler knows the size of a buffer.
If a buffer overflow is suspected in a function that does little or no
bounds checking, either a compile time warning can be issued or a
safer substitute function can be used at runtime.
Refer to
.Xr ssp 3
for additional details.
.Pp
.Em FORTIFY_SOURCE
is enabled by default in some parts of the
.Nx
source tree.
It is also possible to explicitly enable it by defining
the following in
.Xr mk.conf 5 :
.Bd -literal -offset indent
USE_FORT=yes
.Ed
.Ss Protections against NULL pointer dereferences
A certain class of attacks relies on kernel bugs that dereference
.Dv NULL
pointers.
If user processes are allowed to map the virtual address 0 with
.Xr mmap 2
or by other means, there is a risk that code or data
can be injected into the kernel address space.
.Pp
In
.Nx
it is possible to restrict whether user processes are
allowed to make mappings at the zero address.
By default, address 0 mappings are restricted on all architectures.
It is however known that some third-party programs
may not function properly with the restriction.
Such mappings can be allowed either by using the
.Dv USER_VA0_DISABLE_DEFAULT
kernel configuration option or by changing the following variable at runtime:
.Bd -literal -offset indent
# sysctl -w vm.user_va0_disable=0
.Ed
.Pp
Note that if
.Em securelevel
(see
.Xr secmodel_securelevel 9 )
is greater than zero, it is not possible to change the
.Xr sysctl 8
variable.
.Ss Per-user temporary storage
It is possible to configure per-user temporary storage to avoid potential
security issues (race conditions, etc.)
in programs that do not make secure
usage of
.Pa /tmp .
.Pp
To enable per-user temporary storage, add the following line to
.Xr rc.conf 5 :
.Bd -literal -offset indent
per_user_tmp=YES
.Ed
.Pp
If
.Pa /tmp
is a mount point, you will also need to update its
.Xr fstab 5
entry to use
.Dq /private/tmp
(or whatever directory you want, if you override the default using the
.Dq per_user_tmp_dir
.Xr rc.conf 5
keyword) instead of
.Dq /tmp .
.Pp
Following that, run:
.Bd -literal -offset indent
# /etc/rc.d/perusertmp start
.Ed
.Pp
The per-user temporary storage is implemented by using
.Dq magic symlinks .
These are further described in
.Xr symlink 7 .
.Ss Information filtering
.Nx
gives administrators the ability to restrict information passed from
the kernel to userland so that users can only view information they
.Dq own .
.Pp
The hooks that manage this restriction are located in various parts of the
system and affect programs such as
.Xr ps 1 ,
.Xr fstat 1 ,
and
.Xr netstat 1 .
Information filtering is enabled as follows:
.Bd -literal -offset indent
# sysctl -w security.curtain=1
.Ed
.Ss Administrative security
Certain administrative tasks are also related to security.
For instance, the daily maintenance script includes some basic
consistency checks; see
.Xr security.conf 5
for more details.
In particular, it is possible to configure
.Nx
to automatically audit all third-party packages installed via
.Xr pkgsrc 7 .
To audit for any known vulnerabilities on a daily basis, set the following in
.Pa /etc/daily.conf :
.Bd -literal -offset indent
fetch_pkg_vulnerabilities=YES
.Ed
.Sh SEE ALSO
.Xr ssp 3 ,
.Xr options 4 ,
.Xr paxctl 8 ,
.Xr sysctl 8 ,
.Xr veriexec 8 ,
.Xr kauth 9
.\"
.Rs
.%A Joseph Kong
.%B "Designing BSD Rootkits: An Introduction to Kernel Hacking"
.%D 2007
.%I "No Starch Press"
.Re
.\"
.Rs
.%A Enrico Perla
.%A Massimiliano Oldani
.%B "A Guide to Kernel Exploitation: Attacking the Core"
.%D 2010
.%I "Elsevier"
.Re
.\"
.Rs
.%A Erik Buchanan
.%A Ryan Roemer
.%A Hovav Shacham
.%A Stefan Savage
.%T "When Good Instructions Go Bad: \
Generalizing Return-Oriented Programming to RISC"
.%P 27-38
.%O CCS '08: Proceedings of the 15th ACM Conference \
on Computer and Communications Security
.%I ACM Press
.%D October 27-31, 2008
.%U http://cseweb.ucsd.edu/~hovav/dist/sparc.pdf
.Re
.\"
.Rs
.%A Sebastian Krahmer
.%T "x86-64 Buffer Overflow Exploits and \
the Borrowed Code Chunks Exploitation Technique"
.%D September 28, 2005
.%U http://www.suse.de/~krahmer/no-nx.pdf
.Re
.Sh AUTHORS
Many of the security features were pioneered by
.An Elad Efrat Aq Mt elad@NetBSD.org .