xref: /netbsd-src/share/man/man7/security.7 (revision 946379e7b37692fc43f68eb0d1c10daa0a7f3b6c)
1.\" $NetBSD: security.7,v 1.13 2015/06/14 16:56:36 christos Exp $
2.\"
3.\" Copyright (c) 2006, 2011 Elad Efrat <elad@NetBSD.org>
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\" 3. The name of the author may not be used to endorse or promote products
15.\"    derived from this software without specific prior written permission.
16.\"
17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27.\"
28.Dd June 14, 2015
29.Dt SECURITY 7
30.Os
31.Sh NAME
32.Nm security
33.Nd
34.Nx
35security features
36.Sh DESCRIPTION
37.Nx
38supports a variety of security features.
39Below is a brief description of them with some quick usage examples
40that will help you get started.
41.Pp
42Contents:
43.Pp
44.Bl -hyphen -compact -offset indent
45.It
46Veriexec
47.Pq file integrity
48.It
49Exploit mitigation
50.It
51Per-user
52.Pa /tmp
53directory
54.It
55Information filtering
56.It
57Administrative security
58.El
59.Ss Veriexec
60.Em Veriexec
61is a file integrity subsystem.
62.Pp
63For more information about it, and a quick guide on how to use it, please see
64.Xr veriexec 8 .
65.Pp
66In a nutshell, once enabled,
67.Em Veriexec
68can be started as follows:
69.Bd -literal -offset indent
70# veriexecgen \*[Am]\*[Am] veriexecctl load
71.Ed
72.Ss Exploit mitigation
73.Nx
74incorporates some exploit mitigation features.
75The purpose of exploit mitigation features is to interfere
76with the way exploits work, in order to prevent them from succeeding.
77Due to that, some features may have other impacts on the system, so be sure to
78fully understand the implications of each feature.
79.Pp
80.Nx
81provides the following exploit mitigation features:
82.Pp
83.Bl -hyphen -compact -offset indent
84.It
85.Tn PaX ASLR
86.Pq Address Space Layout Randomization .
87.It
88.Tn PaX MPROTECT
89.Xr ( mprotect 2
90restrictions)
91.It
92.Tn PaX SegvGuard
93.It
94.Xr gcc 1
95stack-smashing protection
96.Pq Tn SSP
97.It
98bounds checked libc functions
99.Pq Tn FORTIFY_SOURCE
100.It
101Protections against
102.Dv NULL
103pointer dereferences
104.El
105.Ss PaX ASLR
106.Em PaX ASLR
107implements Address Space Layout Randomization
108.Pq Tn ASLR ,
109meant to complement non-executable mappings.
110Its purpose is to harden prediction of the address space layout, namely
111location of library and application functions that can be used by an attacker
112to circumvent non-executable mappings by using a technique called
113.Dq return to library
114to bypass the need to write new code to (potentially executable) regions of
115memory.
116.Pp
117When
118.Em PaX ASLR
119is used, it is more likely the attacker will fail to predict the addresses of
120such functions, causing the application to segfault.
121To detect cases where an attacker might try and brute-force the return address
122of respawning services,
123.Em PaX Segvguard
124can be used (see below).
125.Pp
126For non-PIE
127.Pq Position Independent Executable
128executables, the
129.Nx
130.Em PaX ASLR
131implementation introduces randomization to the following memory regions:
132.Pp
133.Bl -enum -compact -offset indent
134.It
135The stack
136.El
137.Pp
138For
139.Tn PIE
140executables:
141.Pp
142.Bl -enum -compact -offset indent
143.It
144The program itself (exec base)
145.It
146All shared libraries
147.It
148The data segment
149.It
150The stack
151.El
152.Pp
153While it can be enabled globally,
154.Nx
155provides a tool,
156.Xr paxctl 8 ,
157to enable
158.Em PaX ASLR
159on a per-program basis.
160.Pp
161Example usage:
162.Bd -literal -offset indent
163# paxctl +A /usr/sbin/sshd
164.Ed
165.Pp
166Enabling
167.Em PaX ASLR
168globally:
169.Bd -literal -offset indent
170# sysctl -w security.pax.aslr.global=1
171.Ed
172.Ss PaX MPROTECT
173.Em PaX MPROTECT
174implements memory protection restrictions,
175meant to complement non-executable mappings.
176The purpose is to prevent situations where malicious code attempts to mark
177writable memory regions as executable, often by trashing arguments to an
178.Xr mprotect 2
179call.
180.Pp
181While it can be enabled globally,
182.Nx
183provides a tool,
184.Xr paxctl 8 ,
185to enable
186.Em PaX MPROTECT
187on a per-program basis.
188.Pp
189Example usage:
190.Bd -literal -offset indent
191# paxctl +M /usr/sbin/sshd
192.Ed
193.Pp
194Enabling
195.Em PaX MPROTECT
196globally:
197.Bd -literal -offset indent
198# sysctl -w security.pax.mprotect.global=1
199.Ed
200.Ss PaX Segvguard
201.Em PaX Segvguard
202monitors the number of segmentation faults in a program on a per-user basis,
203in an attempt to detect on-going exploitation attempts and possibly prevent
204them.
205For instance,
206.Em PaX Segvguard
207can help detect when an attacker tries to brute-force a function
208return address, when attempting to perform a return-to-lib attack.
209.Pp
210.Em PaX Segvguard
211consumes kernel memory, so use it wisely.
212While it provides rate-limiting protections, records are tracked for all
213users on a per-program basis, meaning that irresponsible use may result in
214tracking all segmentation faults in the system, possibly consuming all kernel
215memory.
216.Pp
217For this reason, it is highly recommended to have
218.Em PaX Segvguard
219enabled explicitly only for network services or
220other processes deemed as critical to system security.
221Enabling
222.Em PaX Segvguard
223explicitly works like this:
224.Bd -literal -offset indent
225# paxctl +G /usr/sbin/sshd
226.Ed
227.Pp
228However, a global knob is still provided, for use in strict environments
229with no local users (for example, some network appliances, embedded devices,
230and firewalls)
231.Bd -literal -offset indent
232# sysctl -w security.pax.segvguard.global=1
233.Ed
234.Pp
235Explicitly disabling
236.Em PaX Segvguard
237is also possible:
238.Bd -literal -offset indent
239# paxctl +g /bin/ls
240.Ed
241.Pp
242In addition,
243.Em PaX Segvguard
244provides several tunable options.
245For example, to limit a program to 5 segmentation faults from the same user in
246a 60 second timeframe:
247.Bd -literal -offset indent
248# sysctl -w security.pax.segvguard.max_crashes=5
249# sysctl -w security.pax.segvguard.expiry_timeout=60
250.Ed
251.Pp
252The number of seconds a user will be suspended from running the culprit
253program is also configurable.
254For example, 10 minutes seem like a sane setting:
255.Bd -literal -offset indent
256# sysctl -w security.pax.segvguard.suspend_timeout=600
257.Ed
258.Ss GCC Stack Smashing Protection ( SSP )
259As of
260.Nx 4.0 ,
261.Xr gcc 1
262includes
263.Em SSP ,
264a set of compiler extensions to raise the bar on exploitation attempts by
265detecting corruption of variables and buffer overruns, which may be used to
266affect program control flow.
267.Pp
268Upon detection of a buffer overrun,
269.Em SSP
270will immediately abort execution of the program and send a log message
271to
272.Xr syslog 3 .
273.Pp
274The system (userland and kernel) can be built with
275.Em SSP
276by using the
277.Dq USE_SSP
278flag in
279.Pa /etc/mk.conf :
280.Bd -literal -offset indent
281USE_SSP=yes
282.Ed
283.Pp
284You are encouraged to use
285.Em SSP
286for software you build, by providing one of the
287.Fl fstack-protector
288or
289.Fl fstack-protector-all
290flags to
291.Xr gcc 1 .
292Keep in mind, however, that
293.Em SSP
294will not work for functions that make use of
295.Xr alloca 3 ,
296as the latter modifies the stack size during run-time, while
297.Em SSP
298relies on it being a compile-time static.
299.Pp
300Use of
301.Em SSP
302is especially encouraged on platforms without per-page execute bit granularity
303such as i386.
304As of
305.Nx 6.0 ,
306.Em SSP
307is used by default on i386 and amd64 architectures.
308.Ss FORTIFY_SOURCE
309The so-called
310.Em FORTIFY_SOURCE
311is a relatively simple technique to detect a subset of buffer overflows
312before these can do damage.
313It is integrated to
314.Xr gcc 1
315together with some common memory and string functions in the standard
316C library of
317.Nx .
318.Pp
319The underlying idea builds on the observation that there are cases where
320the compiler knows the size of a buffer.
321If a buffer overflow is suspected in a function that does little or no
322bounds checking, either a compile time warning can be issued or a
323safer substitute function can be used at runtime.
324Refer to
325.Xr ssp 3
326for additional details.
327.Pp
328The
329.Em FORTIFY_SOURCE
330is enabled by default in some parts of the
331.Nx
332source tree.
333It is also possible to explicitly enable it by defining
334the following in
335.Xr mk.conf 5 :
336.Bd -literal -offset indent
337USE_FORT=yes
338.Ed
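.Pp
The following shell function is an added example; it is not part of this
manual page or of the
.Nx
sources.
It reads
.Xr nm 1
output and reports whether a binary references the
.Em SSP
failure handler
.Pq Sy __stack_chk_fail
and any of the
.Em FORTIFY_SOURCE
.Dq _chk
substitute functions, which is a quick way to verify that the flags described
above actually took effect in a program you built.
The function name and the
.Xr nm 1
lines embedded in it are the example's own; the sample lines are constructed,
not captured from a real binary.
.Bd -literal -offset indent
```shell
#!/bin/sh
# Added example (not from the NetBSD security(7) page): report whether a
# binary references the SSP failure handler and FORTIFY_SOURCE helpers.
# Input is nm(1) output on stdin; a "U" type marks a symbol the binary
# imports from a library, which is how a protected program reaches libc.

# hardening_report: prints a two-line verdict plus every *_chk helper seen.
# Exit status: 0 = both SSP and FORTIFY references present, 1 = only one,
# 2 = neither.
hardening_report() {
    awk '
        # Only lines with a symbol type and name; skips blank lines and
        # the "file:" headers nm prints when given several files.
        NF >= 2 && $(NF - 1) == "U" {
            sym = $NF
            sub(/@.*/, "", sym)     # drop any @VERSION suffix (ELF versioning)
            if (sym == "__stack_chk_fail")
                ssp = 1
            else if (sym ~ /^__[a-z0-9_]+_chk$/) {
                fort = 1
                chk[sym] = 1
            }
        }
        END {
            v = ssp ? "yes" : "no"
            print "SSP (__stack_chk_fail referenced): " v
            v = fort ? "yes" : "no"
            print "FORTIFY_SOURCE (*_chk helpers referenced): " v
            for (s in chk) print "    " s
            exit (2 - ssp - fort)
        }'
}

# Constructed sample of "nm -D" output for a program built with both
# protections; it is not taken from a real binary.
SAMPLE_NM='                 U __stack_chk_fail
                 U __memcpy_chk
                 U __strcpy_chk
0000000000001234 T main
                 U printf'

# Live use on a dynamically linked program (use plain nm for a static one):
#   nm -D /usr/sbin/sshd | hardening_report
echo "$SAMPLE_NM" | hardening_report
```
.Ed
.Pp
Absence of
.Sy __stack_chk_fail
does not by itself prove that
.Em SSP
was left out: with plain
.Fl fstack-protector
only functions whose local buffers reach a compiler-defined size threshold
receive a canary, so a program without such functions never references the
handler; build with
.Fl fstack-protector-all
if you want every function covered.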
.Ss Protections against NULL pointer dereferences
A certain class of attacks relies on kernel bugs that dereference
.Dv NULL
pointers.
If user processes are allowed to map the virtual address 0 with
.Xr mmap 2
or by other means, there is a risk that attacker-controlled code or data
placed at that address will be used by the kernel when it dereferences such
a pointer.
.Pp
In
.Nx
it is possible to restrict whether user processes are
allowed to make mappings at the zero address.
By default, address 0 mappings are restricted on all architectures.
It is however known that some third-party programs
may not function properly with the restriction.
Such mappings can be allowed either by using the
.Dv USER_VA0_DISABLE_DEFAULT
kernel configuration option or by changing the following variable at runtime:
.Bd -literal -offset indent
# sysctl -w vm.user_va0_disable=0
.Ed
.Pp
Note that if
.Em securelevel
(see
.Xr secmodel_securelevel 9 )
is greater than zero, it is not possible to change the
.Xr sysctl 8
variable.
.Ss Per-user temporary storage
It is possible to configure per-user temporary storage to avoid potential
security issues (race conditions, etc.) in programs that do not use
.Pa /tmp
securely.
.Pp
To enable per-user temporary storage, add the following line to
.Xr rc.conf 5 :
.Bd -literal -offset indent
per_user_tmp=YES
.Ed
.Pp
If
.Pa /tmp
is a mount point, you will also need to update its
.Xr fstab 5
entry to use
.Dq /private/tmp
(or whatever directory you want, if you override the default using the
.Dq per_user_tmp_dir
.Xr rc.conf 5
keyword) instead of
.Dq /tmp .
.Pp
Following that, run:
.Bd -literal -offset indent
# /etc/rc.d/perusertmp start
.Ed
.Pp
The per-user temporary storage is implemented by using
.Dq magic symlinks .
These are further described in
.Xr symlink 7 .
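.Pp
The following shell function is an added example; it is not part of this
manual page or of the
.Nx
sources.
It performs the
.Xr fstab 5
edit described above in a reviewable way: it reads an
.Xr fstab 5
on standard input and prints it with the mount point of the
.Pa /tmp
entry replaced by the per-user directory, so the result can be diffed
against the original before it is installed.
The function name is the example's own and the
.Xr fstab 5
lines inside it are constructed, not copied from a real host.
.Bd -literal -offset indent
```shell
#!/bin/sh
# Added example (not from the NetBSD security(7) page): rewrite the fstab(5)
# entry for /tmp so that it mounts on the per-user target directory.

# rewrite_tmp_fstab [TARGET]: read fstab(5) lines on stdin and print them
# with the mount-point field of the /tmp entry replaced by TARGET (default
# /private/tmp, the per_user_tmp_dir default). Comments and blank lines
# pass through untouched. Exit status is 1 when no /tmp entry was found,
# so a caller can tell "nothing to do" from "rewritten".
# Note: awk rebuilds a modified line with single spaces between fields,
# so a tab-aligned entry comes out space-separated (still a valid fstab).
rewrite_tmp_fstab() {
    awk -v target="${1:-/private/tmp}" '
        /^[[:space:]]*(#|$)/ { print; next }    # comment or blank line
        $2 == "/tmp" { $2 = target; found = 1 }
        { print }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample fstab, not copied from a real host.
SAMPLE_FSTAB='# constructed sample
/dev/wd0a / ffs rw 1 1
/dev/wd0b none swap sw 0 0
tmpfs /tmp tmpfs rw,-m1777,-sram%25 0 0'

# Live use: review the change as a diff, then install it.
#   rewrite_tmp_fstab < /etc/fstab | diff -u /etc/fstab -
#   rewrite_tmp_fstab < /etc/fstab > /etc/fstab.new && mv /etc/fstab.new /etc/fstab
echo "$SAMPLE_FSTAB" | rewrite_tmp_fstab
```
.Ed
.Pp
Pass the directory as the first argument when
.Dq per_user_tmp_dir
overrides the default, so the
.Xr fstab 5
entry and the
.Xr rc.conf 5
setting stay in agreement.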
.Ss Information filtering
.Nx
gives administrators the ability to restrict information passed from
the kernel to userland so that users can only view information they
.Dq own .
.Pp
The hooks that manage this restriction are located in various parts of the
system and affect programs such as
.Xr ps 1 ,
.Xr fstat 1 ,
and
.Xr netstat 1 .
Information filtering is enabled as follows:
.Bd -literal -offset indent
# sysctl -w security.curtain=1
.Ed
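.Pp
The following shell function is an added example; it is not part of this
manual page or of the
.Nx
sources.
It audits the
.Xr sysctl 8
knobs introduced in the PaX, NULL pointer dereference and information
filtering sections above against an assumed baseline, which serves as a
post-configuration check or a periodic job.
The function name and the baseline values are the example's own choice and
should be adjusted to local policy; the
.Xr sysctl 8
output inside it is constructed, not taken from a real host.
.Bd -literal -offset indent
```shell
#!/bin/sh
# Added example (not from the NetBSD security(7) page): audit the sysctl(8)
# knobs from the PaX, address-0 mapping and information filtering sections
# against a baseline.

# Assumed baseline (adjust to local policy): PaX ASLR and MPROTECT on
# globally, address-0 mappings restricted, information filtering on.
# security.pax.segvguard.global is left out on purpose, since the page
# recommends enabling Segvguard per program rather than globally.
PAX_BASELINE='
security.pax.aslr.global=1
security.pax.mprotect.global=1
vm.user_va0_disable=1
security.curtain=1
'

# audit_pax_knobs: read "name = value" lines (the format sysctl(8) prints)
# on stdin, print one line per knob that is missing or differs from the
# baseline, and return the number of such knobs (0 means compliant).
audit_pax_knobs() {
    _input=$(cat)
    _bad=0
    for _entry in $PAX_BASELINE; do
        _name=${_entry%=*}
        _want=${_entry#*=}
        # String-compare the name in awk; in a regex "." would be a wildcard
        # and "security.pax.aslr.global" could match unrelated knobs.
        _have=$(echo "$_input" |
            awk -v n="$_name" '$1 == n && $2 == "=" { print $3; exit }')
        if [ -z "$_have" ]; then
            echo "$_name: not reported (knob absent from this kernel?)"
            _bad=$((_bad + 1))
        elif [ "$_have" != "$_want" ]; then
            echo "$_name = $_have (baseline wants $_want)"
            _bad=$((_bad + 1))
        fi
    done
    return $_bad
}

# Constructed sample of sysctl(8) output, not captured from a real host:
# MPROTECT is off and the curtain knob is missing, so two findings.
SAMPLE_SYSCTL='security.pax.aslr.global = 1
security.pax.mprotect.global = 0
security.pax.segvguard.global = 0
vm.user_va0_disable = 1'

# Live use:
#   sysctl security.pax vm.user_va0_disable security.curtain | audit_pax_knobs
echo "$SAMPLE_SYSCTL" | audit_pax_knobs || echo "$? knob(s) differ from the baseline"
```
.Ed
.Pp
Because the function only consumes the
.Dq name = value
lines that
.Xr sysctl 8
prints, it can be fed either a live query or a report saved from another
host, and its exit status can drive a cron job or monitoring check directly.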
.Ss Administrative security
Certain administrative tasks are also related to security.
For instance, the daily maintenance script includes some basic
consistency checks; see
.Xr security.conf 5
for more details.
In particular, it is possible to configure
.Nx
to automatically audit all third-party packages installed via
.Xr pkgsrc 7 .
To audit for any known vulnerabilities on a daily basis, set the following in
.Pa /etc/daily.conf :
.Bd -literal -offset indent
fetch_pkg_vulnerabilities=YES
.Ed
.Sh SEE ALSO
.Xr ssp 3 ,
.Xr options 4 ,
.Xr paxctl 8 ,
.Xr sysctl 8 ,
.Xr veriexec 8 ,
.Xr kauth 9
.\"
.Rs
.%A Joseph Kong
.%B "Designing BSD Rootkits: An Introduction to Kernel Hacking"
.%D 2007
.%I "No Starch Press"
.Re
.\"
.Rs
.%A Enrico Perla
.%A Massimiliano Oldani
.%B "A Guide to Kernel Exploitation: Attacking the Core"
.%D 2010
.%I "Elsevier"
.Re
.\"
.Rs
.%A Erik Buchanan
.%A Ryan Roemer
.%A Hovav Shacham
.%A Stefan Savage
.%T "When Good Instructions Go Bad: \
Generalizing Return-Oriented Programming to RISC"
.%P 27-38
.%O CCS '08: Proceedings of the 15th ACM Conference \
on Computer and Communications Security
.%I ACM Press
.%D October 27-31, 2008
.%U http://cseweb.ucsd.edu/~hovav/dist/sparc.pdf
.Re
.\"
.Rs
.%A Sebastian Krahmer
.%T "x86-64 Buffer Overflow Exploits and \
the Borrowed Code Chunks Exploitation Technique"
.%D September 28, 2005
.%U http://www.suse.de/~krahmer/no-nx.pdf
.Re
.Sh AUTHORS
Many of the security features were pioneered by
.An Elad Efrat Aq Mt elad@NetBSD.org .