xref: /netbsd-src/share/man/man7/security.7 (revision aad9773e38ed2370a628a6416e098f9008fc10a7)
1.\" $NetBSD: security.7,v 1.11 2014/03/18 18:20:40 riastradh Exp $
2.\"
3.\" Copyright (c) 2006, 2011 Elad Efrat <elad@NetBSD.org>
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\" 3. The name of the author may not be used to endorse or promote products
15.\"    derived from this software without specific prior written permission.
16.\"
17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27.\"
28.Dd March 30, 2011
29.Dt SECURITY 7
30.Os
31.Sh NAME
32.Nm security
33.Nd
34.Nx
35security features
36.Sh DESCRIPTION
37.Nx
38supports a variety of security features.
39Below is a brief description of them with some quick usage examples
40that will help you get started.
41.Pp
42Contents:
43.Pp
44.Bl -hyphen -compact -offset indent
45.It
46Veriexec
47.Pq file integrity
48.It
49Exploit mitigation
50.It
51Per-user
52.Pa /tmp
53directory
54.It
55Information filtering
56.It
57Administrative security
58.El
.Ss Veriexec
.Em Veriexec
is a file integrity subsystem.
.Pp
For more information about it, and a quick guide on how to use it, please see
.Xr veriexec 8 .
.Pp
In a nutshell, once enabled,
.Em Veriexec
can be started as follows:
.Bd -literal -offset indent
# veriexecgen \*[Am]\*[Am] veriexecctl load
.Ed
.Ss Exploit mitigation
.Nx
incorporates some exploit mitigation features.
The purpose of exploit mitigation features is to interfere
with the way exploits work, in order to prevent them from succeeding.
Because of that, some features may have other impacts on the system, so be
sure to fully understand the implications of each feature before enabling it.
.Pp
.Nx
provides the following exploit mitigation features:
.Pp
.Bl -hyphen -compact -offset indent
.It
.Tn PaX ASLR
.Pq Address Space Layout Randomization .
.It
.Tn PaX MPROTECT
.Xr ( mprotect 2
restrictions)
.It
.Tn PaX SegvGuard
.It
.Xr gcc 1
stack-smashing protection
.Pq Tn SSP
.It
bounds-checked libc functions
.Pq Tn FORTIFY_SOURCE
.It
Protections against
.Dv NULL
pointer dereferences
.El
.Ss PaX ASLR
.Em PaX ASLR
implements Address Space Layout Randomization
.Pq Tn ASLR ,
meant to complement non-executable mappings.
Its purpose is to make the layout of the address space hard to predict,
in particular the location of library and application functions that an
attacker can reuse to circumvent non-executable mappings with a technique
called
.Dq return to library
(return-to-libc), which avoids the need to write new code into (potentially
executable) regions of memory.
.Pp
When
.Em PaX ASLR
is used, the attacker is more likely to fail to predict the addresses of
such functions, so the application segfaults instead of being hijacked.
To detect cases where an attacker tries to brute-force the return address
of a respawning service,
.Em PaX Segvguard
can be used (see below).
.Pp
For non-PIE
.Pq Position Independent Executable
executables, the
.Nx
.Em PaX ASLR
implementation introduces randomization to the following memory regions:
.Pp
.Bl -enum -compact -offset indent
.It
The data segment
.It
The stack
.El
.Pp
For
.Tn PIE
executables:
.Pp
.Bl -enum -compact -offset indent
.It
The program itself (exec base)
.It
All shared libraries
.It
The data segment
.It
The stack
.El
.Pp
While it can be enabled globally,
.Nx
provides a tool,
.Xr paxctl 8 ,
to enable
.Em PaX ASLR
on a per-program basis.
.Pp
Example usage:
.Bd -literal -offset indent
# paxctl +A /usr/sbin/sshd
.Ed
.Pp
Enabling
.Em PaX ASLR
globally:
.Bd -literal -offset indent
# sysctl -w security.pax.aslr.global=1
.Ed
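.Pp
Whether a binary falls in the first or the second list above is decided by
how it was linked: a
.Tn PIE
is an ELF object of type
.Dv ET_DYN
(the same type as a shared library), while a traditional executable is
.Dv ET_EXEC .
The following C program is an added example, not part of
.Nx
or of
.Xr paxctl 8 ,
that reads the ELF header of a file and reports which of the two
randomization regimes
.Em PaX ASLR
will apply to it.
The two embedded headers are constructed test inputs, not real binaries.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* How the ELF loader will treat the file, as far as ASLR is concerned. */
enum exec_kind {
	EXEC_NOT_ELF = -1,  /* not an ELF file at all */
	EXEC_FIXED   = 0,   /* ET_EXEC: fixed base, only data segment and stack randomized */
	EXEC_PIE     = 1,   /* ET_DYN: base, libraries, data segment and stack randomized */
	EXEC_OTHER   = 2    /* ET_REL, ET_CORE, ...: not directly executable */
};

/*
 * Classify a buffer holding the start of an ELF file. Only e_ident and e_type
 * are consulted; e_type sits at offset 16 in both ELF32 and ELF64 headers, so
 * 18 bytes are enough. The byte order is taken from EI_DATA so headers from
 * foreign-endian targets are decoded correctly too.
 */
enum exec_kind exec_kind_of_header(const unsigned char *hdr, size_t len)
{
	static const unsigned char magic[4] = { 0x7f, 'E', 'L', 'F' };
	unsigned e_type;

	if (len < 18 || memcmp(hdr, magic, sizeof magic) != 0)
		return EXEC_NOT_ELF;
	if (hdr[5] == 1)                    /* ELFDATA2LSB */
		e_type = hdr[16] | ((unsigned)hdr[17] << 8);
	else if (hdr[5] == 2)               /* ELFDATA2MSB */
		e_type = ((unsigned)hdr[16] << 8) | hdr[17];
	else
		return EXEC_NOT_ELF;

	switch (e_type) {
	case 2:  return EXEC_FIXED;
	case 3:  return EXEC_PIE;
	default: return EXEC_OTHER;
	}
}

/* Same classification for a file on disk. */
enum exec_kind exec_kind_of_file(const char *path)
{
	unsigned char hdr[64];
	size_t n;
	FILE *fp = fopen(path, "rb");

	if (fp == NULL)
		return EXEC_NOT_ELF;
	n = fread(hdr, 1, sizeof hdr, fp);
	fclose(fp);
	return exec_kind_of_header(hdr, n);
}

/* Constructed sample headers: a little-endian ELF64 ET_EXEC and a big-endian ELF32 ET_DYN. */
const unsigned char sample_exec_le64[18] = {
	0x7f, 'E', 'L', 'F', 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x02, 0x00 };
const unsigned char sample_dyn_be32[18] = {
	0x7f, 'E', 'L', 'F', 1, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x00, 0x03 };

static const char *exec_kind_name(enum exec_kind k)
{
	switch (k) {
	case EXEC_FIXED: return "ET_EXEC: non-PIE, ASLR randomizes data segment and stack only";
	case EXEC_PIE:   return "ET_DYN: PIE (or shared library), ASLR also randomizes exec base and libraries";
	case EXEC_OTHER: return "ELF, but not an executable image";
	default:         return "not an ELF file";
	}
}

int main(int argc, char **argv)
{
	int i;

	if (argc == 1) {    /* no files given: classify the constructed samples */
		printf("sample_exec_le64: %s\n", exec_kind_name(exec_kind_of_header(sample_exec_le64, 18)));
		printf("sample_dyn_be32:  %s\n", exec_kind_name(exec_kind_of_header(sample_dyn_be32, 18)));
	}
	for (i = 1; i < argc; i++)
		printf("%s: %s\n", argv[i], exec_kind_name(exec_kind_of_file(argv[i])));
	return 0;
}
```
.Pp
Run it with the paths of the daemons you intend to protect (for example
.Pa /usr/sbin/sshd ) ;
a result of ET_EXEC means that enabling
.Em PaX ASLR
for that program randomizes only its data segment and stack, and that a
rebuild as
.Tn PIE
is needed to randomize the code as well.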
.Ss PaX MPROTECT
.Em PaX MPROTECT
implements memory protection restrictions,
meant to complement non-executable mappings.
Its purpose is to prevent situations where malicious code attempts to mark
writable memory regions as executable, often by tampering with the arguments
of an
.Xr mprotect 2
call.
.Pp
While it can be enabled globally,
.Nx
provides a tool,
.Xr paxctl 8 ,
to enable
.Em PaX MPROTECT
on a per-program basis.
.Pp
Example usage:
.Bd -literal -offset indent
# paxctl +M /usr/sbin/sshd
.Ed
.Pp
Enabling
.Em PaX MPROTECT
globally:
.Bd -literal -offset indent
# sysctl -w security.pax.mprotect.global=1
.Ed
.Ss PaX Segvguard
.Em PaX Segvguard
monitors the number of segmentation faults a program takes, on a per-user
basis, in an attempt to detect ongoing exploitation attempts and possibly
prevent them.
For instance,
.Em PaX Segvguard
can help detect when an attacker tries to brute-force a function
return address while attempting a return-to-lib attack.
.Pp
.Em PaX Segvguard
consumes kernel memory, so use it wisely.
While it provides rate-limiting protections, records are tracked for all
users on a per-program basis, meaning that irresponsible use may result in
tracking all segmentation faults in the system, possibly consuming all kernel
memory.
.Pp
For this reason, it is highly recommended to enable
.Em PaX Segvguard
explicitly only for network services or
other processes deemed critical to system security.
Enabling
.Em PaX Segvguard
explicitly works like this:
.Bd -literal -offset indent
# paxctl +G /usr/sbin/sshd
.Ed
.Pp
However, a global knob is still provided, for use in strict environments
with no local users (for example, some network appliances, embedded devices,
and firewalls):
.Bd -literal -offset indent
# sysctl -w security.pax.segvguard.global=1
.Ed
.Pp
Explicitly disabling
.Em PaX Segvguard
for a program is also possible:
.Bd -literal -offset indent
# paxctl +g /bin/ls
.Ed
.Pp
In addition,
.Em PaX Segvguard
provides several tunable options.
For example, to limit a program to 5 segmentation faults from the same user in
a 60 second timeframe:
.Bd -literal -offset indent
# sysctl -w security.pax.segvguard.max_crashes=5
# sysctl -w security.pax.segvguard.expiry_timeout=60
.Ed
.Pp
The number of seconds a user will be suspended from running the culprit
program is also configurable.
For example, 10 minutes seems like a sane setting:
.Bd -literal -offset indent
# sysctl -w security.pax.segvguard.suspend_timeout=600
.Ed
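.Pp
The three tunables interact as a sliding window followed by a penalty:
crashes of one program by one user are counted until they are older than
.Dq expiry_timeout
seconds, and once
.Dq max_crashes
of them are live the user is refused that program for
.Dq suspend_timeout
seconds.
The following C code is an added, user-space model of that policy written for
this page; it is not the kernel implementation.
Its fixed-size record table, which refuses to track new (user, program) pairs
when full, stands in for the bounded kernel memory the warning above refers
to.
The timestamps and user IDs in the demonstration scenario are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define SG_MAX_RECORDS 64   /* models the bounded kernel memory budget */
#define SG_MAX_CRASHES 16   /* crash timestamps remembered per record */

struct sg_record {
	int in_use;
	unsigned uid;
	char prog[64];
	time_t crash_at[SG_MAX_CRASHES];
	unsigned ncrash;
	time_t suspended_until;  /* 0 when not suspended */
};

struct sg_table {
	unsigned max_crashes;      /* security.pax.segvguard.max_crashes */
	time_t expiry_timeout;     /* security.pax.segvguard.expiry_timeout */
	time_t suspend_timeout;    /* security.pax.segvguard.suspend_timeout */
	struct sg_record rec[SG_MAX_RECORDS];
};

void sg_init(struct sg_table *t, unsigned max_crashes, time_t expiry, time_t suspend)
{
	memset(t, 0, sizeof *t);
	t->max_crashes = max_crashes;
	t->expiry_timeout = expiry;
	t->suspend_timeout = suspend;
}

/* Forget crashes older than expiry_timeout; return how many remain in the window. */
static unsigned sg_expire(const struct sg_table *t, struct sg_record *r, time_t now)
{
	unsigned i, keep = 0;
	for (i = 0; i < r->ncrash; i++)
		if (now - r->crash_at[i] < t->expiry_timeout)
			r->crash_at[keep++] = r->crash_at[i];
	return r->ncrash = keep;
}

/* Find the (uid, prog) record; if absent and alloc is set, take a free or idle slot. */
static struct sg_record *sg_lookup(struct sg_table *t, unsigned uid, const char *prog, time_t now, int alloc)
{
	struct sg_record *slot = NULL;
	int i;
	for (i = 0; i < SG_MAX_RECORDS; i++) {
		struct sg_record *r = &t->rec[i];
		if (r->in_use && r->uid == uid && strcmp(r->prog, prog) == 0)
			return r;
		/* idle records (no live crashes, no suspension) may be reclaimed */
		if (r->in_use && r->suspended_until <= now && sg_expire(t, r, now) == 0)
			r->in_use = 0;
		if (!r->in_use && slot == NULL)
			slot = r;
	}
	if (!alloc || slot == NULL)
		return NULL;             /* not tracked, or budget exhausted */
	memset(slot, 0, sizeof *slot);
	slot->in_use = 1;
	slot->uid = uid;
	strncpy(slot->prog, prog, sizeof slot->prog - 1);
	return slot;
}

/* 1 if uid may run prog at time now, 0 if suspended. */
int sg_exec_allowed(struct sg_table *t, unsigned uid, const char *prog, time_t now)
{
	struct sg_record *r = sg_lookup(t, uid, prog, now, 0);
	return r == NULL || r->suspended_until <= now;
}

/* Record a segfault. 1 = this crash started a suspension, 0 = counted only, -1 = untracked. */
int sg_record_crash(struct sg_table *t, unsigned uid, const char *prog, time_t now)
{
	struct sg_record *r = sg_lookup(t, uid, prog, now, 1);
	if (r == NULL)
		return -1;
	if (r->suspended_until > now)
		return 0;
	sg_expire(t, r, now);
	if (r->ncrash < SG_MAX_CRASHES)
		r->crash_at[r->ncrash++] = now;
	if (r->ncrash < t->max_crashes)
		return 0;
	r->suspended_until = now + t->suspend_timeout;
	r->ncrash = 0;
	return 1;
}

/* Scenario with the text's values (5 crashes / 60 s, 600 s penalty); 0 if every expectation holds. */
struct sg_table sg_demo_table;
int sg_demo(void)
{
	struct sg_table *t = &sg_demo_table;
	const char *p = "/usr/sbin/sshd";
	int i;
	sg_init(t, 5, 60, 600);
	for (i = 0; i < 4; i++)
		if (sg_record_crash(t, 1000, p, 1000 + i) != 0) return 1;  /* 4 crashes: still allowed */
	if (sg_record_crash(t, 1000, p, 1005) != 1) return 2;          /* 5th within 60 s: suspended */
	if (sg_exec_allowed(t, 1000, p, 1100)) return 3;               /* locked out for 600 s */
	if (!sg_exec_allowed(t, 1001, p, 1100)) return 4;              /* another user is unaffected */
	if (!sg_exec_allowed(t, 1000, p, 1605)) return 5;              /* penalty has expired */
	for (i = 0; i < 4; i++) sg_record_crash(t, 1000, p, 2000 + i);
	if (sg_record_crash(t, 1000, p, 2100) != 0) return 6;          /* window expired: no penalty */
	return 0;
}

int main(void)
{
	int rc = sg_demo();
	printf("segvguard model: %s (code %d)\n", rc == 0 ? "all checks passed" : "check failed", rc);
	return rc != 0;
}
```
.Pp
The model makes the trade-off behind the warning visible: every distinct
(user, program) pair that ever crashes costs a record until its window has
expired, so enabling the feature for a program that every local user runs
multiplies the records by the number of users.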
.Ss GCC Stack Smashing Protection ( SSP )
As of
.Nx 4.0 ,
.Xr gcc 1
includes
.Em SSP ,
a set of compiler extensions that raise the bar on exploitation attempts by
detecting corruption of variables and buffer overruns that could otherwise
be used to alter program control flow.
.Pp
Upon detection of a buffer overrun,
.Em SSP
immediately aborts execution of the program and sends a log message
to
.Xr syslog 3 .
.Pp
The system (userland and kernel) can be built with
.Em SSP
by using the
.Dq USE_SSP
flag in
.Pa /etc/mk.conf :
.Bd -literal -offset indent
USE_SSP=yes
.Ed
.Pp
You are encouraged to use
.Em SSP
for software you build, by passing one of the
.Fl fstack-protector
or
.Fl fstack-protector-all
flags to
.Xr gcc 1 .
Keep in mind, however, that
.Em SSP
will not work for functions that make use of
.Xr alloca 3 ,
as the latter modifies the stack size at run time, while
.Em SSP
relies on it being a compile-time constant.
.Pp
Use of
.Em SSP
is especially encouraged on platforms without per-page execute bit granularity,
such as i386.
As of
.Nx 6.0 ,
.Em SSP
is used by default on the i386 and amd64 architectures.
.Ss FORTIFY_SOURCE
The so-called
.Em FORTIFY_SOURCE
is a relatively simple technique to detect a subset of buffer overflows
before they can do damage.
It is integrated into
.Xr gcc 1
together with some common memory and string functions in the standard
C library of
.Nx .
.Pp
The underlying idea builds on the observation that there are cases where
the compiler knows the size of a buffer.
If a buffer overflow is suspected in a function that does little or no
bounds checking, either a compile-time warning can be issued or a
safer substitute function can be used at run time.
Refer to
.Xr ssp 3
for additional details.
.Pp
.Em FORTIFY_SOURCE
is enabled by default in some parts of the
.Nx
source tree.
It is also possible to explicitly enable it by defining
the following in
.Xr mk.conf 5 :
.Bd -literal -offset indent
USE_FORT=yes
.Ed
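.Pp
The
.Dq compiler knows the size
observation can be seen directly: the builtin
.Fn __builtin_object_size
of
.Xr gcc 1
(also available in clang) evaluates to the number of bytes left in the
destination object when that is knowable at compile time, and to (size_t)-1
otherwise.
The following C code is an added example written for this page, not the
.Xr ssp 3
wrappers themselves; it uses that builtin to implement a checked string copy
and shows both the case the check catches and the case it cannot, where the
destination arrives through a pointer and its size is unknown.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * FORTIFY in miniature. The macro captures the destination's size as seen by
 * the compiler at the call site; the function then checks the copy against
 * it. (size_t)-1 means "unknown", in which case the copy must go ahead
 * unchecked, which is exactly the limitation of the real mechanism.
 */
#define BOUNDED_STRCPY(dst, src) \
	bounded_strcpy_impl((dst), __builtin_object_size((dst), 0), (src))

/* 0 on success; -1 if the copy would overflow a known-size destination (nothing is written). */
int bounded_strcpy_impl(char *dst, size_t dst_size, const char *src)
{
	size_t need = strlen(src) + 1;          /* including the terminator */

	if (dst_size != (size_t)-1 && need > dst_size)
		return -1;                      /* the fortified libc aborts here instead */
	memcpy(dst, src, need);
	return 0;
}

/* Size reported for a destination the compiler can see: a local array. */
size_t reported_size_local_array(void)
{
	char buf[8];
	return __builtin_object_size(buf, 0);   /* 8 */
}

/* Size reported for a destination reached only through a pointer parameter. */
__attribute__((noinline)) size_t reported_size_via_pointer(char *p)
{
	return __builtin_object_size(p, 0);     /* normally (size_t)-1: unknown */
}

/* The check fires: "sshd" fits in 8 bytes, the long string does not and is rejected. */
int demo_known_size_blocks_overflow(void)
{
	char buf[8] = "";
	int small = BOUNDED_STRCPY(buf, "sshd");
	int big = BOUNDED_STRCPY(buf, "this does not fit");
	return small == 0 && big == -1 && strcmp(buf, "sshd") == 0;
}

/* The check cannot fire: the callee sees only a char *, so the copy is unchecked. */
__attribute__((noinline)) static int copy_via_pointer(char *dst, const char *src)
{
	return BOUNDED_STRCPY(dst, src);
}

int demo_unknown_size_is_unchecked(void)
{
	char buf[32];
	/* "ls" fits, so this is safe; the point is that no size check was possible here */
	return copy_via_pointer(buf, "ls") == 0 && strcmp(buf, "ls") == 0;
}

int main(void)
{
	char scratch[16];
	printf("local array size seen by compiler: %zu\n", reported_size_local_array());
	printf("size seen through a pointer:       %zd (negative means unknown)\n",
	    (ptrdiff_t)reported_size_via_pointer(scratch));
	printf("overflow into known-size buffer blocked: %s\n", demo_known_size_blocks_overflow() ? "yes" : "no");
	printf("copy through opaque pointer unchecked:   %s\n", demo_unknown_size_is_unchecked() ? "yes" : "no");
	return 0;
}
```
.Pp
This is why
.Em FORTIFY_SOURCE
complements rather than replaces
.Em SSP :
a copy into a buffer handed down through several pointer parameters is
invisible to the size check, but an overrun there still trips the stack
canary.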
.Ss Protections against NULL pointer dereferences
A certain class of attacks relies on kernel bugs that dereference
.Dv NULL
pointers.
If user processes are allowed to map the virtual address 0 with
.Xr mmap 2
or by other means, there is a risk that code or data placed there by the
user is what such a kernel dereference ends up reading or executing.
.Pp
In
.Nx
it is possible to restrict whether user processes are
allowed to make mappings at the zero address.
By default, address 0 mappings are restricted
on the i386 and amd64 architectures.
It is, however, known that some third-party programs
may not function properly with the restriction.
Such mappings can be allowed either by using the
.Dv USER_VA0_DISABLE_DEFAULT
kernel configuration option or by changing the following variable at run time:
.Bd -literal -offset indent
# sysctl -w vm.user_va0_disable=0
.Ed
.Pp
Note that if
.Em securelevel
(see
.Xr secmodel_securelevel 9 )
is greater than zero, it is not possible to change this
.Xr sysctl 8
variable.
.Ss Per-user temporary storage
It is possible to configure per-user temporary storage to avoid potential
security issues (race conditions, etc.) in programs that do not make secure
usage of
.Pa /tmp .
.Pp
To enable per-user temporary storage, add the following line to
.Xr rc.conf 5 :
.Bd -literal -offset indent
per_user_tmp=YES
.Ed
.Pp
If
.Pa /tmp
is a mount point, you will also need to update its
.Xr fstab 5
entry to use
.Dq /private/tmp
(or whatever directory you want, if you override the default using the
.Dq per_user_tmp_dir
.Xr rc.conf 5
keyword) instead of
.Dq /tmp .
.Pp
Following that, run:
.Bd -literal -offset indent
# /etc/rc.d/perusertmp start
.Ed
.Pp
The per-user temporary storage is implemented by using
.Dq magic symlinks .
These are further described in
.Xr symlink 7 .
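.Pp
The insecure usage in question is typically a program that opens a
predictable name under
.Pa /tmp
without
.Dv O_EXCL ,
which lets any local user plant a symbolic link there first and redirect the
write.
Per-user temporary storage removes the shared namespace, but the program-side
fix matters too.
The following C program is an added example, not part of
.Nx ;
it stages the attack inside a private directory created with
.Xr mkdtemp 3
(no real
.Pa /tmp
entry is touched), shows the naive
.Xr open 2
following the planted link, and shows two ways of opening that are not fooled:
.Xr open 2
with the O_CREAT, O_EXCL and O_NOFOLLOW flags, and
.Xr mkstemp 3 .

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Stage the classic /tmp symlink attack in a private scratch directory and
 * return a bitmask of what happened:
 *   bit 0: the naive open(O_CREAT|O_TRUNC) followed the planted link and
 *          truncated the victim file,
 *   bit 1: open(O_CREAT|O_EXCL|O_NOFOLLOW) on the same name refused,
 *   bit 2: mkstemp() created a fresh regular file under an unpredictable name.
 * Returns 7 when the attack works against the naive open and both hardened
 * variants hold; -1 if the scenario itself could not be set up.
 */
int tmp_symlink_demo(void)
{
	char dir[] = "/tmp/tmpdemo.XXXXXX";
	char victim[128], planted[128], tmpl[128];
	const char secret[] = "keep me\n";
	struct stat st;
	int fd, result = 0;

	if (mkdtemp(dir) == NULL)
		return -1;
	snprintf(victim, sizeof victim, "%s/victim.conf", dir);
	snprintf(planted, sizeof planted, "%s/prog.tmp", dir);   /* the predictable name */

	/* the file the attacker wants destroyed */
	if ((fd = open(victim, O_WRONLY | O_CREAT, 0600)) < 0)
		return -1;
	if (write(fd, secret, sizeof secret - 1) != (ssize_t)(sizeof secret - 1))
		result = -1;
	close(fd);
	if (result < 0)
		return -1;

	/* attacker wins the race: a symlink now sits at the predictable name */
	if (symlink(victim, planted) != 0)
		return -1;

	/* 1. naive program: follows the link and truncates the victim */
	if ((fd = open(planted, O_WRONLY | O_CREAT | O_TRUNC, 0600)) >= 0)
		close(fd);
	if (stat(victim, &st) == 0 && st.st_size == 0)
		result |= 1;

	/* 2. hardened open: must create the file itself, must not follow links */
	fd = open(planted, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
	if (fd < 0 && (errno == EEXIST || errno == ELOOP))
		result |= 2;
	else if (fd >= 0)
		close(fd);

	/* 3. mkstemp: unpredictable name, created with O_EXCL by libc */
	snprintf(tmpl, sizeof tmpl, "%s/prog.XXXXXX", dir);
	if ((fd = mkstemp(tmpl)) >= 0) {
		close(fd);
		if (strcmp(tmpl, planted) != 0 && lstat(tmpl, &st) == 0 && S_ISREG(st.st_mode))
			result |= 4;
		unlink(tmpl);
	}

	unlink(planted);
	unlink(victim);
	rmdir(dir);
	return result;
}

int main(void)
{
	int r = tmp_symlink_demo();

	if (r < 0) {
		perror("setup");
		return 1;
	}
	printf("naive open clobbered the victim through the link: %s\n", (r & 1) ? "yes" : "no");
	printf("O_EXCL|O_NOFOLLOW open refused the planted name:  %s\n", (r & 2) ? "yes" : "no");
	printf("mkstemp produced a safe private file:            %s\n", (r & 4) ? "yes" : "no");
	return 0;
}
```
.Pp
With per-user temporary storage enabled the attacker cannot reach the
victim's directory in the first place, but programs that are also run from
other systems, or before
.Pa /etc/rc.d/perusertmp
has started, still need the hardened open.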
.Ss Information filtering
.Nx
provides administrators the ability to restrict information passed from
the kernel to userland so that users can only view information they
.Dq own .
.Pp
The hooks that manage this restriction are located in various parts of the
system and affect programs such as
.Xr ps 1 ,
.Xr fstat 1 ,
and
.Xr netstat 1 .
Information filtering is enabled as follows:
.Bd -literal -offset indent
# sysctl -w security.curtain=1
.Ed
.Ss Administrative security
Certain administrative tasks are also related to security.
For instance, the daily maintenance script includes some basic
consistency checks; see
.Xr security.conf 5
for more details.
In particular, it is possible to configure
.Nx
to automatically audit all third-party packages installed via
.Xr pkgsrc 7 .
To audit for any known vulnerabilities on a daily basis, set the following in
.Pa /etc/daily.conf :
.Bd -literal -offset indent
fetch_pkg_vulnerabilities=YES
.Ed
.Sh SEE ALSO
.Xr ssp 3 ,
.Xr options 4 ,
.Xr paxctl 8 ,
.Xr sysctl 8 ,
.Xr veriexec 8 ,
.Xr kauth 9
.\"
.Rs
.%A Joseph Kong
.%B "Designing BSD Rootkits: An Introduction to Kernel Hacking"
.%D 2007
.%I "No Starch Press"
.Re
.\"
.Rs
.%A Enrico Perla
.%A Massimiliano Oldani
.%B "A Guide to Kernel Exploitation: Attacking the Core"
.%D 2010
.%I "Elsevier"
.Re
.\"
.Rs
.%A Erik Buchanan
.%A Ryan Roemer
.%A Hovav Shacham
.%A Stefan Savage
.%T "When Good Instructions Go Bad: \
Generalizing Return-Oriented Programming to RISC"
.%P 27-38
.%O CCS '08: Proceedings of the 15th ACM Conference \
on Computer and Communications Security
.%I ACM Press
.%D October 27-31, 2008
.%U http://cseweb.ucsd.edu/~hovav/dist/sparc.pdf
.Re
.\"
.Rs
.%A Sebastian Krahmer
.%T "x86-64 Buffer Overflow Exploits and \
the Borrowed Code Chunks Exploitation Technique"
.%D September 28, 2005
.%U http://www.suse.de/~krahmer/no-nx.pdf
.Re
.Sh AUTHORS
Many of the security features were pioneered by
.An Elad Efrat Aq Mt elad@NetBSD.org .