SECURITY(7) | Miscellaneous Information Manual | SECURITY(7) |
Contents:
For more information about it, and a quick guide on how to use it, please see veriexec(8).
In a nutshell, once enabled, Veriexec can be started as follows:
# veriexecgen && veriexecctl load
NetBSD provides the following exploit mitigation features:
When PaX ASLR is used, it is more likely the attacker will fail to predict the addresses of such functions, causing the application to segfault. To detect cases where an attacker might try and brute-force the return address of respawning services, PaX Segvguard can be used (see below).
For non-PIE (Position Independent Executable) executables, the NetBSD PaX ASLR implementation introduces randomization to the following memory regions:
For PIE executables:
While it can be enabled globally, NetBSD provides a tool, paxctl(8), to enable PaX ASLR on a per-program basis.
Example usage:
# paxctl +A /usr/sbin/sshd
Enabling PaX ASLR globally:
# sysctl -w security.pax.aslr.global=1
While it can be enabled globally, NetBSD provides a tool, paxctl(8), to enable PaX MPROTECT on a per-program basis.
Example usage:
# paxctl +M /usr/sbin/sshd
Enabling PaX MPROTECT globally:
# sysctl -w security.pax.mprotect.global=1
PaX Segvguard consumes kernel memory, so use it wisely. While it provides rate-limiting protections, records are tracked for all users on a per-program basis, meaning that irresponsible use may result in tracking all segmentation faults in the system, possibly consuming all kernel memory.
For this reason, it is highly recommended to have PaX Segvguard enabled explicitly only for network services or other processes deemed as critical to system security. Enabling PaX Segvguard explicitly works like this:
# paxctl +G /usr/sbin/sshd
However, a global knob is still provided, for use in strict environments with no local users (for example, some network appliances, embedded devices, and firewalls)
# sysctl -w security.pax.segvguard.global=1
Explicitly disabling PaX Segvguard is also possible:
# paxctl +g /bin/ls
In addition, PaX Segvguard provides several tunable options. For example, to limit a program to 5 segmentation faults from the same user in a 60 second timeframe:
# sysctl -w security.pax.segvguard.max_crashes=5 # sysctl -w security.pax.segvguard.expiry_timeout=60
The number of seconds a user will be suspended from running the culprit program is also configurable. For example, 10 minutes seem like a sane setting:
# sysctl -w security.pax.segvguard.suspend_timeout=600
Upon detection of a buffer overrun, SSP will immediately abort execution of the program and send a log message to syslog(3).
The system (userland and kernel) can be built with SSP by using the “USE_SSP” flag in /etc/mk.conf:
USE_SSP=yes
You are encouraged to use SSP for software you build, by providing one of the -fstack-protector or -fstack-protector-all flags to gcc(1). Keep in mind, however, that SSP will not work for functions that make use of alloca(3), as the latter modifies the stack size during run-time, while SSP relies on it being a compile-time static.
Use of SSP is especially encouraged on platforms without per-page execute bit granularity such as i386. As of NetBSD 6.0, SSP is used by default on i386 and amd64 architectures.
The underlying idea builds on the observation that there are cases where the compiler knows the size of a buffer. If a buffer overflow is suspected in a function that does little or no bounds checking, either a compile time warning can be issued or a safer substitute function can be used at runtime. Refer to ssp(3) for additional details.
The FORTIFY_SOURCE is enabled by default in some parts of the NetBSD source tree. It is also possible to explicitly enable it by defining the following in mk.conf(5):
USE_FORT=yes
In NetBSD it is possible to restrict whether user processes are allowed to make mappings at the zero address. By default, address 0 mappings are restricted on the i386 and amd64 architectures. It is however known that some third-party programs may not function properly with the restriction. Such mappings can be allowed either by using the USER_VA0_DISABLE_DEFAULT kernel configuration option or by changing the following variable at runtime:
# sysctl -w vm.user_va0_disable=0
Note that if securelevel (see secmodel_securelevel(9)) is greater than zero, it is not possible to change the sysctl(8) variable.
To enable per-user temporary storage, add the following line to rc.conf(5):
per_user_tmp=YES
If /tmp is a mount point, you will also need to update its fstab(5) entry to use “/private/tmp” (or whatever directory you want, if you override the default using the “per_user_tmp_dir” rc.conf(5) keyword) instead of “/tmp”.
Following that, run:
# /etc/rc.d/perusertmp start
The per-user temporary storage is implemented by using “magic symlinks”. These are further described in symlink(7).
The hooks that manage this restriction are located in various parts of the system and affect programs such as ps(1), fstat(1), and netstat(1). Information filtering is enabled as follows:
# sysctl -w security.curtain=1
fetch_pkg_vulnerabilities=YES
Joseph Kong, Designing BSD Rootkits: An Introduction to Kernel Hacking, No Starch Press, 2007.
Enrico Perla and Massimiliano Oldani, A Guide to Kernel Exploitation: Attacking the Core, Elsevier, 2010.
Erik Buchanan, Ryan Roemer, Hovav Shacham, and Stefan Savage, When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC, ACM Press, 27-38, October 27-31, 2008, CCS '08: Proceedings of the 15th ACM Conference on Computer and Communications Security, http://cseweb.ucsd.edu/~hovav/dist/sparc.pdf.
Sebastian Krahmer, x86-64 Buffer Overflow Exploits and the Borrowed Code Chunks Exploitation Technique, September 28, 2005, http://www.suse.de/~krahmer/no-nx.pdf.
March 30, 2011 | NetBSD 6.1 |