mirror of https://github.com/freebsd/freebsd-src (synced 2024-10-15 12:54:27 +00:00)
mitigations.7: move SSP documentation from security.7 to here
Stack Smashing Protection (SSP) is a software vulnerability mitigation, and fits with this page. Add a note to the beginning of security.7 providing a more explicit cross reference to mitigations.7.

Reviewed by: kevans
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45435
parent 4b72bab96e
commit 297bb39b6f
@ -25,7 +25,7 @@
|
||||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||||
.\" SUCH DAMAGE.
|
.\" SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.Dd May 31, 2024
|
.Dd June 1, 2024
|
||||||
.Dt MITIGATIONS 7
|
.Dt MITIGATIONS 7
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
|
@ -54,8 +54,8 @@ Write XOR Execute page protection policy
|
||||||
Relocation Read-Only (RELRO)
|
Relocation Read-Only (RELRO)
|
||||||
.It
|
.It
|
||||||
Bind Now
|
Bind Now
|
||||||
.\".It
|
.It
|
||||||
.\"Stack Smashing Protection (SSP)
|
Stack Overflow Protection
|
||||||
.It
|
.It
|
||||||
Supervisor Mode Memory Protection
|
Supervisor Mode Memory Protection
|
||||||
.It
|
.It
|
||||||
|
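Review bot: the list entry renamed to "Stack Overflow Protection" drops the "(SSP)" tag that the commit title and the old placeholder `.\"Stack Smashing Protection (SSP)` both use, and the subsection it points to also covers FORTIFY_SOURCE, which bounds-checks heap and static buffers as well as stack ones, so the entry name no longer describes the section's contents. Consider naming the item "Stack Smashing Protection (SSP)" and giving FORTIFY_SOURCE its own `.It` entry and `.Ss`, or choosing a broader name that matches what the section actually documents.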
@ -232,7 +232,81 @@ preventing attacks on the relocation table.
|
||||||
Note that this results in a nonstandard Application Binary Interface (ABI),
|
Note that this results in a nonstandard Application Binary Interface (ABI),
|
||||||
and it is possible that some applications may not function correctly.
|
and it is possible that some applications may not function correctly.
|
||||||
.\"
|
.\"
|
||||||
.\".Ss Stack Smashing Protection (SSP)
|
.Ss Stack Overflow Protection
|
||||||
|
.Fx
|
||||||
|
supports stack overflow protection using the Stack Smashing Protector
|
||||||
|
.Pq SSP
|
||||||
|
compiler feature.
|
||||||
|
In userland, SSP adds a per-process randomized canary at the end of every stack
|
||||||
|
frame which is checked for corruption upon return from the function.
|
||||||
|
In the kernel, a single randomized canary is used globally except on aarch64,
|
||||||
|
which has a
|
||||||
|
.Dv PERTHREAD_SSP
|
||||||
|
.Xr config 8
|
||||||
|
option to enable per-thread randomized canaries.
|
||||||
|
If stack corruption is detected, then the process aborts to avoid potentially
|
||||||
|
malicious execution as a result of the corruption.
|
||||||
|
SSP may be enabled or disabled when building
|
||||||
|
.Fx
|
||||||
|
base with the
|
||||||
|
.Xr src.conf 5
|
||||||
|
SSP knob.
|
||||||
|
.Pp
|
||||||
|
When
|
||||||
|
.Va WITH_SSP
|
||||||
|
is enabled, which is the default, world is built with the
|
||||||
|
.Fl fstack-protector-strong
|
||||||
|
compiler option.
|
||||||
|
The kernel is built with the
|
||||||
|
.Fl fstack-protector
|
||||||
|
option.
|
||||||
|
.Pp
|
||||||
|
In addition to SSP, a
|
||||||
|
.Dq FORTIFY_SOURCE
|
||||||
|
implementation is supported up to level 2 by defining
|
||||||
|
.Va _FORTIFY_SOURCE
|
||||||
|
to
|
||||||
|
.Dv 1
|
||||||
|
or
|
||||||
|
.Dv 2
|
||||||
|
before including any
|
||||||
|
.Fx
|
||||||
|
headers.
|
||||||
|
.Fx
|
||||||
|
world builds can set
|
||||||
|
.Va FORTIFY_SOURCE
|
||||||
|
to provide a default value for
|
||||||
|
.Va _FORTIFY_SOURCE .
|
||||||
|
When enabled,
|
||||||
|
.Dq FORTIFY_SOURCE
|
||||||
|
enables extra bounds checking in various functions that accept buffers to be
|
||||||
|
written into.
|
||||||
|
These functions currently have extra bounds checking support:
|
||||||
|
.Bl -column -offset indent "snprintf" "memmove" "strncpy" "vsnprintf" "readlink"
|
||||||
|
.It bcopy Ta bzero Ta fgets Ta getcwd Ta gets
|
||||||
|
.It memcpy Ta memmove Ta memset Ta read Ta readlink
|
||||||
|
.It snprintf Ta sprintf Ta stpcpy Ta stpncpy Ta strcat
|
||||||
|
.It strcpy Ta strncat Ta strncpy Ta vsnprintf Ta vsprintf
|
||||||
|
.El
|
||||||
|
.Pp
|
||||||
|
.Dq FORTIFY_SOURCE
|
||||||
|
requires compiler support from
|
||||||
|
.Xr clang 1
|
||||||
|
or
|
||||||
|
.Xr gcc 1 ,
|
||||||
|
which provide the
|
||||||
|
.Xr __builtin_object_size 3
|
||||||
|
function that is used to determine the bounds of an object.
|
||||||
|
This feature works best at optimization levels
|
||||||
|
.Fl O1
|
||||||
|
and above, as some object sizes may be less obvious without some data that the
|
||||||
|
compiler would collect in an optimization pass.
|
||||||
|
.Pp
|
||||||
|
Similar to SSP, violating the bounds of an object will cause the program to
|
||||||
|
abort in an effort to avoid malicious execution.
|
||||||
|
This effectively provides finer-grained protection than SSP for some class of
|
||||||
|
function and system calls, along with some protection for buffers allocated as
|
||||||
|
part of the program data.
|
||||||
.\"
|
.\"
|
||||||
.Ss Supervisor mode memory protection
|
.Ss Supervisor mode memory protection
|
||||||
Certain processors include features that prevent unintended access to memory
|
Certain processors include features that prevent unintended access to memory
|
||||||
|
|
|
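Review bot: the relocated text overstates the mitigation in "adds a per-process randomized canary at the end of every stack frame"; with `-fstack-protector-strong` the compiler only instruments functions that have local arrays, address-taken locals or similar, and the kernel's plain `-fstack-protector` instruments even fewer, so not every frame carries a canary, and the canary sits between the local variables and the saved return address rather than "at the end" of the frame. Since the text is being moved anyway, this is the place to fix it, along with two smaller points in the same paragraphs: "the process aborts" only describes userland, a kernel canary mismatch panics the system; and `.Xr __builtin_object_size 3` cross-references a manual page that does not exist in the tree, the symbol is a compiler builtin and should be marked up as `.Fn __builtin_object_size` instead.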
@ -26,13 +26,21 @@
|
||||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||||
.\" SUCH DAMAGE.
|
.\" SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.Dd October 5, 2023
|
.Dd June 1, 2024
|
||||||
.Dt SECURITY 7
|
.Dt SECURITY 7
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
.Nm security
|
.Nm security
|
||||||
.Nd introduction to security under FreeBSD
|
.Nd introduction to security under FreeBSD
|
||||||
.Sh DESCRIPTION
|
.Sh DESCRIPTION
|
||||||
|
See
|
||||||
|
.Xr mitigations 7
|
||||||
|
for a description of vulnerability mitigations in
|
||||||
|
.Fx .
|
||||||
|
This man page documents other
|
||||||
|
.Fx
|
||||||
|
security related topics.
|
||||||
|
.Pp
|
||||||
Security is a function that begins and ends with the system administrator.
|
Security is a function that begins and ends with the system administrator.
|
||||||
While all
|
While all
|
||||||
.Bx
|
.Bx
|
||||||
|
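Review bot: "security related topics" in the new paragraph should be hyphenated as "security-related topics". Also, because this pointer now depends on its position at the top of DESCRIPTION, make sure `.Xr mitigations 7` is listed under SEE ALSO as well (not visible in this hunk) so the cross reference survives any future reordering of the section.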
@ -939,81 +947,6 @@ option that SSH allows in its
|
||||||
.Pa authorized_keys
|
.Pa authorized_keys
|
||||||
file to make the key only usable to entities logging in from specific
|
file to make the key only usable to entities logging in from specific
|
||||||
machines.
|
machines.
|
||||||
.Sh STACK OVERFLOW PROTECTION
|
|
||||||
.Fx
|
|
||||||
supports stack overflow protection using the Stack Smashing Protector
|
|
||||||
.Pq SSP
|
|
||||||
compiler feature.
|
|
||||||
In userland, SSP adds a per-process randomized canary at the end of every stack
|
|
||||||
frame which is checked for corruption upon return from the function.
|
|
||||||
In the kernel, a single randomized canary is used globally except on aarch64,
|
|
||||||
which has a
|
|
||||||
.Dv PERTHREAD_SSP
|
|
||||||
.Xr config 8
|
|
||||||
option to enable per-thread randomized canaries.
|
|
||||||
If stack corruption is detected, then the process aborts to avoid potentially
|
|
||||||
malicious execution as a result of the corruption.
|
|
||||||
SSP may be enabled or disabled when building
|
|
||||||
.Fx
|
|
||||||
base with the
|
|
||||||
.Xr src.conf 5
|
|
||||||
SSP knob.
|
|
||||||
.Pp
|
|
||||||
When
|
|
||||||
.Va WITH_SSP
|
|
||||||
is enabled, which is the default, world is built with the
|
|
||||||
.Fl fstack-protector-strong
|
|
||||||
compiler option.
|
|
||||||
The kernel is built with the
|
|
||||||
.Fl fstack-protector
|
|
||||||
option.
|
|
||||||
.Pp
|
|
||||||
In addition to SSP, a
|
|
||||||
.Dq FORTIFY_SOURCE
|
|
||||||
implementation is supported up to level 2 by defining
|
|
||||||
.Va _FORTIFY_SOURCE
|
|
||||||
to
|
|
||||||
.Dv 1
|
|
||||||
or
|
|
||||||
.Dv 2
|
|
||||||
before including any
|
|
||||||
.Fx
|
|
||||||
headers.
|
|
||||||
.Fx
|
|
||||||
world builds can set
|
|
||||||
.Va FORTIFY_SOURCE
|
|
||||||
to provide a default value for
|
|
||||||
.Va _FORTIFY_SOURCE .
|
|
||||||
When enabled,
|
|
||||||
.Dq FORTIFY_SOURCE
|
|
||||||
enables extra bounds checking in various functions that accept buffers to be
|
|
||||||
written into.
|
|
||||||
These functions currently have extra bounds checking support:
|
|
||||||
.Bl -column -offset indent "snprintf" "memmove" "strncpy" "vsnprintf" "readlink"
|
|
||||||
.It bcopy Ta bzero Ta fgets Ta getcwd Ta gets
|
|
||||||
.It memcpy Ta memmove Ta memset Ta read Ta readlink
|
|
||||||
.It snprintf Ta sprintf Ta stpcpy Ta stpncpy Ta strcat
|
|
||||||
.It strcpy Ta strncat Ta strncpy Ta vsnprintf Ta vsprintf
|
|
||||||
.El
|
|
||||||
.Pp
|
|
||||||
.Dq FORTIFY_SOURCE
|
|
||||||
requires compiler support from
|
|
||||||
.Xr clang 1
|
|
||||||
or
|
|
||||||
.Xr gcc 1 ,
|
|
||||||
which provide the
|
|
||||||
.Xr __builtin_object_size 3
|
|
||||||
function that is used to determine the bounds of an object.
|
|
||||||
This feature works best at optimization levels
|
|
||||||
.Fl O1
|
|
||||||
and above, as some object sizes may be less obvious without some data that the
|
|
||||||
compiler would collect in an optimization pass.
|
|
||||||
.Pp
|
|
||||||
Similar to SSP, violating the bounds of an object will cause the program to
|
|
||||||
abort in an effort to avoid malicious execution.
|
|
||||||
This effectively provides finer-grained protection than SSP for some class of
|
|
||||||
function and system calls, along with some protection for buffers allocated as
|
|
||||||
part of the program data.
|
|
||||||
.Sh KNOBS AND TWEAKS
|
.Sh KNOBS AND TWEAKS
|
||||||
.Fx
|
.Fx
|
||||||
provides several knobs and tweak handles that make some introspection
|
provides several knobs and tweak handles that make some introspection
|
||||||
|
|
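Review bot: the removal matches the text added to mitigations.7 line for line (75 lines out, 74 in, the difference being the `.Sh STACK OVERFLOW PROTECTION` header that becomes the `.Ss` heading there), so the move itself is clean; what this hunk cannot show is whether anything else in security.7 still refers to the removed section, for example a `.Sx STACK OVERFLOW PROTECTION` reference or an entry in SEE ALSO, so grep the file for "STACK OVERFLOW" before landing and retarget any hit to `.Xr mitigations 7`.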