Index: share/man/man7/mitigations.7 =================================================================== --- /dev/null +++ share/man/man7/mitigations.7 
@@ -0,0 +1,141 @@ +.\" Copyright © 2023 FreeBSD Foundation +.\" +.\" This documentation was written by Ed Maste under sponsorship of +.\" the FreeBSD Foundation. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" MITIGATIONS(7) - FreeBSD Security Mitigations +.\" +.Dd September 8, 2023 +.Dt MITIGATIONS 7 +.Os +.Sh NAME +.Nm Security Vulnerability Mitigations +.Nd FreeBSD Security Mitigations +.Sh SYNOPSIS +In FreeBSD, various security mitigations are employed to reduce the impact of +vulnerabilities and protect the system from malicious attacks. +This manual page provides an overview of these mitigations. 
+.Pp +The following security mitigations are covered in this document: +.Bl -bullet +.It +Address Space Layout Randomization (ASLR) +.It +Write XOR Execute +.El +.Pp +Please note that the effectiveness and availability of these mitigations may +vary depending on the FreeBSD version and system configuration. +.Sh DESCRIPTION +Security vulnerability mitigations are techniques employed in FreeBSD to +limit the potential impact of security vulnerabilities in software. +It is essential to understand that mitigations do not directly address the +underlying security issues in software and are not a substitute for secure +coding practices. +Mitigations serve as an additional layer of defense, helping to reduce the +likelihood of a successful exploitation of vulnerabilities by making it +more difficult for attackers to achieve their objectives. +.Pp +This manual page describes the security mitigations implemented in FreeBSD +to enhance the overall security of the operating system. +Each mitigation is designed to protect against specific types of attacks +and vulnerabilities. +.Ss Address Space Layout Randomization (ASLR) +Address Space Layout Randomization (ASLR) is a security mitigation technique +that works by randomizing the memory addresses where system and application +code, data, and libraries are loaded, making it significantly more challenging +for attackers to predict the memory layout and exploit vulnerabilities. +.Pp +ASLR introduces randomness into the memory layout during process execution, +effectively reducing the predictability of memory addresses. This means that +even if an attacker discovers a software vulnerability, such as a buffer +overflow, they are less likely to succeed in exploiting it because they cannot +reliably determine where specific functions or data structures are located in +memory. 
+.Pp +ASLR is a valuable defense against various types of attacks, including +stack-based and heap-based buffer overflows, return-oriented programming (ROP) +attacks, and others that rely on precise knowledge of memory layouts. +.Pp +ASLR is enabled via a separate set of +.Xr sysctl 8 +knobs, for 32- and 64-bit processes. +For 32-bit processes: +.Bl -tag -width kern.elf32.aslr.pie_enable +.It Dv kern.elf32.aslr.enable +Enable ASLR for 32-bit ELF binaries, other than Positiion Independent +Exectutable (PIE) binaries. +.It Dv kern.elf32.aslr.pie_enable +Enable ASLR for 32-bit Position Independent Executable (PIE) ELF binaries. +.It Dv kern.elf32.aslr.honor_sbrk +Reserve the legacy +.Xr sbrk 2 +region for compatibility with older binaries. +.It Dv kern.elf32.aslr.stack +If ASLR is enabled for a process, also Randomize the stack location. +.El +.Pp +For 64-bit processes: +.Bl -tag -width kern.elf64.aslr.pie_enable +.It Dv kern.elf64.aslr.enable +Enable ASLR for 64-bit ELF binaries, other than Positiion Independent +Exectutable (PIE) binaries. +.It Dv kern.elf64.aslr.pie_enable +Enable ASLR for 64-bit Position Independent Executable (PIE) ELF binaries. +.It Dv kern.elf64.aslr.honor_sbrk +Reserve the legacy +.Xr sbrk 2 +region for compatibility with older binaries. +.It Dv kern.elf64.aslr.stack +If ASLR is enabled for a process, also Randomize the stack location. +.El +.Ss Write XOR Execute +Write XOR Execute (W^X) is a vulnerability mitigation strategy that strengthens +the security of the system by controlling memory access permissions. +.Pp +Under the W^X mitigation, memory pages may be writable (W) or executable (E), +but not both at the same time. This means that code execution is prevented in +areas of memory that are designated as writable, and writing or modification of +memory is restricted in areas marked for execution. +.Pp +There are separate +.Xr sysctl 8 +knobs to control W^X policy enforcement for 32- and 64-bit processes. 
+The W^X policy is enabled by setting the appropriate +.Dv allow_wx +sysctl to 0. +.Bl -tag -width kern.elf64.allow_wx +.It Dv kern.elf32.allow_wx +Allow 32-bit processes to map pages simultaneously writable and excutable. +.It Dv kern.elf64.allow_wx +Allow 64-bit processes to map pages simultaneously writable and excutable. +.El +.Pp +The performance impact and threat models related to these mitigations +should be considered when configuring and deploying them in a FreeBSD system. +.Pp +.Sh SEE ALSO +.Xr sysctl.conf 5 , +.Xr security 7 , +.Xr sysctl 8
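Review bot: In the NAME section, ".Nm Security Vulnerability Mitigations" should carry the page name instead, i.e. ".Nm mitigations", so that it agrees with ".Dt MITIGATIONS 7" and the file name mitigations.7. The overview text placed under ".Sh SYNOPSIS" is ordinary prose and reads better as the opening of DESCRIPTION. Spelling: "Positiion Independent Exectutable" appears in both the kern.elf32.aslr.enable and kern.elf64.aslr.enable entries, "excutable" appears in both allow_wx entries, and "also Randomize" in both aslr.stack entries should be lower case. Two sentences begin mid-line ("... of memory addresses. This means that" in the ASLR subsection and "... at the same time. This means that code" in the W^X subsection); mdoc sources start each new sentence on its own line. The ".Pp" directly before ".Sh SEE ALSO" is redundant and can be dropped. The W^X text abbreviates executable as "(E)" while the mitigation's name uses X; "(X)" would be consistent. It would also help to state in the ASLR subsection which value enables each knob, as the W^X subsection does for allow_wx ("sysctl to 0"), since the two sets of knobs have opposite polarity.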