
D41794.id127163.diff
Index: share/man/man7/mitigations.7
===================================================================
--- /dev/null
+++ share/man/man7/mitigations.7
@@ -0,0 +1,141 @@
+.\" Copyright © 2023 FreeBSD Foundation
+.\"
+.\" This documentation was written by Ed Maste under sponsorship of
+.\" the FreeBSD Foundation.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" MITIGATIONS(7) - FreeBSD Security Mitigations
+.\"
+.Dd September 8, 2023
+.Dt MITIGATIONS 7
+.Os
+.Sh NAME
+.Nm Security Vulnerability Mitigations
+.Nd FreeBSD Security Mitigations
+.Sh SYNOPSIS
+In FreeBSD, various security mitigations are employed to reduce the impact of
+vulnerabilities and protect the system from malicious attacks.
+This manual page provides an overview of these mitigations.
+.Pp
+The following security mitigations are covered in this document:
+.Bl -bullet
+.It
+Address Space Layout Randomization (ASLR)
+.It
+Write XOR Execute
+.El
+.Pp
+Please note that the effectiveness and availability of these mitigations may
+vary depending on the FreeBSD version and system configuration.
+.Sh DESCRIPTION
+Security vulnerability mitigations are techniques employed in FreeBSD to
+limit the potential impact of security vulnerabilities in software.
+It is essential to understand that mitigations do not directly address the
+underlying security issues in software and are not a substitute for secure
+coding practices.
+Mitigations serve as an additional layer of defense, helping to reduce the
+likelihood of a successful exploitation of vulnerabilities by making it
+more difficult for attackers to achieve their objectives.
+.Pp
+This manual page describes the security mitigations implemented in FreeBSD
+to enhance the overall security of the operating system.
+Each mitigation is designed to protect against specific types of attacks
+and vulnerabilities.
+.Ss Address Space Layout Randomization (ASLR)
+Address Space Layout Randomization (ASLR) is a security mitigation technique
+that works by randomizing the memory addresses where system and application
+code, data, and libraries are loaded, making it significantly more challenging
+for attackers to predict the memory layout and exploit vulnerabilities.
+.Pp
+ASLR introduces randomness into the memory layout during process execution,
+effectively reducing the predictability of memory addresses. This means that
+even if an attacker discovers a software vulnerability, such as a buffer
+overflow, they are less likely to succeed in exploiting it because they cannot
+reliably determine where specific functions or data structures are located in
+memory.
+.Pp
+ASLR is a valuable defense against various types of attacks, including
+stack-based and heap-based buffer overflows, return-oriented programming (ROP)
+attacks, and others that rely on precise knowledge of memory layouts.
+.Pp
+ASLR is enabled via a separate set of
+.Xr sysctl 8
+knobs, for 32- and 64-bit processes.
+For 32-bit processes:
+.Bl -tag -width kern.elf32.aslr.pie_enable
+.It Dv kern.elf32.aslr.enable
+Enable ASLR for 32-bit ELF binaries, other than Positiion Independent
+Exectutable (PIE) binaries.
+.It Dv kern.elf32.aslr.pie_enable
+Enable ASLR for 32-bit Position Independent Executable (PIE) ELF binaries.
+.It Dv kern.elf32.aslr.honor_sbrk
+Reserve the legacy
+.Xr sbrk 2
+region for compatibility with older binaries.
+.It Dv kern.elf32.aslr.stack
+If ASLR is enabled for a process, also Randomize the stack location.
+.El
+.Pp
+For 64-bit processes:
+.Bl -tag -width kern.elf64.aslr.pie_enable
+.It Dv kern.elf64.aslr.enable
+Enable ASLR for 64-bit ELF binaries, other than Positiion Independent
+Exectutable (PIE) binaries.
+.It Dv kern.elf64.aslr.pie_enable
+Enable ASLR for 64-bit Position Independent Executable (PIE) ELF binaries.
+.It Dv kern.elf64.aslr.honor_sbrk
+Reserve the legacy
+.Xr sbrk 2
+region for compatibility with older binaries.
+.It Dv kern.elf64.aslr.stack
+If ASLR is enabled for a process, also Randomize the stack location.
+.El
+.Ss Write XOR Execute
+Write XOR Execute (W^X) is a vulnerability mitigation strategy that strengthens
+the security of the system by controlling memory access permissions.
+.Pp
+Under the W^X mitigation, memory pages may be writable (W) or executable (E),
+but not both at the same time. This means that code execution is prevented in
+areas of memory that are designated as writable, and writing or modification of
+memory is restricted in areas marked for execution.
+.Pp
+There are separate
+.Xr sysctl 8
+knobs to control W^X policy enforcement for 32- and 64-bit processes.
+The W^X policy is enabled by setting the appropriate
+.Dv allow_wx
+sysctl to 0.
+.Bl -tag -width kern.elf64.allow_wx
+.It Dv kern.elf32.allow_wx
+Allow 32-bit processes to map pages simultaneously writable and excutable.
+.It Dv kern.elf64.allow_wx
+Allow 64-bit processes to map pages simultaneously writable and excutable.
+.El
+.Pp
+The performance impact and threat models related to these mitigations
+should be considered when configuring and deploying them in a FreeBSD system.
+.Pp
+.Sh SEE ALSO
+.Xr sysctl.conf 5 ,
+.Xr security 7 ,
+.Xr sysctl 8
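Review bot: The NAME section uses a multi-word phrase as the page name (`.Nm Security Vulnerability Mitigations`), which does not match the `.Dt MITIGATIONS 7` title and will not index cleanly for apropos/makewhatis; use `.Nm mitigations` and keep the descriptive text in `.Nd`. The SYNOPSIS section is also prose rather than a synopsis; that text reads better as the opening of DESCRIPTION, with the bullet list of covered mitigations kept there. Several spelling errors repeat in the tag lists: "Positiion Independent Exectutable" in the `kern.elf32.aslr.enable` and `kern.elf64.aslr.enable` entries, "excutable" in both `allow_wx` entries, and "also Randomize" (capital R mid-sentence) in both `aslr.stack` entries. The `.Pp` immediately before `.Sh SEE ALSO` is redundant and will draw a mandoc lint warning (paragraph macro before a section header); drop it. Since the page itself notes that availability varies by FreeBSD version and configuration, each knob's entry should state its default value (enabled or disabled), otherwise a reader cannot tell from this page whether ASLR or the W^X policy is in effect on a stock system; the W^X text already gives the enabling value (`allow_wx` = 0) and the ASLR entries should do the same. Minor: "In FreeBSD" should use the `.Fx` macro, and the W^X paragraph's "executable (E)" is conventionally "(X)", matching the W^X name.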
