Diffstat (limited to 'security-blueprint/part-4/2-Memory.md')
-rw-r--r-- security-blueprint/part-4/2-Memory.md | 36
1 files changed, 18 insertions, 18 deletions
diff --git a/security-blueprint/part-4/2-Memory.md b/security-blueprint/part-4/2-Memory.md index 07ddbc9..9cc9c16 100644 --- a/security-blueprint/part-4/2-Memory.md +++ b/security-blueprint/part-4/2-Memory.md @@ -6,13 +6,13 @@ The /dev/kmem file in Linux systems is directly mapped to kernel virtual memory. To disable the /dev/kmem file, which is very infrequently used by applications, the following kernel option should be set in the compile-time kernel configuration: -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------------------ | ---------------- | ------- Kernel-Memory-RestrictAccess-1 | `CONFIG_DEVKMEM` | `n` -<!-- endconfig --> +<!-- end-section-config --> In case applications in userspace need /dev/kmem support, it should be available only for authenticated applications. @@ -22,13 +22,13 @@ In case applications in userspace need /dev/kmem support, it should be available This kernel configuration disables access to a kernel core dump from user space. If enabled, it gives attackers a useful view into kernel memory. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------------ | ------------------- | ------- Kernel-Memory-CoreDump-1 | `CONFIG_PROC_KCORE` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -36,13 +36,13 @@ Kernel-Memory-CoreDump-1 | `CONFIG_PROC_KCORE` | `n` If not disabled, attackers can enable swap at runtime, add pressure to the memory subsystem and then scour the pages written to swap for useful information. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` -------------------- | ------------- | ------- Kernel-Memory-Swap-1 | `CONFIG_SWAP` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- 
@@ -54,14 +54,14 @@ There is a /proc/kallsyms file which exposes the kernel memory space address of Both `KALLSYMS_ALL` and `KALLSYMS` shall be disabled; -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------------------ | --------------------- | ------- Kernel-Memory-LoadAllSymbols-1 | `CONFIG_KALLSYMS` | `n` Kernel-Memory-LoadAllSymbols-2 | `CONFIG_KALLSYMS_ALL` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -73,13 +73,13 @@ This configuration is supported in **Linux 3.11 and greater** and thus should on This configuration also requires building the kernel with the **gcc compiler 4.2 or greater**. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` --------------------- | -------------------------- | ------- Kernel-Memory-Stack-1 | `CONFIG_CC_STACKPROTECTOR` | `y` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -89,13 +89,13 @@ The /dev/mem file in Linux systems is directly mapped to physical memory. This c This configuration is supported in **Linux 4.0 and greater** and thus should only be disabled for such versions. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ---------------------- | --------------- | ------- Kernel-Memory-Access-1 | `CONFIG_DEVMEM` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- 
@@ -107,25 +107,25 @@ Disable the process_vm_*v syscalls which allow one process to peek/poke the virt This configuration is supported in **Linux 3.5 and greater** and thus should only be disabled for such versions. -<!-- config --> +<!-- section-config --> Domain | `Config` name | `Value` ------------------------------ | --------------------- | ------- Kernel-Memory-CrossMemAttach-1 | `CROSS_MEMORY_ATTACH` | `n` -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- ## Stack Smashing Attacks -<!-- config --> +<!-- section-config --> Domain | `compiler` and `linker` options | _State_ ----------------------------- | ------------------------------- | -------- Kernel-Memory-StackSmashing-1 | `-fstack-protector-all` | _Enable_ -<!-- endconfig --> +<!-- end-section-config --> Emit extra code to check for buffer overflows, such as stack smashing attacks. @@ -133,12 +133,12 @@ Emit extra code to check for buffer overflows, such as stack smashing attacks. ## Detect Buffer Overflows -<!-- config --> +<!-- section-config --> Domain | `compiler` and `linker` options | `Value` ------------------------------- | ------------------------------- | ------- Kernel-Memory-BufferOverflows-1 | `-D_FORTIFY_SOURCE` | `2` -<!-- endconfig --> +<!-- end-section-config --> Helps detect some buffer overflow errors. |
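Review bot: the rename of `<!-- config -->` / `<!-- endconfig -->` to `<!-- section-config -->` / `<!-- end-section-config -->` in the first hunk (`@@ -6`), repeated in every later hunk, is only safe if whatever generator or template consumes these markers learns the new names in the same change; the diffstat shows only `security-blueprint/part-4/2-Memory.md` touched, so please confirm the consumer already recognises `section-config` or land that update alongside this commit, otherwise the configuration tables silently stop being extracted.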
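Review bot: in the hunk at `@@ -54`, the context line `Both \`KALLSYMS_ALL\` and \`KALLSYMS\` shall be disabled;` ends with a semicolon where a colon introducing the table is meant, and names the options without the `CONFIG_` prefix the table rows use (`CONFIG_KALLSYMS`, `CONFIG_KALLSYMS_ALL`); since the hunk already edits the lines around it, consider fixing both while here.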
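Review bot: the row `Kernel-Memory-CrossMemAttach-1 | \`CROSS_MEMORY_ATTACH\` | \`n\`` in the hunk at `@@ -107` is the only `Config` entry in the file without the `CONFIG_` prefix (compare `CONFIG_DEVMEM`, `CONFIG_SWAP` in the neighbouring hunks); the symbol as it appears in a kernel `.config` is `CONFIG_CROSS_MEMORY_ATTACH`, so the row should read that, both for consistency and so that a grep of the built `.config` against this table actually matches.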
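Review bot: the `Kernel-Memory-BufferOverflows-1 | \`-D_FORTIFY_SOURCE\` | \`2\`` row in the hunk at `@@ -133` is documented only by `Helps detect some buffer overflow errors.`, which omits the one precondition that matters in practice: `_FORTIFY_SOURCE` only takes effect when compiling with optimisation (`-O1` or higher), so a build at `-O0` gets none of the checks while still appearing to comply with this table. A sentence stating that requirement next to the table would prevent a false sense of coverage; the same hunk region's `-fstack-protector-all` row would likewise benefit from noting that it is a compiler flag for userspace builds rather than a kernel `CONFIG_` option, despite the `Kernel-Memory-` domain name.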