Diffstat (limited to 'security-blueprint/part-4/2-Memory.md')
-rw-r--r-- security-blueprint/part-4/2-Memory.md | 36
1 files changed, 18 insertions, 18 deletions
diff --git a/security-blueprint/part-4/2-Memory.md b/security-blueprint/part-4/2-Memory.md
index 07ddbc9..9cc9c16 100644
--- a/security-blueprint/part-4/2-Memory.md
+++ b/security-blueprint/part-4/2-Memory.md
@@ -6,13 +6,13 @@ The /dev/kmem file in Linux systems is directly mapped to kernel virtual memory.
To disable the /dev/kmem file, which is very infrequently used by applications, the following kernel option should be set in the compile-time kernel configuration:
-<!-- config -->
+<!-- section-config -->
Domain | `Config` name | `Value`
------------------------------ | ---------------- | -------
Kernel-Memory-RestrictAccess-1 | `CONFIG_DEVKMEM` | `n`
-<!-- endconfig -->
+<!-- end-section-config -->
In case applications in userspace need /dev/kmem support, it should be available only for authenticated applications.
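Review bot: the rename of `<!-- config -->` / `<!-- endconfig -->` to `<!-- section-config -->` / `<!-- end-section-config -->` is applied uniformly across all eight hunks, but nothing else in the diff changes, so any renderer or build script that collects the config tables by matching on the old marker names will silently stop picking them up; confirm that consumer is updated in the same change, and add a commit message stating the reason for the new marker names, since this view carries none.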
@@ -22,13 +22,13 @@ In case applications in userspace need /dev/kmem support, it should be available
This kernel configuration disables access to a kernel core dump from user space. If enabled, it gives attackers a useful view into kernel memory.
-<!-- config -->
+<!-- section-config -->
Domain | `Config` name | `Value`
------------------------ | ------------------- | -------
Kernel-Memory-CoreDump-1 | `CONFIG_PROC_KCORE` | `n`
-<!-- endconfig -->
+<!-- end-section-config -->
--------------------------------------------------------------------------------
@@ -36,13 +36,13 @@ Kernel-Memory-CoreDump-1 | `CONFIG_PROC_KCORE` | `n`
If not disabled, attackers can enable swap at runtime, add pressure to the memory subsystem and then scour the pages written to swap for useful information.
-<!-- config -->
+<!-- section-config -->
Domain | `Config` name | `Value`
-------------------- | ------------- | -------
Kernel-Memory-Swap-1 | `CONFIG_SWAP` | `n`
-<!-- endconfig -->
+<!-- end-section-config -->
--------------------------------------------------------------------------------
@@ -54,14 +54,14 @@ There is a /proc/kallsyms file which exposes the kernel memory space address of
Both `KALLSYMS_ALL` and `KALLSYMS` shall be disabled;
-<!-- config -->
+<!-- section-config -->
Domain | `Config` name | `Value`
------------------------------ | --------------------- | -------
Kernel-Memory-LoadAllSymbols-1 | `CONFIG_KALLSYMS` | `n`
Kernel-Memory-LoadAllSymbols-2 | `CONFIG_KALLSYMS_ALL` | `n`
-<!-- endconfig -->
+<!-- end-section-config -->
--------------------------------------------------------------------------------
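Review bot: the unchanged context line "Both `KALLSYMS_ALL` and `KALLSYMS` shall be disabled;" ends with a semicolon where a colon introducing the table is intended, and it names the options without the `CONFIG_` prefix that the table rows immediately below use (`CONFIG_KALLSYMS`, `CONFIG_KALLSYMS_ALL`); since this hunk is being touched anyway, align the sentence with the table, e.g. "Both `CONFIG_KALLSYMS` and `CONFIG_KALLSYMS_ALL` shall be disabled:".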
@@ -73,13 +73,13 @@ This configuration is supported in **Linux 3.11 and greater** and thus should on
This configuration also requires building the kernel with the **gcc compiler 4.2 or greater**.
-<!-- config -->
+<!-- section-config -->
Domain | `Config` name | `Value`
--------------------- | -------------------------- | -------
Kernel-Memory-Stack-1 | `CONFIG_CC_STACKPROTECTOR` | `y`
-<!-- endconfig -->
+<!-- end-section-config -->
--------------------------------------------------------------------------------
@@ -89,13 +89,13 @@ The /dev/mem file in Linux systems is directly mapped to physical memory. This c
This configuration is supported in **Linux 4.0 and greater** and thus should only be disabled for such versions.
-<!-- config -->
+<!-- section-config -->
Domain | `Config` name | `Value`
---------------------- | --------------- | -------
Kernel-Memory-Access-1 | `CONFIG_DEVMEM` | `n`
-<!-- endconfig -->
+<!-- end-section-config -->
--------------------------------------------------------------------------------
@@ -107,25 +107,25 @@ Disable the process_vm_*v syscalls which allow one process to peek/poke the virt
This configuration is supported in **Linux 3.5 and greater** and thus should only be disabled for such versions.
-<!-- config -->
+<!-- section-config -->
Domain | `Config` name | `Value`
------------------------------ | --------------------- | -------
Kernel-Memory-CrossMemAttach-1 | `CROSS_MEMORY_ATTACH` | `n`
-<!-- endconfig -->
+<!-- end-section-config -->
--------------------------------------------------------------------------------
## Stack Smashing Attacks
-<!-- config -->
+<!-- section-config -->
Domain | `compiler` and `linker` options | _State_
----------------------------- | ------------------------------- | --------
Kernel-Memory-StackSmashing-1 | `-fstack-protector-all` | _Enable_
-<!-- endconfig -->
+<!-- end-section-config -->
Emit extra code to check for buffer overflows, such as stack smashing attacks.
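Review bot: two consistency problems in the tables this hunk touches. The `Config` name `CROSS_MEMORY_ATTACH` is the only entry in the file without the `CONFIG_` prefix that every other row carries (`CONFIG_DEVMEM`, `CONFIG_SWAP`, `CONFIG_KALLSYMS`, ...); it should read `CONFIG_CROSS_MEMORY_ATTACH`. In the Stack Smashing table the third column is headed `_State_` with the value `_Enable_`, whereas the neighbouring `-D_FORTIFY_SOURCE` table and all kernel-option tables head it `Value`; pick one header for the compiler-option tables so the markers wrap tables of the same shape.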
@@ -133,12 +133,12 @@ Emit extra code to check for buffer overflows, such as stack smashing attacks.
## Detect Buffer Overflows
-<!-- config -->
+<!-- section-config -->
Domain | `compiler` and `linker` options | `Value`
------------------------------- | ------------------------------- | -------
Kernel-Memory-BufferOverflows-1 | `-D_FORTIFY_SOURCE` | `2`
-<!-- endconfig -->
+<!-- end-section-config -->
Helps detect some buffer overflow errors.
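Review bot: splitting `-D_FORTIFY_SOURCE` and `2` across the option and `Value` columns invites readers to pass them as two separate arguments; show the flag as it is actually written, `-D_FORTIFY_SOURCE=2`, either in the option column or in the sentence below, and expand "Helps detect some buffer overflow errors." to say which checks it enables, since the preceding Stack Smashing section at least names the class of attack it addresses.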