SOURCE和Linux安全保护机制

今天在编译一个软件的时候发现“FORTIFY_SOURCE”字样,搜了一把,找到了Fedora core对其安全机制进行介绍的页面。顺手转过来。

Fedora is the thought and action leader in many of the latest Linux security initiatives. The following security features were developed by Fedora engineers. In line with the Fedora policy, these security features have been pushed upstream and they are available to all Linux distributions who choose to take advantage of them.

For a table of which features are in particular Fedora versions, refer to

For Red Hat security information, refer to

Firewall by default

Fedora provides a default firewall that can limit both incoming and outgoing connections and Fedora 8 and above includes a very user friendly system-config-firewall utility.

Easy and Painless Administration: PolicyKit

Following all the other security enhancements comes PolicyKit .  !PolicyKit is a new toolkit from Fedora developers for controlling privileges of system-wide services. Instead of elevating privileges wholesale to the entire program when needed, !PolicyKit enables very fine grained isolation of higher privileges to small services or non-graphical utilities. This functionality is accessed by programs through a D-Bus interface in coordination with HAL, allowing administrators to control how users perform certain tasks, and which tasks they are allowed to perform. Support for !PolicyKit will be added to administrative tasks and tools throughout the distribution in an incremental fashion.

SELinux

Fedora is the first mainstream operating system to provide MAC (Mandatory Access Control) based security using SELinux enabled by default. SELinux was developed in partnership with the NSA (National Security Agency) – A US based goverment security organisation and Red Hat with developers from projects such as Gentoo and Debian. Security Enhanced Linux protects users and processes by watching all actions on the system, from opening a file to using a socket. Users may write their own SELinux security policies according to their risk tolerance. By default, Fedora runs a targeted security policy that protects network daemons that have a higher chance of being attacked. If compromised, these programs are extremely limited in the damage they can do, even if the root account is cracked.

For example, Apache is protected in four different ways. The executable for Apache, httpd, is protected at compile time by PIE and Exec-Shield. The executable binary file on the system is protected by ELF hardening. Finally, SELinux policies are in place so that if httpd is cracked, it can only append to the Apache logs and mangle content in specific directories; it cannot roam around home directories or otherwise interact with the rest of the system.

Fedora 8 and above offers Kiosk functionality via SELinux, among many new enhancements and security policy changes. We now have merged improvements from the strict policy to a single targeted policy package, and a separate strict policy is not available in Fedora anymore.

References:

https://fedoraproject.org/wiki/SELinux Exec-Shield No eXecute (NX)

Modern processors support a feature called NX which allows a system to control the execution of various portions of memory. Data memory is flagged as non-executable and program memory is flagged as non-writeable. This helps prevent certain types of buffer overflow exploits from working as expected.

Since not all processors support the NX feature, attempts have been made to support this feature via segment limits. A segment limit will prevent certain portions of memory from being executed. This provides very similar functionality to NX technology.

Position Independent Executables (PIE)

PIE is an Exec-Shield technology that allows a programmer to make the executable load at a different memory address each time it starts. Attackers cannot predict where the application will start, making it very hard to exploit. Not all packages are compiled as PIE executables in Fedora. Using PIE causes a fair amount of processing overhead, so only select packages are compiled as PIE executables.

Applications that are not compiled as PIE, still have a small amount of added protection. The usage of prelink does place binaries and libraries at known locations. Fedora contains a feature which runs prelink every two weeks at which time the memory locations of binaries and libraries is randomized. Applications that are compiled as PIE do not use prelink, all memory addresses are randomized with each execution.

References:

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:https://www.heiqu.com/wwszwj.html