# FreeBSD Protections



## vnd (Dec 20, 2010)

Hi guys, I'm new in *BSD systems and I would like to gain some information.

Could anyone tell me how FreeBSD looks from security point of view in comparison to Linux patched with Pax+GRSecurity? I've heard that there're less vulnerabilities in the BSD kernel than in the Linux one, but how does it look in the userland? Does FreeBSD implements by itself any additional protections against heap overflows/race conditions?

I'm running Gentoo on hardened-sources since four years and I'm looking for some new experiences. I was trying to find some useful infos on the web but I haven't find anything interesting in this topic, so I ask you to help me. Sorry for trouble.


----------



## vermaden (Dec 20, 2010)

Check these chapters mate:
http://freebsd.org/handbook/security.html
http://freebsd.org/handbook/jails.html
http://freebsd.org/handbook/mac.html
http://freebsd.org/handbook/audit.html


----------



## UNIXgod (Dec 20, 2010)

For userland you can install portaudit which will send in periodic problems detected as vulnerabilities pop up.

Most people run their userland apps in security jails which is basically like chroot on steroids. Anything compromise in the jailed environments cant access outside that environment.

We also have different firewalls than linux as well as a dedicated security team.

http://www.freebsd.org/security/


----------



## vnd (Dec 20, 2010)

Thanks for quick responses. I've read most of the chapters in the handbook some time ago but I'm looking for something which would describes more technical security aspects. Unfortunately there're no notes about protection systems used by FreeBSD like canaries or mprotect restrictions. Is there any place (excluding kernel sources) where it is possible to read about it?

btw. I've heard about jails, it was one of the first things which encourage me to look carefully at BSD systems.


----------



## SirDice (Dec 20, 2010)

vnd said:
			
		

> Unfortunately there're no notes about protection systems used by FreeBSD like canaries or mprotect restrictions.


Since version 8.0 FreeBSD uses SSP.


----------



## dandelion (Dec 22, 2010)

- GCC's stack smashing protection is not enabled for ports yet, PR ports/138228. Unlike Ubuntu or NetBSD we don't use compile-time protection, i.e. -D_FORTIFY_SOURCE.
- randomized mmap() base is not committed yet, see recent post on arch@
- VDSO is not there yet and there are a few people that don't like how it's implemented

What security features do *you* need? But don't use umbrella terms for a set of patches like PaX or grsecurity. For example, smth like Veriexec can be achieved through MAC, i.e. mac_chkexec.


----------

