Site Navigation

FreeBSD Manual Pages

   man apropos
 
   All Sections 1 - General Commands 2 - System Calls 3 - Subroutines 4 - Special Files 5 - File Formats 6 - Games 7 - Macros and Conventions 8 - Maintenance Commands 9 - Kernel Interface n - New Commands FreeBSD 16.0-CURRENT FreeBSD 15.0-STABLE FreeBSD 14.3-RELEASE FreeBSD 14.3-RELEASE and Ports FreeBSD 14.3-STABLE FreeBSD 14.2-RELEASE FreeBSD 14.2-RELEASE and Ports FreeBSD 14.1-RELEASE FreeBSD 14.1-RELEASE and Ports FreeBSD 14.0-RELEASE FreeBSD 14.0-RELEASE and Ports FreeBSD 13.5-RELEASE FreeBSD 13.5-RELEASE and Ports FreeBSD 13.5-STABLE FreeBSD 13.4-RELEASE FreeBSD 13.4-RELEASE and Ports FreeBSD 13.3-RELEASE FreeBSD 13.3-RELEASE and Ports FreeBSD 13.2-RELEASE FreeBSD 13.2-RELEASE and Ports FreeBSD 13.1-RELEASE FreeBSD 13.1-RELEASE and Ports FreeBSD 13.0-RELEASE FreeBSD 13.0-RELEASE and Ports FreeBSD 12.4-RELEASE FreeBSD 12.4-RELEASE and Ports FreeBSD 12.3-RELEASE FreeBSD 12.3-RELEASE and Ports FreeBSD 12.2-RELEASE FreeBSD 12.2-RELEASE and Ports FreeBSD 12.1-RELEASE FreeBSD 12.1-RELEASE and Ports FreeBSD 12.0-RELEASE FreeBSD 12.0-RELEASE and Ports FreeBSD 11.4-RELEASE FreeBSD 11.4-RELEASE and Ports FreeBSD 11.3-RELEASE FreeBSD 11.3-RELEASE and Ports FreeBSD 11.2-RELEASE FreeBSD 11.2-RELEASE and Ports FreeBSD 11.1-RELEASE FreeBSD 11.1-RELEASE and Ports FreeBSD 11.0-RELEASE FreeBSD 11.0-RELEASE and Ports FreeBSD 10.4-RELEASE FreeBSD 10.4-RELEASE and Ports FreeBSD 10.3-RELEASE FreeBSD 10.3-RELEASE and Ports FreeBSD 10.2-RELEASE FreeBSD 10.2-RELEASE and Ports FreeBSD 10.1-RELEASE FreeBSD 10.1-RELEASE and Ports FreeBSD 10.0-RELEASE FreeBSD 10.0-RELEASE and Ports FreeBSD 9.3-RELEASE FreeBSD 9.3-RELEASE and Ports FreeBSD 9.2-RELEASE FreeBSD 9.2-RELEASE and Ports FreeBSD 9.1-RELEASE FreeBSD 9.1-RELEASE and Ports FreeBSD 9.0-RELEASE FreeBSD 9.0-RELEASE and Ports FreeBSD 8.4-RELEASE FreeBSD 8.4-RELEASE and Ports FreeBSD 8.3-RELEASE FreeBSD 8.3-RELEASE and Ports FreeBSD 8.2-RELEASE FreeBSD 8.2-RELEASE and Ports FreeBSD 8.1-RELEASE FreeBSD 8.1-RELEASE and Ports FreeBSD 8.0-RELEASE FreeBSD 8.0-RELEASE and Ports FreeBSD 7.4-RELEASE FreeBSD 7.4-RELEASE and Ports FreeBSD 7.3-RELEASE FreeBSD 7.3-RELEASE and Ports FreeBSD 7.2-RELEASE FreeBSD 7.2-RELEASE and Ports FreeBSD 7.1-RELEASE FreeBSD 7.1-RELEASE and Ports FreeBSD 7.0-RELEASE FreeBSD 6.4-RELEASE FreeBSD 6.4-RELEASE and Ports FreeBSD 6.3-RELEASE FreeBSD 6.3-RELEASE and Ports FreeBSD 6.2-RELEASE FreeBSD 6.1-RELEASE FreeBSD 6.0-RELEASE FreeBSD 6.0-RELEASE and Ports FreeBSD 5.5-RELEASE FreeBSD 5.5-RELEASE and Ports FreeBSD 5.4-RELEASE FreeBSD 5.4-RELEASE and Ports FreeBSD 5.3-RELEASE FreeBSD 5.3-RELEASE and Ports FreeBSD 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE and Ports FreeBSD 5.2-RELEASE FreeBSD 5.2-RELEASE and Ports FreeBSD 5.1-RELEASE FreeBSD 5.0-RELEASE FreeBSD 4.11-RELEASE FreeBSD 4.11-RELEASE and Ports FreeBSD 4.10-RELEASE FreeBSD 4.10-RELEASE and Ports FreeBSD 4.9-RELEASE FreeBSD 4.9-RELEASE and Ports FreeBSD 4.8-RELEASE FreeBSD 4.8-RELEASE and Ports FreeBSD 4.7-RELEASE FreeBSD 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE and Ports FreeBSD 4.6-RELEASE FreeBSD 4.6-RELEASE and Ports FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE and Ports FreeBSD 4.4-RELEASE FreeBSD 4.3-RELEASE FreeBSD 4.3-RELEASE and Ports FreeBSD 4.2-RELEASE FreeBSD 4.2-RELEASE and Ports FreeBSD 4.1.1-RELEASE FreeBSD 4.1.1-RELEASE and Ports FreeBSD 4.1-RELEASE FreeBSD 4.0-RELEASE FreeBSD 3.5.1-RELEASE FreeBSD 3.5.1-RELEASE and Ports FreeBSD 3.5-RELEASE and Ports FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE and Ports FreeBSD 3.3-RELEASE FreeBSD 3.2-RELEASE FreeBSD 3.1-RELEASE FreeBSD 3.0-RELEASE FreeBSD 2.2.8-RELEASE FreeBSD 2.2.8-RELEASE and Ports FreeBSD 2.2.7-RELEASE FreeBSD 2.2.6-RELEASE FreeBSD 2.2.5-RELEASE FreeBSD 2.2.2-RELEASE FreeBSD 2.2.1-RELEASE FreeBSD 2.1.7.1-RELEASE FreeBSD 2.1.6.1-RELEASE FreeBSD 2.1.5-RELEASE FreeBSD 2.1.0-RELEASE FreeBSD 2.0.5-RELEASE FreeBSD 2.0-RELEASE FreeBSD 1.1.5.1-RELEASE FreeBSD 1.1-RELEASE FreeBSD 1.0-RELEASE FreeBSD Ports 14.3 FreeBSD Ports 14.3.quarterly FreeBSD Ports 14.2 FreeBSD Ports 14.1 FreeBSD Ports 14.0 FreeBSD Ports 13.5 FreeBSD Ports 13.4 FreeBSD Ports 13.3 FreeBSD Ports 13.2 FreeBSD Ports 13.1 FreeBSD Ports 13.0 FreeBSD Ports 12.4 FreeBSD Ports 12.3 FreeBSD Ports 12.2 FreeBSD Ports 12.1 FreeBSD Ports 12.0 FreeBSD Ports 11.4 FreeBSD Ports 11.3 FreeBSD Ports 11.2 FreeBSD Ports 11.1 FreeBSD Ports 11.0 FreeBSD Ports 10.4 FreeBSD Ports 10.3 FreeBSD Ports 10.2 FreeBSD Ports 10.1 FreeBSD Ports 10.0 FreeBSD Ports 9.3 FreeBSD Ports 9.2 FreeBSD Ports 9.1 FreeBSD Ports 9.0 FreeBSD Ports 8.4 FreeBSD Ports 8.3 FreeBSD Ports 8.2 FreeBSD Ports 8.1 FreeBSD Ports 8.0 FreeBSD Ports 7.4 FreeBSD Ports 7.3 FreeBSD Ports 7.2 FreeBSD Ports 7.1 FreeBSD Ports 7.0 FreeBSD Ports 6.4 FreeBSD Ports 6.3 FreeBSD Ports 6.2 FreeBSD Ports 6.0 FreeBSD Ports 5.5 FreeBSD Ports 5.4 FreeBSD Ports 5.3 FreeBSD Ports 5.2.1 FreeBSD Ports 5.2 FreeBSD Ports 5.1 FreeBSD Ports 4.11 FreeBSD Ports 4.10 FreeBSD Ports 4.9 FreeBSD Ports 4.8 FreeBSD Ports 4.7 FreeBSD Ports 4.6.2 FreeBSD Ports 4.6 FreeBSD Ports 4.5 FreeBSD Ports 4.3 FreeBSD Ports 4.2 FreeBSD Ports 4.1.1 FreeBSD Ports 3.5.1 FreeBSD Ports 3.5 FreeBSD Ports 3.4 FreeBSD Ports 2.2.8 4.4BSD Lite2 4.3BSD NET/2 4.3BSD Reno 2.11 BSD 2.10 BSD 2.9.1 BSD 2.8 BSD 386BSD 0.1 386BSD 0.0 CentOS 7.9 CentOS 7.8 CentOS 7.7 CentOS 7.6 CentOS 7.5 CentOS 7.4 CentOS 7.3 CentOS 7.2 CentOS 7.1 CentOS 7.0 CentOS 6.10 CentOS 6.9 CentOS 6.8 CentOS 6.7 CentOS 6.6 CentOS 6.5 CentOS 6.4 CentOS 6.3 CentOS 6.2 CentOS 6.1 CentOS 6.0 CentOS 5.11 CentOS 5.10 CentOS 5.9 CentOS 5.8 CentOS 5.7 CentOS 5.6 CentOS 5.5 CentOS 5.4 CentOS 4.8 CentOS 3.9 Darwin 8.0.1/ppc Darwin 7.0.1 Darwin 6.0.2/x86 Darwin 1.4.1/x86 Darwin 1.3.1/x86 Debian 14.0 unstable Debian 13.1.0 Debian 12.11.0 Debian 11.11.0 Debian 10.13.0 Debian 9.13.0 Debian 8.11.1 Debian 7.11.0 Debian 6.0.10 Debian 5.0.10 Debian 4.0.9 Debian 3.1.8 Debian 2.2.7 Debian 2.0.0 Dell UNIX SVR4 2.2 DragonFly 6.4.0 DragonFly 5.8.3 DragonFly 4.8.1 DragonFly 3.8.2 DragonFly 2.10.1 DragonFly 1.12.1 DragonFly 1.0A HP-UX 11.22 HP-UX 11.20 HP-UX 11.11 HP-UX 11.00 HP-UX 10.20 HP-UX 10.10 HP-UX 10.01 HP-UX 9.07 HP-UX 8.07 Inferno 4th Edition IRIX 6.5.30 Linux Slackware 3.1 MACH 2.5/i386 macOS 26.0 macOS 15.7 macOS 14.8 macOS 13.6.5 macOS 12.7.3 macOS 11.1 macOS 10.15.0 macOS 10.13.6 macOS 10.12.0 Minix 3.3.0 Minix 3.2.1 Minix 3.2.0 Minix 3.1.7 Minix 3.1.6 Minix 3.1.5 Minix 2.0.0 NetBSD 10.1 NetBSD 10.0 NetBSD 9.4 NetBSD 9.3 NetBSD 9.2 NetBSD 9.1 NetBSD 9.0 NetBSD 8.2 NetBSD 8.1 NetBSD 8.0 NetBSD 7.1 NetBSD 7.0 NetBSD 6.1.5 NetBSD 6.0 NetBSD 5.1 NetBSD 5.0 NetBSD 4.0.1 NetBSD 4.0 NetBSD 3.1 NetBSD 3.0 NetBSD 2.1 NetBSD 2.0.2 NetBSD 2.0 NetBSD 1.6.2 NetBSD 1.6.1 NetBSD 1.6 NetBSD 1.5.3 NetBSD 1.5.2 NetBSD 1.5.1 NetBSD 1.5 NetBSD 1.4.3 NetBSD 1.4.2 NetBSD 1.4.1 NetBSD 1.4 NetBSD 1.3.3 NetBSD 1.3.2 NetBSD 1.3.1 NetBSD 1.3 NetBSD 1.2.1 NetBSD 1.2 NetBSD 1.1 NetBSD 1.0 NeXTSTEP 3.3 OpenBSD 7.7 OpenBSD 7.6 OpenBSD 7.5 OpenBSD 7.4 OpenBSD 7.3 OpenBSD 7.2 OpenBSD 7.1 OpenBSD 7.0 OpenBSD 6.9 OpenBSD 6.8 OpenBSD 6.7 OpenBSD 6.6 OpenBSD 6.5 OpenBSD 6.4 OpenBSD 6.3 OpenBSD 6.2 OpenBSD 6.1 OpenBSD 6.0 OpenBSD 5.9 OpenBSD 5.8 OpenBSD 5.7 OpenBSD 5.6 OpenBSD 5.5 OpenBSD 5.4 OpenBSD 5.3 OpenBSD 5.2 OpenBSD 5.1 OpenBSD 5.0 OpenBSD 4.9 OpenBSD 4.8 OpenBSD 4.7 OpenBSD 4.6 OpenBSD 4.5 OpenBSD 4.4 OpenBSD 4.3 OpenBSD 4.2 OpenBSD 4.1 OpenBSD 4.0 OpenBSD 3.9 OpenBSD 3.8 OpenBSD 3.7 OpenBSD 3.6 OpenBSD 3.5 OpenBSD 3.4 OpenBSD 3.3 OpenBSD 3.2 OpenBSD 3.1 OpenBSD 3.0 OpenBSD 2.9 OpenBSD 2.8 OpenBSD 2.7 OpenBSD 2.6 OpenBSD 2.5 OpenBSD 2.4 OpenBSD 2.3 OpenBSD 2.2 OpenBSD 2.1 OpenBSD 2.0 OpenDarwin 7.2.1 OpenDarwin 6.6.2/x86 OpenDarwin 6.6.1/x86 OpenDarwin 20030208pre4/ppc OpenIndiana 2024.10 OpenIndiana 2022.10 OpenIndiana 2020.10 OpenIndiana 2017.10 OpenIndiana 2015.10 OpenIndiana 2013.08 OpenSolaris 2010.03 OpenSolaris 2009.06 OpenStep 4.2 openSUSE 42.3 openSUSE 42.2 openSUSE 42.1 openSUSE 16.0 openSUSE 15.6 openSUSE 15.5 openSUSE 15.4 openSUSE 15.3 openSUSE 15.2 openSUSE 15.1 openSUSE 15.0 openSUSE 13.2 openSUSE 13.1 openSUSE 11.4 openSUSE 11.3 openSUSE 11.2 openSUSE 10.3 openSUSE 10.2 OSF1 V5.1/alpha OSF1 V4.0/alpha OSF1 V1.0/mips Plan 9 Red Hat 9.0 Red Hat 8.0 Red Hat 7.3 Red Hat 7.2 Red Hat 7.1 Red Hat 7.0 Red Hat 6.2 Red Hat 6.1 Red Hat 5.2 Red Hat 5.0 Red Hat 4.2 Rhapsody DR1 Rhapsody DR2 Rocky 10.0 Rocky 9.6 Rocky 9.5 Rocky 9.4 Rocky 9.3 Rocky 9.2 Rocky 9.1 Rocky 9.0 Rocky 8.10 Rocky 8.9 Rocky 8.8 Rocky 8.7 Rocky 8.6 Rocky 8.5 Rocky 8.4 Rocky 8.3 Sun UNIX 0.4 SunOS 5.10 SunOS 5.9 SunOS 5.8 SunOS 5.7 SunOS 5.6 SunOS 5.5.1 SunOS 4.1.3 SuSE 11.3 SuSE 11.2 SuSE 11.1 SuSE 11.0 SuSE 10.3 SuSE 10.2 SuSE 10.1 SuSE 10.0 SuSE 9.3 SuSE 9.2 SuSE 8.2 SuSE 8.1 SuSE 8.0 SuSE 7.3 SuSE 7.2 SuSE 7.1 SuSE 7.0 SuSE 6.4 SuSE 6.3 SuSE 6.1 SuSE 6.0 SuSE 5.3 SuSE 5.2 SuSE 5.0 SuSE 4.3 SuSE ES 10 SP1 Ubuntu 24.04 noble Ubuntu 23.10 mantic Ubuntu 22.04 jammy Ubuntu 20.04 focal Ubuntu 18.04 bionic Ubuntu 16.04 xenial Ubuntu 14.04 trusty ULTRIX 4.2 Ultrix-32 2.0/VAX Unix Seventh Edition X11R7.4 X11R7.3.2 X11R7.2 X11R6.9.0 X11R6.8.2 X11R6.7.0 XFree86 4.8.0 XFree86 4.7.0 XFree86 4.6.0 XFree86 4.5.0 XFree86 4.4.0 XFree86 4.3.0 XFree86 4.2.99.3 XFree86 4.2.0 XFree86 4.1.0 XFree86 4.0.2 XFree86 4.0.1 XFree86 4.0 XFree86 3.3.6 XFree86 3.3 XFree86 2.1 All Architectures html pdf ascii

home | help

---

MITIGATIONS(7)		Miscellaneous Information Manual	MITIGATIONS(7)

NAME
       mitigations -- FreeBSD Security Vulnerability Mitigations

SYNOPSIS
       In  FreeBSD, various security mitigations are employed to limit the im-
       pact of vulnerabilities and protect the system from malicious  attacks.
       Some  of	 these	mitigations have run-time controls to enable them on a
       global or per-process basis, some are optionally	enabled	or disabled at
       compile time, and some are inherent to the implementation and  have  no
       controls.

       The following vulnerability mitigations are covered in this document:

       •   Address Space Layout	Randomization (ASLR)
       •   Position Independent	Executable (PIE)
       •   Write XOR Execute page protection policy
       •   PROT_MAX
       •   Relocation Read-Only	(RELRO)
       •   Bind	Now
       •   Stack Overflow Protection
       •   Supervisor Mode Memory Protection
       •   Capsicum
       •   Firmware and	Microcode
       •   Architectural Vulnerability Mitigations

       Please  note  that  the effectiveness and availability of these mitiga-
       tions may vary depending	on the FreeBSD version and  system  configura-
       tion.

DESCRIPTION
       Security	 vulnerability	mitigations are	techniques employed in FreeBSD
       to limit	the potential impact of	security vulnerabilities  in  software
       and  hardware.	It  is essential to understand that mitigations	do not
       directly	address	the underlying security	issues.	 They are not  a  sub-
       stitute	for  secure  coding  practices.	 Mitigations serve as an addi-
       tional layer of defense,	helping	to reduce the likelihood of a success-
       ful exploitation	of vulnerabilities by making it	more difficult for at-
       tackers to achieve their	objectives.

       This manual page	describes  the	security  mitigations  implemented  in
       FreeBSD	to enhance the overall security	of the operating system.  Each
       mitigation is designed to protect against specific types	of attacks and
       vulnerabilities.

SOFTWARE VULNERABILITY MITIGATIONS
   Address Space Layout	Randomization (ASLR)
       Address Space Layout Randomization  (ASLR)  is  a  security  mitigation
       technique  that	works by randomizing the memory	addresses where	system
       and application code, data, and libraries are loaded,  making  it  more
       challenging for attackers to predict the	memory layout and exploit vul-
       nerabilities.

       ASLR introduces randomness into the memory layout during	process	execu-
       tion,  reducing	the  predictability  of	memory addresses.  ASLR	is in-
       tended to make exploitation more	difficult in the  event	 that  an  at-
       tacker discovers	a software vulnerability, such as a buffer overflow.

       ASLR  can  be  enabled  on both a global	and per-process	basis.	Global
       control is provided by a	separate set of	sysctl(8) knobs	 for  32-  and
       64-bit  processes.   It	can  be	or disabled on a per-process basis via
       proccontrol(1).	Note that an ASLR mode change takes  effect  upon  ad-
       dress space change, i.e., upon execve(2).

       Global controls for 32-bit processes:

       kern.elf32.aslr.enable	   Enable  ASLR	for 32-bit ELF binaries, other
				   than	Position Independent Exectutable (PIE)
				   binaries.

       kern.elf32.aslr.pie_enable  Enable ASLR for 32-bit Position Independent
				   Executable (PIE) ELF	binaries.

       kern.elf32.aslr.honor_sbrk  Reserve the legacy sbrk(2) region for  com-
				   patibility with older binaries.

       kern.elf32.aslr.stack	   Randomize the stack location	for 32-bit ELF
				   binaries.

       Global controls for 64-bit processes:

       kern.elf64.aslr.enable	   Enable  ASLR	for 64-bit ELF binaries, other
				   than	Position Independent Exectutable (PIE)
				   binaries.

       kern.elf64.aslr.pie_enable  Enable ASLR for 64-bit Position Independent
				   Executable (PIE) ELF	binaries.

       kern.elf64.aslr.honor_sbrk  Reserve the legacy sbrk(2) region for  com-
				   patibility with older binaries.

       kern.elf64.aslr.stack	   Randomize the stack location	for 64-bit ELF
				   binaries.

       To execute a command with ASLR enabled or disabled:

       proccontrol -m aslr [-s enable |	disable] command

   Position Independent	Executable (PIE)
       PIE  binaries  are  executable  files that do not have a	fixed load ad-
       dress.  They can	be loaded  at  an  arbitrary  memory  address  by  the
       rtld(1) run-time	linker.	 With ASLR they	are loaded at a	random address
       on each execution.

   Write XOR Execute page protection policy
       Write  XOR  Execute  (W^X)  is a	vulnerability mitigation strategy that
       strengthens the security	of the system  by  controlling	memory	access
       permissions.

       Under  the  W^X	mitigation,  memory  pages may be writable (W) or exe-
       cutable (E), but	not both at the	same time.  This means that code  exe-
       cution is prevented in areas of memory that are designated as writable,
       and writing or modification of memory is	restricted in areas marked for
       execution.   Applications  that	perform	Just In	Time (JIT) compilation
       need to be adapted to be	compatible with	W^X.

       There are separate sysctl(8) knobs to control  W^X  policy  enforcement
       for 32- and 64-bit processes.  The W^X policy is	enabled	by setting the
       appropriate allow_wx sysctl to 0.

       kern.elf32.allow_wx  Allow 32-bit processes to map pages	simultaneously
			    writable and executable.

       kern.elf64.allow_wx  Allow 64-bit processes to map pages	simultaneously
			    writable and executable.

   PROT_MAX
       PROT_MAX	is a FreeBSD-specific extension	to mmap(2).  PROT_MAX provides
       the  ability  to	 set  the  maximum protection of a region allocated by
       mmap(2) and later altered by mprotect(2).  For  example,	 memory	 allo-
       cated  originally  with	an  mmap prot argument of PROT_MAX(PROT_READ |
       PROT_WRITE) | PROT_READ may be made writable by	a  future  mprotect(2)
       call, but may not be made executable.

   Relocation Read-Only	(RELRO)
       Relocation  Read-Only  (RELRO)  is a mitigation tool that makes certain
       portions	of a program's address space that contain ELF  metadata	 read-
       only, after relocation processing by rtld(1).

       When  enabled in	isolation the RELRO option provides partial RELRO sup-
       port.  In this case the Procedure Linkage Table (PLT)-related  part  of
       the Global Offset Table (GOT) (in the section typically named .got.plt)
       remains writable.

       RELRO  is  enabled  by  default.	  The  src.conf(5)  build-time	option
       WITHOUT_RELRO may be used to disable it.

   BIND_NOW
       The WITH_BIND_NOW src.conf(5) build-time	option causes binaries	to  be
       built  with the DF_BIND_NOW flag	set.  The run-time loader rtld(1) will
       then perform all	relocation processing when the process starts, instead
       of on demand (on	the first access to each symbol).

       When enabled in combination with	RELRO (which is	 enabled  by  default)
       this  provides full RELRO.  The entire GOT (.got	and .got.plt) are made
       read-only at program startup, preventing	attacks	on the relocation  ta-
       ble.  Note that this results in a nonstandard Application Binary	Inter-
       face  (ABI), and	it is possible that some applications may not function
       correctly.

   Stack Overflow Protection
       FreeBSD supports	stack overflow protection  using  the  Stack  Smashing
       Protector  (SSP)	compiler feature.  In userland,	SSP adds a per-process
       randomized canary at the	end of every stack frame which is checked  for
       corruption upon return from the function.  In the kernel, a single ran-
       domized	canary	is  used  globally  except  on	aarch64,  which	 has a
       PERTHREAD_SSP config(8) option  to  enable  per-thread  randomized  ca-
       naries.	 If  stack  corruption is detected, then the process aborts to
       avoid potentially malicious execution as	a result  of  the  corruption.
       SSP  may	 be  enabled  or  disabled when	building FreeBSD base with the
       src.conf(5) SSP knob.

       When WITH_SSP is	enabled, which is the default, world is	built with the
       -fstack-protector-strong	compiler option.  The kernel is	built with the
       -fstack-protector option.

       In addition to SSP, a "FORTIFY_SOURCE" implementation is	 supported  up
       to  level  2 by defining	_FORTIFY_SOURCE	to 1 or	2 before including any
       FreeBSD headers.	 FreeBSD world builds can set FORTIFY_SOURCE  to  pro-
       vide    a   default   value   for   _FORTIFY_SOURCE.    When   enabled,
       "FORTIFY_SOURCE"	enables	extra bounds  checking	in  various  functions
       that accept buffers to be written into.	These functions	currently have
       extra bounds checking support:

	     bcopy()	  bzero()     fgets()	  getcwd()	gets()
	     memcpy()	  memmove()   memset()	  read()	readlink()
	     snprintf()	  sprintf()   stpcpy()	  stpncpy()	strcat()
	     strcpy()	  strncat()   strncpy()	  vsnprintf()	vsprintf()

       "FORTIFY_SOURCE"	 requires  compiler  support  from clang(1) or gcc(1),
       which provide the __builtin_object_size(3) function that	is used	to de-
       termine the bounds of an	object.	 This feature works best at  optimiza-
       tion  levels  -O1  and  above, as some object sizes may be less obvious
       without some data that the compiler would collect  in  an  optimization
       pass.

       Similar	to  SSP, violating the bounds of an object will	cause the pro-
       gram to abort in	an effort to avoid malicious execution.	  This	effec-
       tively  provides	 finer-grained	protection  than SSP for some class of
       function	and system calls, along	with some protection for buffers allo-
       cated as	part of	the program data.

   Supervisor mode memory protection
       Certain processors include features that	prevent	unintended  access  to
       memory  pages accessible	to userspace (non-privileged) code, while in a
       privileged mode.	 One feature prevents execution, intended to  mitigate
       exploitation  of	kernel vulnerabilities from userland.  Another feature
       prevents	unintended reads from or writes	to user	space memory from  the
       kernel.	 This  also provides effective protection against NULL pointer
       dereferences from kernel.

	     Architecture    Feature	Access Type Prevented
	     amd64	     SMAP	Read / Write
	     amd64	     SMEP	Execute
	     arm64	     PAN	Read / Write
	     arm64	     PXN	Execute
	     riscv	     SUM	Read / Write
	     riscv	     -		Execute

       These features are automatically	used by	the kernel.  There is no user-
       facing configuration.

   Capsicum
       Capsicum	is a lightweight OS capability	and  sandbox  framework.   See
       capsicum(4) for more information.

HARDWARE VULNERABILITY MITIGATIONS
   Firmware and	Microcode
       Recent  years have seen an unending stream of new hardware vulnerabili-
       ties, notably CPU ones generally	caused	by  detectable	microarchitec-
       tural  side-effects  of	speculative  execution which leak private data
       from some other thread or process or sometimes even internal CPU	 state
       that  is	normally inaccessible.	Hardware vendors usually address these
       vulnerabilities as they are discovered by releasing microcode  updates,
       which  may then be bundled into platform	firmware updates (historically
       called BIOS updates for PCs) or packages	to be updated by the operating
       system at boot time.

       Platform	firmware updates, if available from the	manufacturer, are  the
       best  defense as	they provide coverage during early boot.  Install them
       with sysutils/flashrom from the FreeBSD Ports Collection.

       If platform firmware updates are	no longer available, packaged  microc-
       ode  is available for installation at sysutils/cpu-microcode and	can be
       loaded at runtime using loader.conf(5), see  the	 package  message  for
       more details.

       The  best defense overall against hardware vulnerabilities is to	timely
       apply these updates when	available, as early as possible	 in  the  boot
       process,	and to disable the affected hardware's problematic functional-
       ities when possible (e.g., CPU Simultaneous Multi-Threading).  Software
       mitigations  are	 only  partial	substitutes for	these, but they	can be
       helpful on out-of-support hardware or as	complements  for  just-discov-
       ered vulnerabilities not	yet addressed by vendors.  Some	software miti-
       gations depend on hardware capabilities provided	by a microcode update.

   Architectural Vulnerability Mitigations
       FreeBSD's  usual	policy is to apply by default all OS-level mitigations
       that do not require recompilation, except those the particular hardware
       it is running on	is known not to	 be  vulnerable	 to  (which  sometimes
       requires	 firmware updates), or those that are extremely	detrimental to
       performance in proportion to the	protection they	actually provide.  OS-
       level mitigations generally can have noticeable performance impacts  on
       specific	 workloads.   If  your threat model allows it, you may want to
       try disabling some of them in order to possibly get better performance.
       Conversely, minimizing the risks	may require you	to  explicitly	enable
       the most	expensive ones.	 The description of each vulnerability/mitiga-
       tion  indicates	whether	it is enabled or disabled by default and under
       which conditions.  It also lists	the knobs to tweak to force a particu-
       lar status.

   Zenbleed
       The "Zenbleed" vulnerability exclusively	affects	AMD  processors	 based
       on  the	Zen2  microarchitecture.  In contrast with, e.g., Meltdown and
       the different variants of Spectre, which	leak data by leaving  microar-
       chitectural  traces,  Zenbleed  is a genuine hardware bug affecting the
       CPU's architectural state.  With	particular sequences  of  instructions
       whose last ones are mispredicted	by speculative execution, it is	possi-
       ble  to	make appear in an XMM register data previously put in some XMM
       register	by some	preceding or concurrent	task  executing	 on  the  same
       physical	 core (disabling Simultaneous Muti-Threading (SMT) is thus not
       a sufficient protection).

       According to the	vulnerability's	discoverer, all	Zen2-based  processors
       are affected (see https://lock.cmpxchg8b.com/zenbleed.html).  As	of Au-
       gust 2023, AMD has not publicly listed any corresponding	errata but has
       issued	a  security  bulletin  (AMD-SB-7008)  entitled	"Cross-Process
       Information Leak" indicating that platform firmware fixing the vulnera-
       bility will be distributed to manufacturers no sooner than the  end  of
       2023, except for	Rome processors	for which it is	already	available.  No
       standalone  CPU	microcodes have	been announced so far.	The only read-
       ily-applicable fix mentioned by the discoverer is to set	a  bit	of  an
       undocumented MSR, which reportedly completely stops XMM register	leaks.

       FreeBSD	currently sets this bit	by default on all Zen2 processors.  In
       the future, it might set	it by default only on  those  Zen2  processors
       whose  microcode	 has not been updated to revisions fixing the vulnera-
       bility, once such microcode updates have	 been  actually	 released  and
       community-tested.   To  this  mitigation	 are  associated the following
       knobs:

       machdep.mitigations.zenbleed.enable
	       A read-write integer tunable and	sysctl indicating whether  the
	       mitigation  should  be forcibly disabled	(0), enabled (1) or if
	       it is left to FreeBSD to	selectively apply it (2).   Any	 other
	       integer	value is silently converted to and treated as value 2.
	       Note that this setting is silently ignored when running on non-
	       Zen2 processors to ease applying	a common configuration to het-
	       erogeneous machines.

       machdep.mitigations.zenbleed.state
	       A read-only string indicating the current mitigation state.  It
	       can be  either  "Not  applicable",  if  the  processor  is  not
	       Zen2-based,  "Mitigation	 enabled"  or  "Mitigation  disabled".
	       This state  is  automatically  updated  each  time  the	sysctl
	       machdep.mitigations.zenbleed.enable  is	written	to.  Note that
	       it can become inaccurate	if the chicken bit is set  or  cleared
	       directly	  via  cpuctl(4)  (which  includes  the	 cpucontrol(8)
	       utility).

       The performance impact and threat models	related	to  these  mitigations
       should  be  considered when configuring and deploying them in a FreeBSD
       system.

       Additional mitigation knobs are listed in the "KNOBS AND	 TWEAKS"  sec-
       tion of security(7).

SEE ALSO
       elfctl(1),     proccontrol(1),	  rtld(1),    mmap(2),	  src.conf(5),
       sysctl.conf(5), security(7), cpucontrol(8), sysctl(8)

FreeBSD	14.3			 June 1, 2024			MITIGATIONS(7)

---

NAME | SYNOPSIS | DESCRIPTION | SOFTWARE VULNERABILITY MITIGATIONS | HARDWARE VULNERABILITY MITIGATIONS | SEE ALSO

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=mitigations&manpath=FreeBSD+14.3-RELEASE+and+Ports>

home | help

---

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact