Security Features
Fedora is the thought and action leader in many cutting-edge Linux security initiatives. The following security features were developed by Fedora engineers. In line with Fedora policy, they have been pushed upstream and are available to every Linux distribution that chooses to take advantage of them.
SELinux
Fedora is the first mainstream operating system to ship MAC (Mandatory Access Control) security based on SELinux enabled by default. SELinux was developed in partnership between the NSA (National Security Agency), a US government security agency, and Red Hat, with developers from projects such as Gentoo and Debian. Security Enhanced Linux protects users and processes by mediating every access on the system against a loaded policy, from opening a file to using a socket. Users may write their own SELinux policies according to their risk tolerance. By default, Fedora runs the targeted policy, which confines the network daemons that have the highest chance of being attacked. If one of these programs is compromised, the damage it can do is tightly limited, even if the attacker obtains root inside it.
For example, Apache is protected in four different ways. The httpd executable is built as a PIE and runs under Exec-Shield, so its data pages cannot be executed. The binary file on disk is protected by ELF hardening. Finally, SELinux policy ensures that if httpd is compromised, the process can only append to the Apache logs and modify content in specific directories; it cannot roam through home directories or otherwise interact with the rest of the system.
Exec-Shield
No eXecute (NX)
Modern processors support a feature called NX (No eXecute) that lets the operating system control which regions of memory may be executed. Data memory (the stack and the heap) is flagged non-executable and program memory is flagged non-writeable, so an attacker who overflows a buffer cannot simply jump to the bytes they injected. This defeats the classic buffer overflow exploit that relies on running shellcode from the stack.
Since not all processors support NX, Exec-Shield emulates it on x86 with segment limits: the code segment limit is lowered so that memory above it, where the stack and other data live, cannot be executed. This provides similar, if less precise, protection to hardware NX.
Position Independent Executables (PIE)
PIE is an Exec-Shield technology that lets a programmer build an executable that loads at a different memory address each time it starts. Because an attacker cannot predict where the application's code and data will be, exploits that depend on known addresses become much harder to write. Not all packages in Fedora Core are compiled as PIE executables: position-independent code costs some performance on 32-bit x86 (one fewer general-purpose register and an extra indirection for global accesses), so only selected packages, such as httpd, are built this way.
Applications that are not compiled as PIE still get a smaller amount of protection. prelink normally places binaries and libraries at known addresses; Fedora Core runs prelink every two weeks and re-randomizes the addresses it assigns at each run, so the layout is only stable for that period. Applications compiled as PIE are not prelinked, and all of their addresses are randomized on every execution.
Compile Time Buffer Checks (FORTIFY_SOURCE)
The GCC compiler and the GLIBC C library, from Fedora Core 4 onwards, have gained a feature called "FORTIFY_SOURCE" that detects and stops a subset of buffer overflows before they can do damage. The idea behind FORTIFY_SOURCE is relatively simple: there are cases where the compiler knows the size of a buffer (a fixed-size buffer on the stack, or a buffer that has just been returned by a malloc() call whose size the compiler can see). With a known buffer size, the string and memory functions that write into the buffer can be replaced with variants that check that the write will not overflow.
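The following is an added example, not glibc's or GCC's code: it writes out by hand the check that FORTIFY_SOURCE compiles in. glibc's fortified wrapper (__strcpy_chk) receives the destination size from the compiler and aborts on overflow; here the same check returns a status so the failing case can be exercised without killing the process. The three cases show where the compiler does and does not know the size. The function names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { COPY_OK = 0, COPY_WOULD_OVERFLOW = 1, COPY_NOMEM = -1 };

/* The check FORTIFY_SOURCE inserts. glibc's __strcpy_chk(dst, src, dstsize)
 * behaves like this but calls __chk_fail() (abort) instead of returning;
 * the status form is an assumption of this example so the overflow case can
 * be run safely. */
int checked_strcpy(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src) + 1;          /* bytes needed, including the NUL */
    if (n > dstsize) return COPY_WOULD_OVERFLOW;
    memcpy(dst, src, n);
    return COPY_OK;
}

/* Case 1: a fixed-size stack buffer. Under -O2 -D_FORTIFY_SOURCE=2 the
 * compiler turns `strcpy(name, src)` into `__strcpy_chk(name, src, 16)`;
 * this is that rewrite written out by hand. */
int copy_to_stack_buffer(const char *src)
{
    char name[16];
    return checked_strcpy(name, sizeof name, src);
}

/* Case 2: a heap buffer from malloc() with a constant size. The compiler can
 * see the 32 through __builtin_object_size() and fortifies the call exactly
 * as it does for the stack array. */
int copy_to_heap_buffer(const char *src)
{
    char *buf = malloc(32);
    if (!buf) return COPY_NOMEM;
    int rc = checked_strcpy(buf, 32, src);
    free(buf);
    return rc;
}

/* Case 3: a buffer handed in through a pointer. Its size is unknown to the
 * compiler, so FORTIFY_SOURCE leaves a plain strcpy() unchecked; the only
 * protection is a size the caller passes explicitly, as here. */
int copy_to_callers_buffer(char *dst, size_t dstsize, const char *src)
{
    return checked_strcpy(dst, dstsize, src);
}

int main(void)
{
    char local[16];
    /* __builtin_object_size is what the fortified wrappers consult: it yields
     * 16 when the compiler can see the array and (size_t)-1 (unknown) when it
     * cannot, e.g. without optimisation or through an opaque pointer. */
    printf("compiler's view of local[]: %zu\n", (size_t)__builtin_object_size(local, 0));
    printf("5-char name into 16 bytes:  %d\n", copy_to_stack_buffer("alice"));
    printf("16-char name into 16 bytes: %d\n", copy_to_stack_buffer("0123456789abcdef"));
    return 0;
}
```

Case 3 is the reason FORTIFY_SOURCE only catches a subset of overflows: a write through a pointer whose allocation the compiler cannot see is compiled exactly as before, so the check is only as good as the size information available at the call site.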
References:
http://www.redhat.com/magazine/009jul05/features/execshield/
http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
ELF (Executable and Linkable Format) Data Hardening
These are changes to the layout of the ELF binary that protect the file's own control structures, for example by having the dynamic linker mark relocation data read-only once it has finished with it, so that an attacker who gains a write primitive cannot redirect the program by overwriting them.
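The NX, PIE and ELF hardening features above all leave a mark in the binary's headers, and a practitioner usually wants to check a file for them rather than take the build flags on trust. The following checker is an added example, not Fedora's or any upstream tool's code: it parses the ELF64 header and program headers and reports whether the file is position independent (e_type ET_DYN rather than ET_EXEC), whether PT_GNU_STACK requests a non-executable stack, and whether a PT_GNU_RELRO segment is present. The structures are defined locally so it does not depend on <elf.h>, only little-endian ELF64 is handled, and the sample image it builds for itself is constructed test input (headers only, no code), not a real binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF64 header and program header, laid out as in the ELF specification. */
struct elf64_ehdr {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
};
struct elf64_phdr {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
};

enum { ET_EXEC_TYPE = 2, ET_DYN_TYPE = 3, PF_X_FLAG = 1 };
#define PT_GNU_STACK_TYPE 0x6474e551u   /* stack permissions requested of the kernel */
#define PT_GNU_RELRO_TYPE 0x6474e552u   /* region made read-only after relocation */

/* Result bits of elf64_hardening(). */
enum { H_PIE = 1, H_HAS_GNU_STACK = 2, H_NX_STACK = 4, H_RELRO = 8 };

/* Inspects an in-memory image. Returns a mask of H_* bits, or -1 if it is not
 * a well-formed little-endian ELF64 executable or shared object. A file with
 * no PT_GNU_STACK gets an executable stack by default on x86, so H_NX_STACK
 * is only set when the header is present and lacks PF_X. */
int elf64_hardening(const unsigned char *img, size_t len)
{
    struct elf64_ehdr eh;
    int bits = 0;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0) return -1;
    if (eh.e_ident[4] != 2 || eh.e_ident[5] != 1) return -1;   /* ELFCLASS64, ELFDATA2LSB */
    if (eh.e_type != ET_EXEC_TYPE && eh.e_type != ET_DYN_TYPE) return -1;
    if (eh.e_phentsize != sizeof(struct elf64_phdr)) return -1;
    if (eh.e_phoff > len ||
        (uint64_t)eh.e_phnum * sizeof(struct elf64_phdr) > len - eh.e_phoff)
        return -1;                                  /* program headers must lie inside img */
    if (eh.e_type == ET_DYN_TYPE) bits |= H_PIE;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        struct elf64_phdr ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK_TYPE) {
            bits |= H_HAS_GNU_STACK;
            if (!(ph.p_flags & PF_X_FLAG)) bits |= H_NX_STACK;
        } else if (ph.p_type == PT_GNU_RELRO_TYPE) {
            bits |= H_RELRO;
        }
    }
    return bits;
}

/* Constructed test image: `hardened` gives a PIE with an RW GNU_STACK and a
 * GNU_RELRO segment, otherwise an ET_EXEC with an RWX stack and no RELRO. */
size_t build_sample(unsigned char *out, size_t cap, int hardened)
{
    struct elf64_ehdr eh;
    struct elf64_phdr ph[2];
    uint16_t nph = hardened ? 2 : 1;
    size_t need = sizeof eh + nph * sizeof ph[0];
    if (cap < need) return 0;
    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2; eh.e_ident[5] = 1; eh.e_ident[6] = 1;
    eh.e_type = hardened ? ET_DYN_TYPE : ET_EXEC_TYPE;
    eh.e_machine = 62; eh.e_version = 1;                     /* EM_X86_64 */
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph[0]; eh.e_phnum = nph;
    ph[0].p_type = PT_GNU_STACK_TYPE; ph[0].p_flags = hardened ? 6u : 7u;  /* RW vs RWX */
    ph[1].p_type = PT_GNU_RELRO_TYPE; ph[1].p_flags = 4u;                  /* R */
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, nph * sizeof ph[0]);
    return need;
}

int sample_bits(int hardened)
{
    unsigned char img[256];
    size_t n = build_sample(img, sizeof img, hardened);
    return n ? elf64_hardening(img, n) : -1;
}

int main(int argc, char **argv)
{
    static unsigned char buf[1 << 16];   /* the headers sit at the start of the file */
    if (argc < 2) {
        printf("sample bits: hardened=%d legacy=%d\n", sample_bits(1), sample_bits(0));
        return 0;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    int bits = elf64_hardening(buf, n);
    if (bits < 0) { fprintf(stderr, "%s: not a little-endian ELF64 image\n", argv[1]); return 1; }
    printf("%s: PIE=%d NX-stack=%d RELRO=%d\n", argv[1],
           !!(bits & H_PIE), !!(bits & H_NX_STACK), !!(bits & H_RELRO));
    return 0;
}
```

Run it against a system binary (for example `./elfcheck /usr/sbin/httpd`) to see which of the three markers that build carries; readelf -h and readelf -l show the same e_type and program header fields if you want to confirm the result by hand.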
References:
http://people.redhat.com/drepper/nonselsec.pdf
Restricted Kernel Memory access
Fedora restricts how kernel memory can be overwritten through /dev/mem. Several rootkits install themselves by patching the running kernel through this device, so closing that path makes the system safer and more secure.
References:
http://lwn.net/Articles/160380/
Stack Smash Protection, Buffer Overflow Detection and Variable Reordering
For this release, all of the software in the Fedora Core and Fedora Extras software repositories is compiled with a security feature called fstack-protector. fstack-protector places a canary value on the stack of functions that have local character buffers, just before the saved return address; just before the function returns, the canary is checked. If a buffer overflow has overwritten the return address, it has also overwritten the canary, so the check fails and the program aborts. The canary value is chosen at random each time the application starts, which makes it impractical to guess remotely. This is a security feature that has been backported from GCC 4.1 to the version of the GCC compiler used in Fedora Core 5 test1. The feature (http://gcc.gnu.org/ml/gcc-patches/2005-05/msg01193.html) was written by Red Hat developers and provides functionality similar to the IBM ProPolice/SSP patches. This is in addition to FORTIFY_SOURCE, available from Fedora Core 4 onwards.
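The following is an added example, not GCC's or glibc's code: it models a stack frame as a raw byte array (buffer, then canary, then a pretend saved return address) so the prologue store and the epilogue compare that -fstack-protector emits can be shown in plain C, with the outcome returned as status bits instead of aborting. The canary-mixing function and all the names are this example's own assumptions; the one property copied from glibc is that on little-endian x86 the lowest byte of the canary is zero, so a string copy cannot run through it without being terminated. The last case shows the known limitation: an attacker who has leaked the canary can rewrite it with its own value and the check passes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16
#define CANARY_OFF BUF_SIZE             /* canary sits right after the buffer */
#define RET_OFF (BUF_SIZE + 8)          /* saved return address after the canary */
#define FRAME_SIZE (RET_OFF + 8)

/* Stand-in for the per-process canary glibc derives from the kernel's
 * AT_RANDOM bytes at startup (this mixer is an assumption of the example).
 * The low byte is zeroed as glibc does on little-endian targets. */
uint64_t make_canary(uint64_t seed)
{
    uint64_t x = seed + 0x9e3779b97f4a7c15ULL;
    x = (x ^ (x >> 30)) * 0xbf58476d1ce4e5b9ULL;
    x = (x ^ (x >> 27)) * 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x & ~(uint64_t)0xff;
}

/* Status bits returned by vulnerable_frame(). */
enum { CANARY_SMASHED = 1, RET_OVERWRITTEN = 2 };

/* Models a function with a 16-byte local buffer that copies `n` untrusted
 * bytes into it unchecked, then performs the -fstack-protector epilogue
 * check. Returns a mask of status bits (0 = clean) or -1 if n exceeds the
 * model. Real code calls __stack_chk_fail() and aborts where CANARY_SMASHED
 * is reported here. */
int vulnerable_frame(const unsigned char *input, size_t n, uint64_t canary)
{
    unsigned char frame[FRAME_SIZE];
    const uint64_t saved_ret = 0x0000555555551234ULL;   /* pretend return address */
    uint64_t seen_canary, seen_ret;
    int status = 0;

    if (n > sizeof frame) return -1;
    memset(frame, 0, sizeof frame);
    memcpy(frame + CANARY_OFF, &canary, 8);     /* prologue: store the guard */
    memcpy(frame + RET_OFF, &saved_ret, 8);

    memcpy(frame, input, n);                    /* the bug: no bounds check on n */

    memcpy(&seen_canary, frame + CANARY_OFF, 8);   /* epilogue: compare guard */
    memcpy(&seen_ret, frame + RET_OFF, 8);
    if (seen_canary != canary) status |= CANARY_SMASHED;
    if (seen_ret != saved_ret) status |= RET_OVERWRITTEN;
    return status;
}

/* Overflow with `n` filler bytes: an attacker who does not know the canary. */
int overflow_with_filler(size_t n, uint64_t canary)
{
    unsigned char fill[FRAME_SIZE];
    if (n > sizeof fill) return -1;
    memset(fill, 'A', n);
    return vulnerable_frame(fill, n, canary);
}

/* Overflow by an attacker who has leaked the canary (for example through a
 * format string bug): the guard is rewritten with its own value, the check
 * passes, and only the return address changes. */
int overflow_with_known_canary(uint64_t canary)
{
    unsigned char payload[FRAME_SIZE];
    const uint64_t new_ret = 0x4242424242424242ULL;
    memset(payload, 'A', BUF_SIZE);
    memcpy(payload + CANARY_OFF, &canary, 8);
    memcpy(payload + RET_OFF, &new_ret, 8);
    return vulnerable_frame(payload, sizeof payload, canary);
}

int main(void)
{
    uint64_t c = make_canary(0x1234);
    printf("5 bytes:      status %d\n", overflow_with_filler(5, c));
    printf("20 bytes:     status %d\n", overflow_with_filler(20, c));
    printf("32 bytes:     status %d\n", overflow_with_filler(32, c));
    printf("known canary: status %d\n", overflow_with_known_canary(c));
    return 0;
}
```

The 20-byte case is the one the feature is built for: the copy stops short of the return address but still crosses the canary, so the program aborts rather than returning through attacker-controlled data. The known-canary case is why stack protection is paired with the other features on this page; it detects corruption, it does not prevent it, and a separate information leak defeats it.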
References:
http://gcc.gnu.org/gcc-4.1/changes.html