PaX Segvguard monitors the number of segmentation faults in a program on a per-user basis, in an attempt to detect on-going exploitation attempts and possibly prevent them. For instance, PaX Segvguard can help detect when an attacker tries to brute-force a function return address when attempting a return-to-lib attack.
PaX Segvguard consumes kernel memory, so use it wisely. While it provides rate-limiting protections, records are tracked for all users on a per-program basis, meaning that irresponsible use may result in tracking all segmentation faults in the system, possibly consuming all kernel memory.
For this reason, it is highly recommended to have PaX Segvguard enabled explicitly only for network services or other processes deemed critical to system security. Enabling PaX Segvguard explicitly works like this:
# paxctl +G /usr/sbin/sshd
However, a global knob is still provided, for use in strict environments with no local users (for example, some network appliances, embedded devices, and firewalls):
# sysctl -w security.pax.segvguard.global=1
Explicitly disabling PaX Segvguard is also possible:
In addition, PaX Segvguard provides several tunable options. For example, to limit a program to 5 segmentation faults from the same user in a 60 second timeframe:
# sysctl -w security.pax.segvguard.max_crashes=5
# sysctl -w security.pax.segvguard.expiry_timeout=60
The number of seconds a user will be suspended from running the culprit program is also configurable. For example, 10 minutes seems like a sane setting:
# sysctl -w security.pax.segvguard.suspend_timeout=600
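To see how the three tunables above and the per-program versus global enabling interact, here is an added example (not NetBSD's kernel code, and not part of the original page): a simplified Python model of the Segvguard policy, with max_crashes faults per user per program inside an expiry_timeout window triggering a suspend_timeout lockout. The record layout, the reset of the counter once a window elapses, and identifying a program by its path are assumptions made for the model; the sample fault events are constructed.

```python
"""Added example: a simplified model of the PaX Segvguard policy knobs.

This is not NetBSD's implementation.  It models the documented behaviour of
security.pax.segvguard.{global,max_crashes,expiry_timeout,suspend_timeout}
and of per-program enabling (paxctl +G) so the interaction of the knobs can
be explored offline.  Record layout and reset details are assumptions.
"""


class SegvGuardModel:
    """Per-(uid, program) segmentation-fault rate limiter."""

    def __init__(self, max_crashes=5, expiry_timeout=60, suspend_timeout=600,
                 global_enabled=False, guarded_programs=()):
        self.max_crashes = max_crashes          # faults tolerated inside one window
        self.expiry_timeout = expiry_timeout    # window length in seconds
        self.suspend_timeout = suspend_timeout  # suspension length in seconds
        self.global_enabled = global_enabled    # security.pax.segvguard.global=1
        self.guarded = set(guarded_programs)    # binaries marked with paxctl +G
        # (uid, program) -> record.  Every entry costs kernel memory in the
        # real implementation, which is why the page warns against using the
        # global knob on systems with local users.
        self.records = {}

    def is_guarded(self, program):
        return self.global_enabled or program in self.guarded

    def is_suspended(self, uid, program, now):
        rec = self.records.get((uid, program))
        return rec is not None and now < rec["suspended_until"]

    def record_fault(self, uid, program, now):
        """Handle one segmentation fault of `program` running as `uid` at `now`.

        Returns "unguarded", "allow", "suspend" or "blocked".
        """
        if not self.is_guarded(program):
            return "unguarded"
        key = (uid, program)
        rec = self.records.get(key)
        if rec is None:
            rec = {"crashes": 0, "expiry": now + self.expiry_timeout,
                   "suspended_until": 0}
            self.records[key] = rec
        if now < rec["suspended_until"]:
            return "blocked"            # still serving a suspension
        if now >= rec["expiry"]:
            # window elapsed: earlier faults no longer count (assumed reset)
            rec["crashes"] = 0
            rec["expiry"] = now + self.expiry_timeout
        rec["crashes"] += 1
        if rec["crashes"] >= self.max_crashes:
            rec["suspended_until"] = now + self.suspend_timeout
            rec["crashes"] = 0
            rec["expiry"] = 0
            return "suspend"
        return "allow"

    def record_count(self):
        """Number of tracked (uid, program) records, i.e. the memory footprint."""
        return len(self.records)


def replay(model, events):
    """Feed constructed (time, uid, program) fault events; return the decisions."""
    return [model.record_fault(uid, prog, t) for t, uid, prog in events]


# Constructed sample: one user hammering sshd, a second user faulting once,
# a fault in a binary that is not guarded, and a fault after the suspension.
SAMPLE_EVENTS = [
    (0, 1000, "/usr/sbin/sshd"), (1, 1000, "/usr/sbin/sshd"),
    (2, 1000, "/usr/sbin/sshd"), (3, 1000, "/usr/sbin/sshd"),
    (4, 1000, "/usr/sbin/sshd"),    # fifth fault inside 60 s -> suspend
    (10, 1000, "/usr/sbin/sshd"),   # during the suspension -> blocked
    (10, 1001, "/usr/sbin/sshd"),   # different uid, separate record
    (10, 1000, "/usr/bin/ssh"),     # not marked +G, global off -> unguarded
    (605, 1000, "/usr/sbin/sshd"),  # suspension over, counting restarts
]


def run_sample():
    """Run the constructed events with the page's example settings."""
    model = SegvGuardModel(guarded_programs=["/usr/sbin/sshd"])
    return replay(model, SAMPLE_EVENTS), model.record_count()


if __name__ == "__main__":
    decisions, nrec = run_sample()
    for (t, uid, prog), decision in zip(SAMPLE_EVENTS, decisions):
        print(f"t={t:4d} uid={uid} {prog}: {decision}")
    print("tracked records:", nrec)
```

Running the sample shows the first four faults allowed, the fifth turning into a suspension, the sixth blocked, the other user and the unguarded binary unaffected, and only two records held for the whole run; switching on global_enabled makes every binary on the system produce records, which is the memory cost the text warns about.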