FortiGate
pciurea
Staff

Description
This article describes how to check Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) status on the FortiGate.

Solution
FortiOS has these features enabled on most devices (low-end units excepted).
FortiOS has met these requirements since 5.4.0 (ASLR) and 5.4.1 (DEP).

Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) can be checked from the CLI with the following commands:

[ASLR]
# fnsysctl cat /proc/sys/kernel/randomize_va_space
2
(0 = ASLR disabled, 1 = partial: stack, mmap base, VDSO and shared libraries are randomized, 2 = full: the brk heap is randomized as well; 2 is the expected value)
[DEP]

Two types of DEP are used: hardware-enforced plus software-emulated on units with Intel processors, and software-emulated only on System-on-a-Chip (SoC) units.
Hardware-enforced DEP (Intel cores expose the NX flag; on a VM the flag is inherited from the CPU of the physical host) can be checked with:

# fnsysctl cat /proc/cpuinfo
flags : ... nx ...

Software-emulated DEP: for each running process, check the permission field of the [stack] line in /proc/<pid>/maps. No x (execute) bit on the stack mapping means the stack cannot be executed, i.e. stack protection is in place. Kernel threads (shown in brackets in the ps output, e.g. [kthreadd]) have no user-space memory map and therefore no [stack] line, so skip them.
Get the PIDs of the running processes with:

# fnsysctl ps

PID UID GID STATE CMD
1 0 0 S /bin/initXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2 0 0 S [kthreadd]
3 0 0 S [ksoftirqd/0]
4 0 0 S [kworker/0:0]
6 0 0 S [migration/0]
7 0 0 S [migration/1]
9 0 0 S [ksoftirqd/1]
10 0 0 S [migration/2]
11 0 0 S [kworker/2:0]

Replace <pid> in the following command with a value from the PID column of the output above and ensure no x bit is set in the [stack] line.

# fnsysctl cat /proc/<pid>/maps

Example: # fnsysctl cat /proc/1/maps

7fff8d6c8000-7fff8d6e9000 rw-p 00000000 00:00 0 [stack]
(permissions rw-p: readable, writable, not executable, private mapping)
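To run the same three checks over output saved from a CLI session (for instance a terminal log of the fnsysctl commands above), the following POSIX shell script is an added example and not Fortinet's own code. The ps, cpuinfo and maps contents it writes are constructed samples modelled on the output shown above; /bin/example_daemon is a made-up process name used only to show a second user-space PID.

```shell
#!/bin/sh
# Added example (not Fortinet code): offline parser for output saved from the
# FortiGate CLI checks. Save each fnsysctl command's output to a text file and
# point these functions at it.

# Map the randomize_va_space value to its meaning (Linux kernel semantics).
aslr_status() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "partial (stack, mmap base, VDSO and libraries randomized; brk heap fixed)" ;;
        2) echo "full (brk heap randomized as well)" ;;
        *) echo "unknown value: $1" ;;
    esac
}

# Succeed when a saved /proc/cpuinfo has the nx flag on a "flags" line.
# Word match, so a flag that merely contains the letters "nx" does not count.
has_nx_flag() {
    grep -E '^flags[[:space:]]*:' "$1" |
        grep -Eq '(^|[[:space:]])nx([[:space:]]|$)'
}

# Print the PIDs of user-space processes from a saved "fnsysctl ps" listing.
# Kernel threads appear as [bracketed] names and have an empty maps file.
user_pids() {
    awk 'NR > 1 && $NF !~ /^\[/ { print $1 }' "$1"
}

# Exit status: 0 = stack mapping is non-executable, 1 = executable stack,
# 2 = no [stack] line found in the saved /proc/<pid>/maps file.
stack_nonexec() {
    perms=$(awk '$NF == "[stack]" { print $2 }' "$1")
    [ -n "$perms" ] || return 2
    case "$perms" in
        ??x*) return 1 ;;   # third permission character is x: executable
        *)    return 0 ;;
    esac
}

# Write constructed sample files (modelled on the CLI output above) into $1.
write_samples() {
    cat > "$1/ps.txt" <<'EOF'
PID UID GID STATE CMD
1 0 0 S /bin/initXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2 0 0 S [kthreadd]
3 0 0 S [ksoftirqd/0]
42 0 0 S /bin/example_daemon
EOF
    cat > "$1/cpuinfo_intel.txt" <<'EOF'
processor : 0
vendor_id : GenuineIntel
flags : fpu vme de pse tsc msr pae mce cx8 apic sep pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm
EOF
    cat > "$1/cpuinfo_nonx.txt" <<'EOF'
processor : 0
flags : fpu vme de pse tsc msr pae mce cx8 apic sep pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall lm
EOF
    cat > "$1/maps_ok.txt" <<'EOF'
00400000-0046a000 r-xp 00000000 08:01 123 /bin/init
7fff8d6c8000-7fff8d6e9000 rw-p 00000000 00:00 0 [stack]
EOF
    cat > "$1/maps_exec.txt" <<'EOF'
00400000-0046a000 r-xp 00000000 08:01 123 /bin/init
7fff8d6c8000-7fff8d6e9000 rwxp 00000000 00:00 0 [stack]
EOF
}

# Demo run over the constructed samples.
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    echo "ASLR: $(aslr_status 2)"
    has_nx_flag "$d/cpuinfo_intel.txt" && echo "NX: present (hardware DEP available)"
    has_nx_flag "$d/cpuinfo_nonx.txt" || echo "NX: absent (software-emulated DEP only)"
    for pid in $(user_pids "$d/ps.txt"); do
        echo "PID $pid is a user-space process: check /proc/$pid/maps"
    done
    for f in maps_ok maps_exec; do
        if stack_nonexec "$d/$f.txt"; then
            echo "$f: stack is non-executable (OK)"
        else
            echo "$f: stack is executable or missing (CHECK)"
        fi
    done
    rm -rf "$d"
}

demo
```

On a Linux host with shell access the same functions can be pointed directly at /proc/cpuinfo and /proc/<pid>/maps; on the FortiGate there is no shell, so the input has to be the captured fnsysctl output.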
Related reading on Linux kernel support for DEP and ASLR:
https://docs.oracle.com/html/E36387_03/ol_kernel_sec.html
