Features

Differences between revisions 9 and 22 (spanning 13 versions)
Revision 9 as of 2009-07-24 21:56:08
Size: 17575
Editor: c-76-105-212-198
Comment: and link back to AA profiles
Revision 22 as of 2009-09-29 19:44:27
Size: 19347
Editor: c-76-105-168-175
Comment: try to explain RELRO a little better
Deletions are marked like this. Additions are marked like this.
Line 8: Line 8:
|| '''feature''' || '''6.06 LTS''' || '''8.04 LTS''' || '''8.10''' || '''9.04''' || '''9.10''' ||
|| No Open Ports ||<#00dd00> policy ||<#00dd00> policy ||<#00dd00> policy ||<#00dd00> policy ||<#00dd00> policy ||
|| Password hashing ||<#00dd00> md5 ||<#00dd00> md5 ||<#00dd00> sha512 ||<#00dd00> sha512 ||<#00dd00> sha512 ||
|| App``Armor ||<#dddddd> -- ||<#00dd00> 2.1+svn1075 ||<#00dd00> 2.3 ||<#00dd00> 2.3 ||<#00dd00> 2.3.1 ||
|| SELinux ||<#dddddd> -- ||<#98fd98> 2.0.55 (universe) ||<#98fd98> universe ||<#98fd98> universe ||<#98fd98> universe ||
|| SMACK ||<#dddddd> -- ||<#dddddd> -- ||<#98fd98> kernel ||<#98fd98> kernel ||<#98fd98> kernel ||
|| FS capabilities ||<#dddddd> -- ||<#dddddd> -- ||<#98fd98> kernel ||<#98fd98> kernel ||<#98fd98> kernel ||
|| Configurable Firewall ||<#98fd98> iptables ||<#00dd00> ufw ||<#00dd00> ufw ||<#00dd00> ufw ||<#00dd00> ufw ||
|| Encrypted LVM ||<#98fd98> alt installer ||<#98fd98> alt installer ||<#98fd98> alt installer ||<#98fd98> alt installer ||<#98fd98> installer ||
|| eCryptfs ||<#dddddd> -- ||<#dddddd> -- ||<#98fd98> ~/Private ||<#98fd98> ~/Private or ~, filenames ||<#98fd98> ~/Private or ~, filenames ||
|| Stack Protector ||<#dddddd> -- ||<#00dd00> gcc patch ||<#00dd00> gcc patch ||<#00dd00> gcc patch ||<#00dd00> gcc patch ||
|| Heap Protector ||<#00dd00> glibc ||<#00dd00> glibc ||<#00dd00> glibc ||<#00dd00> glibc ||<#00dd00> glibc ||
|| libc pointer obfuscation ||<#dddddd> -- ||<#00dd00> glibc ||<#00dd00> glibc ||<#00dd00> glibc ||<#00dd00> glibc ||
|| stack ASLR ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||
|| mmap/libs ASLR ||<#00dd00> kernel (i386 only) ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||
|| exec ASLR ||<#dddddd> -- ||<#00dd00> kernel (-mm patch) ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||
|| brk ASLR ||<#dddddd> -- ||<#00dd00> kernel (exec ASLR) ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||
|| vdso ASLR ||<#dddddd> -- ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||
|| Built as PIE ||<#dddddd> -- ||<#dddddd> -- ||<#00dd00> package list ||<#00dd00> package list ||<#00dd00> package list ||
|| Built w/ Fortify Source ||<#dddddd> -- ||<#dddddd> -- ||<#00dd00> gcc patch ||<#00dd00> gcc patch ||<#00dd00> gcc patch ||
|| Built w/ relro ||<#dddddd> -- ||<#dddddd> -- ||<#00dd00> gcc patch ||<#00dd00> gcc patch ||<#00dd00> gcc patch ||
|| Built w/ BIND_NOW ||<#dddddd> -- ||<#dddddd> -- ||<#dddddd> -- ||<#dddddd> -- ||<#00dd00> package list ||
|| Non-Exec Memory ||<#00dd00> PAE only ||<#00dd00> PAE only ||<#00dd00> PAE only ||<#00dd00> PAE only ||<#00dd00> PAE, ia32 partial-NX-emulation ||
|| /proc/$pid/maps protection ||<#dddddd> -- ||<#00dd00> kernel & sysctl ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||
|| 0-address protection ||<#dddddd> -- ||<#00dd00> kernel & sysctl ||<#00dd00> kernel & sysctl ||<#00dd00> kernel ||<#00dd00> kernel ||
|| /dev/mem protection ||<#00dd00> kernel ||<#00dd00> kernel (-mm patch) ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||
|| /dev/kmem disabled ||<#dddddd> -- ||<#00dd00> kernel (-mm patch) ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||
|| PR_SET_SECCOMP ||<#dddddd> -- ||<#98fd98> kernel ||<#98fd98> kernel ||<#98fd98> kernel ||<#98fd98> kernel ||
|| SYN cookies ||<#98fd98> kernel ||<#98fd98> kernel ||<#98fd98> kernel ||<#00dd00> kernel & sysctl ||<#00dd00> kernel & sysctl||
|| CONFIG_DEBUG_RODATA ||<#dddddd> -- ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||
|| CONFIG_CC_STACKPROTECTOR ||<#dddddd> -- ||<#dddddd> -- ||<#dddddd> -- ||<#dddddd> -- ||<#00dd00> kernel ||

|| '''feature''' || '''6.06 LTS'''   || '''8.04 LTS'''   || '''8.10''' || '''9.04''' || '''9.10''' ||
|| No Open Ports ||<#00dd00> policy   ||<#00dd00> policy   ||<#00dd00> policy ||<#00dd00> policy ||<#00dd00> policy ||
|| Password hashing ||<#00dd00> md5   ||<#00dd00> md5   ||<#00dd00> sha512 ||<#00dd00> sha512 ||<#00dd00> sha512 ||
|| App``Armor ||<#dddddd> --   ||<#00dd00> 2.1+svn1075   ||<#00dd00> 2.3 ||<#00dd00> 2.3 ||<#00dd00> 2.3.1 ||
|| SELinux ||<#dddddd> --   ||<#98fd98> 2.0.55 (universe)   ||<#98fd98> universe ||<#98fd98> universe ||<#98fd98> universe ||
|| SMACK ||<#dddddd> --   ||<#dddddd> -- ||<#98fd98> kernel ||<#98fd98> kernel ||<#98fd98> kernel ||
|| FS capabilities ||<#dddddd> --   ||<#dddddd> -- ||<#98fd98> kernel ||<#98fd98> kernel ||<#98fd98> kernel ||
|| Configurable Firewall ||<#98fd98> iptables   ||<#00dd00> ufw   ||<#00dd00> ufw ||<#00dd00> ufw ||<#00dd00> ufw ||
|| Encrypted LVM ||<#98fd98> alt installer   ||<#98fd98> alt installer   ||<#98fd98> alt installer ||<#98fd98> alt installer ||<#98fd98> installer ||
|| eCryptfs ||<#dddddd> --   ||<#dddddd> -- ||<#98fd98> ~/Private ||<#98fd98> ~/Private or ~, filenames ||<#98fd98> ~/Private or ~, filenames ||
|| Stack Protector ||<#dddddd> --   ||<#00dd00> gcc patch   ||<#00dd00> gcc patch ||<#00dd00> gcc patch ||<#00dd00> gcc patch ||
|| Heap Protector ||<#00dd00> glibc   ||<#00dd00> glibc   ||<#00dd00> glibc ||<#00dd00> glibc ||<#00dd00> glibc ||
|| libc pointer obfuscation ||<#dddddd> --   ||<#00dd00> glibc   ||<#00dd00> glibc ||<#00dd00> glibc ||<#00dd00> glibc ||
|| stack ASLR ||<#00dd00> kernel   ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||
|| mmap/libs ASLR ||<#00dd00> kernel (i386 only)   ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||
|| exec ASLR ||<#dddddd> --   ||<#00dd00> kernel (-mm patch)   ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||
|| brk ASLR ||<#dddddd> --   ||<#98fd98> kernel (exec ASLR)   ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||
|| vdso ASLR ||<#dddddd> --   ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||
|| Built as PIE ||<#dddddd> --   ||<#dddddd> -- ||<#00dd00> package list ||<#00dd00> package list ||<#00dd00> package list ||
|| Built w/ Fortify Source ||<#dddddd> --   ||<#dddddd> -- ||<#00dd00> gcc patch ||<#00dd00> gcc patch ||<#00dd00> gcc patch ||
|| Built w/ relro ||<#dddddd> --   ||<#dddddd> -- ||<#00dd00> gcc patch ||<#00dd00> gcc patch ||<#00dd00> gcc patch ||
|| Built w/ BIND_NOW ||<#dddddd> --   ||<#dddddd> -- ||<#dddddd> -- ||<#dddddd> -- ||<#00dd00> package list ||
|| Non-Exec Memory ||<#00dd00> PAE only   ||<#00dd00> PAE only   ||<#00dd00> PAE only ||<#00dd00> PAE only ||<#00dd00> PAE, ia32 partial-NX-emulation ||
|| /proc/$pid/maps protection ||<#dddddd> --   ||<#00dd00> kernel & sysctl   ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||
|| 0-address protection ||<#dddddd> --   ||<#00dd00> kernel & sysctl   ||<#00dd00> kernel & sysctl ||<#00dd00> kernel ||<#00dd00> kernel ||
|| /dev/mem protection ||<#00dd00> kernel   ||<#00dd00> kernel (-mm patch)   ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||
|| /dev/kmem disabled ||<#dddddd> --   ||<#00dd00> kernel (-mm patch)   ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||
|| Block module loading ||<#98fd98> drop CAP_SYS_MODULES ||<#98fd98> drop CAP_SYS_MODULES ||<#dddddd> -- ||<#dddddd> -- ||<#98fd98> sysct
l ||
|| PR_SET_SECCOMP ||<#dddddd> --   ||<#98fd98> kernel   ||<#98fd98> kernel ||<#98fd98> kernel ||<#98fd98> kernel ||
|| SYN cookies ||<#98fd98> kernel   ||<#98fd98> kernel   ||<#98fd98> kernel ||<#00dd00> kernel & sysctl ||<#00dd00> kernel & sysctl||
|| CONFIG_DEBUG_RODATA ||<#dddddd> --   ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||<#00dd00> kernel ||
|| CONFIG_CC_STACKPROTECTOR ||<#dddddd> --   ||<#dddddd> -- ||<#dddddd> -- ||<#dddddd> -- ||<#00dd00> kernel ||
Line 43: Line 42:
By policy, default installations of Ubuntu must have no listening network services after initial install. Exceptions to this rule include network infrastructure services such as DHCP and Avahi. When installing Ubuntu Server, the administrator can, of course, select specific services to install beyond the defaults (e.g. Apache). <<Include(SecurityTeam/Policies, , from="== No Open Ports ==", to="==")>>
Line 52: Line 51:
[[https://help.ubuntu.com/community/AppArmor|AppArmor]] is a path-based MAC. Examples profiles are found in the apparmor-profiles package from universe, and by-default shipped [[SecurityTeam/KnowledgeBase/AppArmorProfiles|enforcing profiles]] are being built up: [[https://help.ubuntu.com/community/AppArmor|AppArmor]] is a path-based MAC. Example profiles are found in the apparmor-profiles package from universe, and by-default shipped [[SecurityTeam/KnowledgeBase/AppArmorProfiles|enforcing profiles]] are being built up:
Line 54: Line 53:
<<Include(SecurityTeam/KnowledgeBase/AppArmorProfiles, , from="=== Enforcing Profiles in Main ===", to="===")>> <<Include(SecurityTeam/KnowledgeBase/AppArmorProfiles, , from="=== Supported profiles in main ===", to="===")>>
Line 84: Line 83:
=== stack ASLR === === ASLR ===
Address Space Layout Randomisation (ASLR) is implemented by the kernel and the ELF loader by randomising the location of memory allocations (stack, heap, shared libraries, etc). This makes memory addresses harder to predict when an attacker is attempting a memory-corruption exploit.

==== stack ASLR ====
Line 87: Line 89:
=== mmap ASLR === ==== mmap ASLR ====
Line 90: Line 92:
=== exec ASLR === ==== exec ASLR ====
Line 93: Line 95:
=== brk ASLR === ==== brk ASLR ====
Line 96: Line 98:
=== vdso ASLR === ==== vdso ASLR ====
Line 103: Line 105:
All programs built with "-fPIE -pie" can take advantage of the exec ASLR. This protects against "return-to-text" and generally frustrates memory corruption attacks. This requires centralized changes to the compiler options when building the entire archive. PIE has a large (5-10%) performance penalty on architectures with small numbers of general registers (e.g. x86), so it should only be used for a [[SecurityTeam/KnowledgeBase/BuiltPIE|select number of security-critical packages]] (some upstreams natively support building with PIE, other require the use of "hardening-wrapper" to force on the correct compiler and linker flags). PIE on x86_64 does not have the same penalties, and will eventually be made the default, but more testing is required. All programs built as Position Independent Executables (PIE) with "-fPIE -pie" can take advantage of the exec ASLR. This protects against "return-to-text" and generally frustrates memory corruption attacks. This requires centralized changes to the compiler options when building the entire archive. PIE has a large (5-10%) performance penalty on architectures with small numbers of general registers (e.g. x86), so it should only be used for a [[SecurityTeam/KnowledgeBase/BuiltPIE|select number of security-critical packages]] (some upstreams natively support building with PIE, other require the use of "hardening-wrapper" to force on the correct compiler and linker flags). PIE on x86_64 does not have the same penalties, and will eventually be made the default, but more testing is required.
Line 105: Line 107:
<<Include(SecurityTeam/KnowledgeBase/BuiltPIE, , from="== Built as Position Independent Executables ==", to="---")>> <<Include(SecurityTeam/KnowledgeBase/BuiltPIE, , from="=== Supported Position Independent Executables in main ===", to="===")>>
Line 114: Line 116:
=== relro ===
Hardens ELF programs against loader memory area overwrites. This reduces the area of possible GOT-overwrite-style memory corruption attacks.
=== RELRO ===
Hardens ELF programs against loader memory area overwrites by having the loader mark any areas of the relocation table as read-only for any symbols resolved at load-time. This reduces the area of possible GOT-overwrite-style memory corruption attacks.
Line 121: Line 123:
Most modern CPUs protect against executing non-executable memory regions (heap, stack, etc), but requires that the kernel use "PAE" addressing. This is the default for 64bit and on the ia32 -server kernels. This protection reduces the areas an attacker can use to perform arbitrary code execution. The protection is partially emulated on ia32 without PAE starting in Ubuntu 9.10. Most modern CPUs protect against executing non-executable memory regions (heap, stack, etc), but requires that the kernel use "PAE" addressing. This is known either as Non-eXecute (NX) or eXecute-Disable (XD). This is the default for 64bit and on the ia32 {{{-server}}} and {{{-generic-pae}}} kernels. This protection reduces the areas an attacker can use to perform arbitrary code execution. The protection is partially emulated on ia32 without PAE starting in Ubuntu 9.10.  After booting, you can see what NX protection is in effect:
 * Hardware-based (via PAE mode): {{{
[ 0.000000] NX (Execute Disable) protection: active}}}
 * Partial Emulation (via segment limits): {{{
[ 0.000000] Using x86 segment limits to approximate NX protection}}}
If neither are seen, you do not have any NX protections enabled (check your BIOS settings and CPU capabilities).
Line 134: Line 141:

=== Block module loading ===
In Ubuntu 8.04 and earlier, it was possible to [[http://www.debian.org/doc/manuals/securing-debian-howto/ch10.en.html#s-proactive|remove CAP_SYS_MODULES from the system-wide capability bounding set]], which would stop any new kernel modules from being loaded. This was another layer of protection to stop kernel rootkits from being installed. The 2.6.25 Linux kernel (Ubuntu 8.10) changed how bounding sets worked, and this functionality disappeared. Starting with Ubuntu 9.10, it is now [[http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3d43321b7015387cfebbe26436d0e9d299162ea1|possible to block module loading]] again by setting "1" in {{{/proc/sys/kernel/modules_disabled}}}.

Feature Matrix

By Default

Available

Unimplemented

feature

6.06 LTS

8.04 LTS

8.10

9.04

9.10

No Open Ports

policy

policy

policy

policy

policy

Password hashing

md5

md5

sha512

sha512

sha512

AppArmor

--

2.1+svn1075

2.3

2.3

2.3.1

SELinux

--

2.0.55 (universe)

universe

universe

universe

SMACK

--

--

kernel

kernel

kernel

FS capabilities

--

--

kernel

kernel

kernel

Configurable Firewall

iptables

ufw

ufw

ufw

ufw

Encrypted LVM

alt installer

alt installer

alt installer

alt installer

installer

eCryptfs

--

--

~/Private

~/Private or ~, filenames

~/Private or ~, filenames

Stack Protector

--

gcc patch

gcc patch

gcc patch

gcc patch

Heap Protector

glibc

glibc

glibc

glibc

glibc

libc pointer obfuscation

--

glibc

glibc

glibc

glibc

stack ASLR

kernel

kernel

kernel

kernel

kernel

mmap/libs ASLR

kernel (i386 only)

kernel

kernel

kernel

kernel

exec ASLR

--

kernel (-mm patch)

kernel

kernel

kernel

brk ASLR

--

kernel (exec ASLR)

kernel

kernel

kernel

vdso ASLR

--

kernel

kernel

kernel

kernel

Built as PIE

--

--

package list

package list

package list

Built w/ Fortify Source

--

--

gcc patch

gcc patch

gcc patch

Built w/ relro

--

--

gcc patch

gcc patch

gcc patch

Built w/ BIND_NOW

--

--

--

--

package list

Non-Exec Memory

PAE only

PAE only

PAE only

PAE only

PAE, ia32 partial-NX-emulation

/proc/$pid/maps protection

--

kernel & sysctl

kernel

kernel

kernel

0-address protection

--

kernel & sysctl

kernel & sysctl

kernel

kernel

/dev/mem protection

kernel

kernel (-mm patch)

kernel

kernel

kernel

/dev/kmem disabled

--

kernel (-mm patch)

kernel

kernel

kernel

Block module loading

drop CAP_SYS_MODULES

drop CAP_SYS_MODULES

--

--

sysctl

PR_SET_SECCOMP

--

kernel

kernel

kernel

kernel

SYN cookies

kernel

kernel

kernel

kernel & sysctl

kernel & sysctl

CONFIG_DEBUG_RODATA

--

kernel

kernel

kernel

kernel

CONFIG_CC_STACKPROTECTOR

--

--

--

--

kernel

No Open Ports

Default installations of Ubuntu must have no listening network services after initial install. Exceptions to this rule on desktop systems include network infrastructure services such as a DHCP client and mDNS (Avahi/ZeroConf, see ZeroConfPolicySpec for implementation details and justification). For Ubuntu in the cloud, exceptions include network infrastructure services for the cloud and OpenSSH running with client public key and port access configured by the cloud provider. When installing Ubuntu Server, the administrator can, of course, select specific services to install beyond the defaults (e.g. Apache).

Password hashing

The system password used for logging into Ubuntu is stored in /etc/shadow. Very old style password hashes were 3DES and visible in /etc/passwd. Modern Linux has long since moved to /etc/shadow, and for some time now has used salted MD5 hashes for password verification. Since MD5 is considered "broken", Ubuntu has moved to using salted SHA512 password hashes, which are several orders of magnitude more difficult to brute-force or generate rainbow tables.

Mandatory Access Control (MAC)

Mandatory Access Controls are handled via the kernel LSM hooks.

AppArmor

AppArmor is a path-based MAC. Example profiles are found in the apparmor-profiles package from universe, and by-default shipped enforcing profiles are being built up:

Source package/binary

12.04 LTS

14.04 LTS

16.04 LTS

18.04 LTS

20.04 LTS

20.10

Akonadi (mysqld)

yes

yes

yes

yes

yes

yes

Apache (apache2)

yes1

yes1

yes1

yes1

yes

yes

Bind (named)

yes

yes

yes

yes

yes

yes

ClamAV (clamd,freshclam)

yes

yes

yes

yes

yes

yes

Cups (cupsd)

yes

yes

yes

yes

yes

yes

Evince

yes

yes

yes

yes

yes

yes

Firefox (firefox-3.5/firefox)

yes1

yes1

yes1

yes1

yes

yes

gdm-guest-session

N/A

N/A

yes

yes

yes

yes

ISC Dhcpd (dhcpd3/dhcpd)

yes

yes

yes

yes

yes

yes

ISC Dhcp client (dhclient3/dhclient)

yes

yes

yes

yes

yes

yes

juju

yes2

yes2

yes2

yes2

yes

yes

Libvirt (libvirtd and kvm/qemu guests)

yes

yes

yes

yes

yes

yes

Lightdm guest session

yes

yes

yes

--

--

--

LXC

yes3

yes3

yes3

yes3

yes

yes

MAAS dhcpd (dhcpd)

yes

yes

yes

yes

--

--

MySQL (mysqld)

yes

yes

yes

yes

yes

yes

NTP (ntpd)

yes

yes

yes

--

--

--

OpenLDAP (slapd)

yes

yes

yes

yes

yes

yes

quassel-core

yes

yes

yes

yes

yes

yes

rsyslog

yes1

yes1

yes1

yes1

yes

yes

tcpdump

yes

yes

yes

yes

yes

yes

Telepathy

yes

yes

yes

--

--

--

AppStore apps (click)4

--

yes

yes

--

--

--

Cups filters (cups-browsed)

--

yes

yes

yes

yes

yes

lightdm-remote-session-freerdp

--

yes

yes

--

--

--

lightdm-remote-session-uccsconfigure

--

yes

yes

--

--

--

media-hub

--

yes

yes

--

--

--

mediascanner2

--

yes

yes

--

--

--

squid3

--

yes1

yes1

yes1

yes

yes

sssd

--

yes1

yes1

yes1

yes

yes

StrongSwan (stroke/lookip)

--

yes

yes

yes

yes

yes

Telepathy (ofono)

--

yes

yes

yes

yes

yes

AppStore apps (snappy)5

--

--

yes

yes

yes

yes

libvirt (libvirt-lxc containers)

--

--

yes

yes

yes

yes

LXD

--

--

yes

yes

yes

yes

snap-confine (aka ubuntu-core-launcher)

--

--

yes

yes

yes

yes

ubuntu-download-manager (extractor)

--

--

yes

--

--

--

webbrowser-app

--

--

yes

--

--

--

chrony

--

--

--

yes

yes

yes

ippusbxd

--

--

--

yes

yes

yes

libreoffice6

--

--

--

yes

yes

yes

man-db

--

--

--

yes

yes

yes

mozc

--

--

--

yes

yes

yes

anope

--

--

--

--

--

yes

  1. Disabled by default and be opt-in for advanced users
  2. https://juju.ubuntu.com/AppArmor

  3. Preliminary support
  4. Ubuntu Touch apps in the Ubuntu AppStore are confined with AppArmor by default. See ApplicationConfinement for details

  5. Apps in the Ubuntu AppStore are confined with AppArmor by default. See the security guide for details

  6. Mixture of enforce and complain mode profiles

SELinux

SELinux is an inode-based MAC. Targetted policies are available for Ubuntu in universe. Installing the "selinux" package will make the boot-time adjustments that are needed.

FS Capabilities

The need for setuid applications can be reduced via the application of filesystem capabilities using the xattrs available to most modern filesystems. This reduces the possible misuse of vulnerable setuid applications. The kernel provides the support, and the user-space tools are in main ("libcap2-bin").

Configurable Firewall

ufw is a frontend for iptables, and is installed by default in Ubuntu (users must explicitly enable it). Particularly well-suited for host-based firewalls, ufw provides a framework for managing a netfilter firewall, as well as a command-line interface for manipulating the firewall. ufw aims to provide an easy to use interface for people unfamiliar with firewall concepts, while at the same time simplifies complicated iptables commands to help an adminstrator who knows what he or she is doing. ufw is an upstream for other distributions and graphical frontends.

Filesystem encryption

Encrypted LVM

Users of the alternate installer can choose to install Ubuntu onto an encrypted LVM, which allows all partitions in the logical volume, including swap, to be encrypted.

eCryptfs

Encrypted Private Directories were implemented in Ubuntu 8.10 as a secure location for users to store sensitive information. The server and alternate installers had the option to setup an encrypted private directory for the first user. As of Ubuntu 9.04, support for encrypted home was added, allowing users to encrypt all files in their home directory. Encrypted Home is supported in the Alternate Installer, and available in the Desktop Installer via the preseed option user-setup/encrypt-home=true. Also, the Ubuntu 9.04 kernel carries a patchset for eCryptfs to support encrypted filenames.

Hardening

Many compile-time features are available through the default compiler flags in Ubuntu.

Stack Protector

gcc's -fstack-protector provides a randomized stack canary that protects against stack overflows, and reduces the chances of arbitrary code execution via controlling return address destinations. Enabled at compile-time. (A small number of applications do not play well with it, and have it disabled.) The routines used for stack checking are actually part of glibc, but gcc is patched to enable linking against those routines by default.

Heap Protector

The heap protector provides double-free/overflow protections to the glibc heap memory manager (first introduced in glibc 2.3.4). This stops the ability to perform arbitrary code execution via heap memory overflows that try to impact the malloc linked lists.

libc pointer encryption

Some pointers stored in glibc are obfuscated via PTR_MANGLE/PTR_UNMANGLE macros internally in glibc, preventing libc function pointers from being overwritten during runtime.

ASLR

Address Space Layout Randomisation (ASLR) is implemented by the kernel and the ELF loader by randomising the location of memory allocations (stack, heap, shared libraries, etc). This makes memory addresses harder to predict when an attacker is attempting a memory-corruption exploit.

stack ASLR

Each execution of a program results in a different stack memory space layout. This makes it harder to locate in memory where to attack or deliver an executable attack payload. This was available in the mainline kernel since 2.6.15 (Ubuntu 6.06).

mmap ASLR

Each execution of a program results in a different mmap memory space layout (which causes the dynamically loaded libraries to get loaded into different locations each time). This makes it harder to locate in memory where to jump to for "return to libc" to similar attacks. This was available in the mainline kernel since 2.6.15 (Ubuntu 6.06).

exec ASLR

Each execution of a program that has been built with "-fPIE -pie" will get loaded into a different memory location. This makes it harder to locate in memory where to attack or jump to when performing memory-corruption-based attacks. This was available in the mainline kernel since 2.6.25 (and was backported to Ubuntu 8.04).

brk ASLR

Similar to exec ASLR, brk ASLR adjusts the memory locations relative between the exec memory area and the brk memory area (for small mallocs). The randomization of brk offset from exec memory was added in 2.6.26, though some of the effects of brk ASLR can be seen in Ubuntu 8.04 since exec was ASLR, and brk is allocated immediately after the exec region (so it was technically randomized, but not randomized with respect to the text region until 8.10).

vdso ASLR

Each execution of a program results in a random vdso location. While this has existed in the mainline kernel since 2.6.18 (x86, PPC) and 2.6.22 (x86_64), it hadn't been enabled in Ubuntu 6.06 due to COMPAT_VDSO being enable, which was disabled in Ubuntu 8.04. This protects against jump-into-syscall attacks. Only x86 (maybe ppc?) is supported by glibc 2.6. glibc 2.7 (Ubuntu 8.04) supports x86_64 ASLR vdso. People needing ancient pre-libc6 static high vdso mappings can use "vdso=2" on the kernel boot command line to gain COMPAT_VDSO again.

PIE

All programs built as Position Independent Executables (PIE) with "-fPIE -pie" can take advantage of the exec ASLR. This protects against "return-to-text" and generally frustrates memory corruption attacks. This requires centralized changes to the compiler options when building the entire archive. PIE has a large (5-10%) performance penalty on architectures with small numbers of general registers (e.g. x86), so it should only be used for a select number of security-critical packages (some upstreams natively support building with PIE, other require the use of "hardening-wrapper" to force on the correct compiler and linker flags). PIE on x86_64 does not have the same penalties, and will eventually be made the default, but more testing is required.

Source package

8.04 LTS

9.04

9.10

10.04 LTS

10.10

11.04

11.10

openssh (native)

yes

yes

yes

yes

yes

yes

yes

apache2

--

yes

yes

yes

yes

yes

yes

bind9

--

yes

yes

yes

yes

yes

yes

openldap

--

yes

yes

yes

yes

yes

yes

postfix

--

yes

yes

yes

yes

yes

yes

cups

--

yes

yes

yes

yes

yes

yes

postgresql-8.3

--

yes

yes

yes

yes

yes

yes

samba (native)

--

yes

yes

yes

yes

yes

yes

dovecot

--

yes

yes

yes

yes

yes

yes

dhcp3

--

yes

yes

yes

yes

yes

yes

ntp

--

--

yes

yes

yes

yes

yes

amavisd-new

--

--

yes

yes

yes

yes

yes

squid

--

--

yes

yes

yes

yes

yes

cyrus-sasl2

--

--

yes

yes

yes

yes

yes

exim4

--

--

yes

yes

yes

yes

yes

nagios3

--

--

yes

yes

yes

yes

yes

nagios-plugins

--

--

yes

yes

yes

yes

yes

xinetd

--

--

yes

yes

yes

yes

yes

ipsec-tools

--

--

yes

yes

yes

yes

yes

mysql-dfsg-5.1

--

--

yes

yes

yes

yes

yes

evince

--

--

--

yes

yes

yes

yes

firefox

--

--

--

yes

yes

yes

yes

gnome-control-center

--

--

--

--

--

yes

yes

tiff

--

--

--

--

--

yes

yes

totem

--

--

--

--

--

yes

yes

qemu-kvm

--

--

--

--

--

--

yes

pidgin

--

--

--

--

--

--

yes

Fortify Source

Programs built with "-D_FORTIFY_SOURCE=2" (and -O2 or higher), enable several compile-time and run-time protections in glibc:

  • expand unbounded calls to "sprintf", "strcpy" into their "n" length-limited cousins when the size of a destination buffer is known (protects against memory overflows)
  • stop format string "%n" attacks when the format string is in a writeable memory segment
  • require checking various important function return codes and arguments (e.g. system, write, open).
  • require explicit file mask when creating new files.

RELRO

Hardens ELF programs against loader memory area overwrites by having the loader mark any areas of the relocation table as read-only for any symbols resolved at load-time. This reduces the area of possible GOT-overwrite-style memory corruption attacks.

BIND_NOW

Marks ELF programs to resolve all dynamic symbols at start-up (instead of on-demand) so that the GOT can be made entirely read-only (when combined with relro above).

Non-Exec Memory

Most modern CPUs protect against executing non-executable memory regions (heap, stack, etc), but requires that the kernel use "PAE" addressing. This is known either as Non-eXecute (NX) or eXecute-Disable (XD). This is the default for 64bit and on the ia32 -server and -generic-pae kernels. This protection reduces the areas an attacker can use to perform arbitrary code execution. The protection is partially emulated on ia32 without PAE starting in Ubuntu 9.10. After booting, you can see what NX protection is in effect:

  • Hardware-based (via PAE mode):

    [    0.000000] NX (Execute Disable) protection: active
  • Partial Emulation (via segment limits):

    [    0.000000] Using x86 segment limits to approximate NX protection

If neither are seen, you do not have any NX protections enabled (check your BIOS settings and CPU capabilities).

/proc/$pid/maps protection

With ASLR, a process's memory space layout suddenly becomes valuable to attackers. The "maps" file is made read-only except to the process itself or the owner of the process. Went into mainline kernel with sysctl toggle in 2.6.22. The toggle was made non-optional in 2.6.27, forcing the privacy to be enabled regardless of sysctl settings (this is a good thing).

0-address protection

Since the kernel and userspace share virtual memory addresses, the "NULL" memory space needs to be protected so that userspace mmap'd memory cannot start at address 0, stopping "NULL dereference" kernel attacks. This is possible with 2.6.22 kernels, and was implemented with the "mmap_min_addr" sysctl setting. Since Ubuntu 9.04, the mmap_min_addr setting is built into the kernel. (64k for x86, 32k for ARM.)

/dev/mem protection

Some applications (Xorg) need direct access to the physical memory from user-space. The special file /dev/mem exists to provide this access. In the past, it was possible to view and change kernel memory from this file if an attacker had root access. The CONFIG_STRICT_DEVMEM kernel option was introduced to block non-device memory access (originally named CONFIG_NONPROMISC_DEVMEM).

/dev/kmem disabled

There is no modern user of /dev/kmem any more beyond attackers using it to load kernel rootkits. CONFIG_DEVKMEM is set to "n".

Block module loading

In Ubuntu 8.04 and earlier, it was possible to remove CAP_SYS_MODULES from the system-wide capability bounding set, which would stop any new kernel modules from being loaded. This was another layer of protection to stop kernel rootkits from being installed. The 2.6.25 Linux kernel (Ubuntu 8.10) changed how bounding sets worked, and this functionality disappeared. Starting with Ubuntu 9.10, it is now possible to block module loading again by setting "1" in /proc/sys/kernel/modules_disabled.

CONFIG_DEBUG_RODATA

This kernel setting makes sure that certain kernel data sections are not marked to allow modification. This helps protect against some classes of kernel rootkits.

CONFIG_CC_STACKPROTECTOR

Similar to the stack protector used for ELF programs in userspace, the kernel can protect its internal stacks as well.

SYN cookies

When a system is overwhelmed by new network connections, SYN cookie use is activated, which helps mitigate a SYN-flood attack.

PR_SET_SECCOMP

Setting SECCOMP for a process is meant to confine it to a small subsystem of system calls, used for specialized processing-only programs.

Additional Documentation

Security/Features (last edited 2024-10-22 08:49:04 by jjohansen)