Proactive Security Roadmap
Status
Created: 2005-04-24T00:17:26Z by MattZimmerman
Priority: LowPriority
People: MartinPittLead, AndrewMitchellSecond, ColinCharlesQueue
Contributors: MattZimmerman
Interested: MartinPitt, MatthiasKlose, BrandonHale, AndrewMitchell
Status: DraftSpecification, BreezyGoal, UduBof, DistroSpecification
Branch:
Malone Bug:
Packages:
Depends:
UduSessions: 2(0)
Introduction
Establish a strategy for implementing proactive security features in Ubuntu.
Rationale
We want to reduce the risk of security holes in Ubuntu systems by reducing the number of potential attack vectors and find general solutions for preventing common classes of vulnerabilities. This helps to reduce the number of security updates we have to do after a release, and confines the impact of actual vulnerabilities to a minimum.
Scope and Use Cases
- Privilege reduction
  - Run cron as non-root?
  - Run dhclient3 as non-root?
  - Run dhcpd3 as non-root?
  - Change unix_chkpwd from suid root to sgid shadow (see [http://bugs.debian.org/155583 #155583])
- Compile-time stack protection?
- Non-executable stack for i386?
  - Some info already compiled at http://ubuntu.com/wiki/UbuntuHardened
- MAC (SELinux, grsecurity, etc.) -> [/SELinux Separate BoF]
- Find ways to prevent exploitation of common classes of vulnerabilities.
Implementation Plan
Data Preservation and Migration
Does not apply here.
Packages Affected
Kernel:
- Port the OpenWall patch that prevents exploitation of unsafe temporary file creation (it restricts following symlinks and hardlinks in sticky world-writable directories such as /tmp); it is really trivial. Add a proc file so that it can be enabled/disabled at runtime.
- Provide a grsecurity kernel in universe, if a community member is interested in taking care of it; [http://people.ubuntu.com/~pitti/arch/martin.pitt@canonical.com--2005/linux-hardened--devel--2.6.10/ packaging] is available.
- Extract and port some of grsecurity's /proc restrictions which can be enabled/disabled at runtime:
  - Users can only see their own processes; this keeps them from e.g. reading confidential command line arguments of other users' processes, which is still a very common mistake.
  - Hide memory addresses in /proc/<pid>/maps; without library and heap addresses it is much harder to turn a heap overflow into a reliable exploit.
- Extract and port randomisation patches from grsecurity:
  - PID: prevent the prediction of PIDs for child processes, to make race conditions harder to exploit and to avoid information leaks.
  - TCP sequence numbers: make it harder to hijack TCP connections.
  - TCP source ports: drastically increase the average time needed for TCP reset attacks.
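The first /proc restriction above matters because every user can read every other process's argv through /proc/<pid>/cmdline. The following audit tool is added here as an illustration and is not part of the page or of Ubuntu's packaging: it walks /proc and reports processes whose command line exposes a password or token. The option names it recognises are a heuristic chosen for this example, and the sample command lines in the comments are constructed. Run it as an ordinary user on a box without such a restriction and it shows exactly what any other user can see.

```c
/* Added example: report processes whose command line exposes a secret, the
 * leak that restricting /proc to "own processes only" is meant to contain.
 * Illustrative code; the option list is a heuristic chosen for this example. */
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Options whose value (attached, or given as the next argument) is a secret.
 * "-p" follows the mysql/mysqldump convention of an attached password. */
static const char *const secret_opts[] = {
    "--password", "--passwd", "--token", "--api-key", "-p", NULL
};

/* Length of s up to the first NUL, but never more than max bytes. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Case-insensitive search for needle within the first n bytes of s. */
static int ci_contains(const char *s, size_t n, const char *needle) {
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= n; i++) {
        size_t j = 0;
        while (j < nl && tolower((unsigned char)s[i + j]) == tolower((unsigned char)needle[j])) j++;
        if (j == nl) return 1;
    }
    return 0;
}

static void copy_arg(char *dst, size_t dstsz, const char *arg, size_t n) {
    if (n >= dstsz) n = dstsz - 1;
    memcpy(dst, arg, n);
    dst[n] = '\0';
}

/* buf holds argv exactly as /proc/<pid>/cmdline presents it: each argument
 * followed by a NUL byte (e.g. "mysql\0-uroot\0-ps3cr3t\0", constructed).
 * Returns 1 and copies the offending argument into found when a secret is
 * exposed, 0 otherwise. */
int cmdline_leaks_secret(const char *buf, size_t len, char *found, size_t foundsz) {
    int expect_value = 0;
    size_t i = 0;
    while (i < len) {
        const char *arg = buf + i;
        size_t n = bounded_len(arg, len - i);
        if (expect_value && n > 0) {            /* value of a "--password <v>" option */
            copy_arg(found, foundsz, arg, n);
            return 1;
        }
        expect_value = 0;
        for (const char *const *o = secret_opts; *o; o++) {
            size_t ol = strlen(*o);
            if (n < ol || strncmp(arg, *o, ol) != 0) continue;
            if (n == ol) { expect_value = 1; break; }        /* --password <v> */
            if (arg[ol] == '=' || strcmp(*o, "-p") == 0) {   /* --password=v, -pv */
                copy_arg(found, foundsz, arg, n);
                return 1;
            }
        }
        const char *eq = memchr(arg, '=', n);                 /* KEY=value with a telling key */
        if (eq && (size_t)(eq - arg) + 1 < n &&
            (ci_contains(arg, (size_t)(eq - arg), "pass") ||
             ci_contains(arg, (size_t)(eq - arg), "secret"))) {
            copy_arg(found, foundsz, arg, n);
            return 1;
        }
        i += n + 1;
    }
    return 0;
}

/* Walk /proc and print every process whose command line leaks a secret.
 * Returns the number found, or -1 when /proc cannot be read at all. */
int scan_proc(void) {
    DIR *d = opendir("/proc");
    if (!d) return -1;
    int hits = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strspn(e->d_name, "0123456789") != strlen(e->d_name)) continue;
        char path[64], buf[4096], found[256];
        snprintf(path, sizeof path, "/proc/%s/cmdline", e->d_name);
        FILE *f = fopen(path, "rb");
        if (!f) continue;                        /* process gone or unreadable */
        size_t len = fread(buf, 1, sizeof buf, f);
        fclose(f);
        if (cmdline_leaks_secret(buf, len, found, sizeof found)) {
            printf("pid %s exposes: %s\n", e->d_name, found);
            hits++;
        }
    }
    closedir(d);
    return hits;
}

int main(void) {
    int n = scan_proc();
    if (n < 0) { perror("/proc"); return 1; }
    printf("%d process(es) expose secrets on their command line\n", n);
    return 0;
}
```

The fix on the application side is to pass secrets through a file or the environment rather than argv; the fix on the kernel side is the restriction above, which is what makes the tool report nothing when run as an unprivileged user.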
prelink:
- Prelinked applications leave a huge /var/log/prelink.log which contains memory addresses, undoing the effort of hiding them elsewhere; patch prelink not to dump addresses.
gcc:
- If a community member is interested, we can provide SSP/FORTIFY_SOURCE/etc. gcc packages in universe, but we will not put them into main or use them as the default as long as upstream does not adopt a solution.
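To make concrete what the SSP and FORTIFY_SOURCE discussion (here and under Outstanding Issues below) is about, here is the bug class they target beside its source-level fix. This is an added illustration, not code from the page or from any Ubuntu package; the struct layout and names are made up for the example.

```c
/* Added example: the bug class that compile-time stack protection targets,
 * with the source-level fix beside it. Illustrative code, not from the page. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct session {
    char user[16];
    int  is_admin;      /* sits right after the buffer in memory */
};

/* Vulnerable: a name of 16 bytes or more runs past user[] into is_admin and,
 * when the struct lives on the caller's stack, on towards saved registers and
 * the return address. -fstack-protector places a canary that is checked on
 * return, so the overwrite ends in an abort instead of a hijacked jump;
 * -O2 -D_FORTIFY_SOURCE=2 goes further and replaces this strcpy with a
 * size-checked variant, because sizeof s->user is known at compile time. */
void set_user_unsafe(struct session *s, const char *name) {
    strcpy(s->user, name);
}

/* Fixed at the source: bound the copy by the destination size and refuse
 * over-long input rather than silently truncating it (truncation would let
 * two different names collide into one account). */
int set_user_safe(struct session *s, const char *name) {
    size_t n = strlen(name);
    if (n >= sizeof s->user) return -1;
    memcpy(s->user, name, n + 1);
    return 0;
}

/* Where the compiler cannot help: the destination size is only known at run
 * time, so neither stack protection nor FORTIFY_SOURCE inserts a check and
 * the bound must be written by hand. Returns bytes written, or -1. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz) return -1;
    memcpy(dst, src, n + 1);
    return (int)n;
}

int main(void) {
    struct session s = { "", 0 };
    printf("short name: %d\n", set_user_safe(&s, "alice"));           /* 0 */
    printf("16-byte name: %d\n", set_user_safe(&s, "0123456789abcdef")); /* -1 */
    printf("is_admin still %d, user still %s\n", s.is_admin, s.user);
    return 0;
}
```

Two practical caveats: GCC's plain -fstack-protector only instruments functions with character arrays of at least 8 bytes (the ssp-buffer-size parameter), so smaller buffers need -fstack-protector-all, and FORTIFY_SOURCE only rewrites calls where the destination size is a compile-time constant, which is why copy_bounded above must check itself.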
dhcp3-client:
- Currently dhclient runs as root, which is much more than necessary.
- Privilege requirements: normal user with CAP_NET_RAW and CAP_NET_BIND_SERVICE; needs a suid wrapper to call /etc/dhcp3/dhclient-script.
- dhclient-script must be security reviewed (proper quoting, etc.), since the wrapper runs it as root with values that come from the DHCP server's lease.
- MartinPitt has a prototypical package, will upload it into Breezy soon.
dhcp3-server:
- Currently dhcpd runs as root, which is much more than necessary.
- Privilege requirements: normal user with CAP_NET_RAW and CAP_NET_BIND_SERVICE for the initialisation phase; these can be dropped after socket creation.
- MartinPitt has a prototypical package, will upload it into Breezy soon.
inetd:
- This package is currently installed by default as part of the base system; since it is a daemon running as root but is not used much any more, it is desirable to move it out to Supported.
- MartinPitt compiled a list of all packages in main which use inetd on the InetdUsage page.
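The two dhcp3 items describe one pattern: start as root, switch to an unprivileged user while keeping only CAP_NET_RAW and CAP_NET_BIND_SERVICE, and shed even those once the sockets exist. The program below is added here to show that sequence; it is not Martin Pitt's prototype package or any dhcp3 code. It issues capset(2) directly so it needs no libcap, and the uid 65534 (nobody), the raw UDP socket standing in for the DHCP socket, and the Linux capability numbers are assumptions of the demo.

```c
/* Added example: drop root to an unprivileged uid while retaining only the
 * capabilities a DHCP daemon needs during initialisation, then drop those
 * too once its sockets exist. Illustrative, not Ubuntu's dhcp3 packaging. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#include <sys/syscall.h>
#endif

/* Capability numbers from the Linux ABI (stable; see capabilities(7)). */
#define CAP_NET_BIND_SERVICE 10
#define CAP_NET_RAW          13

enum phase { PHASE_INIT, PHASE_RUN };

/* Bit for one capability number (only the first 32 are needed here). */
static uint32_t cap_bit(int cap) { return 1u << cap; }

/* What each phase legitimately needs: raw sockets and a privileged port
 * (67/68) while setting up, nothing at all afterwards. */
uint32_t caps_for_phase(enum phase p) {
    return p == PHASE_INIT ? (cap_bit(CAP_NET_RAW) | cap_bit(CAP_NET_BIND_SERVICE)) : 0;
}

/* Minimal capset(2) wrapper using the v3 ABI layout; no libcap required.
 * Sets permitted = effective = mask, inheritable = 0. Returns 0 or errno. */
static int set_caps(uint32_t mask) {
#ifdef __linux__
    struct { uint32_t version; int pid; } hdr = { 0x20080522u, 0 };
    struct { uint32_t eff, perm, inh; } data[2] = { { mask, mask, 0 }, { 0, 0, 0 } };
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : errno;
#else
    (void)mask;
    return ENOSYS;
#endif
}

/* Leave root for uid/gid, keeping only `keep` in the permitted and effective
 * sets. PR_SET_KEEPCAPS stops the kernel from clearing the permitted set on
 * the uid change; the effective set is cleared anyway, so capset re-raises it. */
int drop_to_user_keeping(uid_t uid, gid_t gid, uint32_t keep) {
#ifdef __linux__
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return errno;
#endif
    if (setgroups(0, NULL) != 0) return errno;          /* no leftover root groups */
    if (setgid(gid) != 0 || setuid(uid) != 0) return errno;
    if (setuid(0) == 0) return EPERM;                   /* sanity: root must be gone */
    return set_caps(keep);
}

/* Second phase: sockets exist, nothing privileged is needed any more. */
int drop_all_caps(void) { return set_caps(caps_for_phase(PHASE_RUN)); }

int main(void) {
    if (geteuid() != 0) { fprintf(stderr, "run as root to see the transition\n"); return 1; }
    int rc = drop_to_user_keeping(65534, 65534, caps_for_phase(PHASE_INIT));
    if (rc) { fprintf(stderr, "drop failed: %s\n", strerror(rc)); return 1; }
    int s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);     /* needs CAP_NET_RAW: still works */
    printf("raw socket as uid %d: %s\n", (int)getuid(), s >= 0 ? "ok" : strerror(errno));
    rc = drop_all_caps();
    if (rc) { fprintf(stderr, "capset failed: %s\n", strerror(rc)); return 1; }
    int t = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);     /* now refused with EPERM */
    printf("raw socket after dropping caps: %s\n", t >= 0 ? "ok (unexpected)" : strerror(errno));
    return 0;
}
```

The check worth keeping in any such daemon is the setuid(0) probe: if it succeeds, the uid change did not stick (saved uid still 0) and the process must abort rather than continue with a false sense of being unprivileged. The dhclient case is harder than dhcpd because dhclient-script still needs root, which is why the spec calls for a separate suid wrapper rather than keeping the capabilities around.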
Outstanding Issues
Desirable for the future:
- Exponentially delay the respawning of repeatedly crashing applications, to slow down brute force attacks that crash a service over and over until they find the correct offset of memory locations for a buffer overflow attack.
- Evaluate chroot hardening patches.
- Memory protection: Jamie will research whether there are things exploitable in exec-shield which aren't in PaX.
- Compile-time stack protection:
  - mudflap comes with gcc 4.0, but does not help in any way to improve proactive security.
  - [http://www.research.ibm.com/trl/projects/security/ssp/ SSP] currently offers the [http://www.ida.liu.se/~johwi/research_publications/paper_ndss2003_john_wilander.pdf most effective protection], but does not (currently) work with 4.0 and is unlikely to be accepted upstream.
  - There is another project called FORTIFY_SOURCE which has a better chance of eventually being accepted upstream.
  - We will not support any solution that is not at least considered upstream.
- Reduce the privileges of cron.
  - MartinPitt: Parsing the crontabs as a normal user and introducing a minimal setuid wrapper for actually executing the commands as the target user will not help to improve security; the remaining stuff (timer and signal handling) does not accept user input and thus is not very error prone. I do not really have a good idea about this. (Note: atd also runs with root privileges, it just hides them pretty well; I do not have an idea how to deroot this either, it's the same problem.)
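The first item above is a direct counter to brute-forcing randomised addresses: each wrong guess crashes the service, and a supervisor that respawns it instantly hands the attacker unlimited attempts. The supervisor below is added here as an illustration and is not inetd's or init's actual restart logic; the 10-second crash window, the 1-second base delay and the 300-second cap are assumptions chosen for the example.

```c
/* Added example: restart a crashing service with an exponentially growing
 * delay, so that each crash (each wrong guess at a randomised address)
 * costs the attacker more time. Illustrative supervisor, not init's own. */
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Delay in seconds before the n-th consecutive restart: base, 2*base,
 * 4*base, ... capped at `cap` so the service still comes back eventually. */
unsigned respawn_delay(unsigned consecutive_crashes, unsigned base, unsigned cap) {
    if (consecutive_crashes == 0) return 0;
    unsigned shift = consecutive_crashes - 1;
    if (shift > 31) return cap;                           /* avoid shifting out of range */
    unsigned long long d = (unsigned long long)base << shift;
    return d > cap ? cap : (unsigned)d;
}

/* Seconds an attacker must wait in total to get `guesses` crash-and-retry
 * rounds; with 2^16 candidate addresses and the parameters used in main()
 * that is about 227 days instead of a few minutes. */
unsigned long total_delay(unsigned guesses, unsigned base, unsigned cap) {
    unsigned long sum = 0;
    for (unsigned i = 1; i <= guesses; i++) sum += respawn_delay(i, base, cap);
    return sum;
}

/* A crash within `window` seconds of the last start counts as consecutive;
 * a child that survived longer resets the streak (probably a one-off). */
unsigned next_crash_count(unsigned count, time_t started, time_t now, time_t window) {
    return (now - started <= window) ? count + 1 : 1;
}

/* Run argv under supervision. A clean exit ends supervision and returns the
 * exit status; a death by signal is restarted after the growing delay, up to
 * max_crashes consecutive crashes. Returns -1 on giving up or on error. */
int supervise(char *const argv[], unsigned max_crashes) {
    unsigned crashes = 0;
    for (;;) {
        time_t started = time(NULL);
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) { execvp(argv[0], argv); _exit(127); }
        int status;
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status)) return WEXITSTATUS(status);
        crashes = next_crash_count(crashes, started, time(NULL), 10);
        if (crashes > max_crashes) {
            fprintf(stderr, "%s: %u consecutive crashes, giving up\n", argv[0], crashes);
            return -1;
        }
        unsigned d = respawn_delay(crashes, 1, 300);
        fprintf(stderr, "%s: killed by signal %d, restart #%u in %us\n",
                argv[0], WTERMSIG(status), crashes, d);
        sleep(d);
    }
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s command [args...]\n", argv[0]); return 2; }
    return supervise(argv + 1, 20);
}
```

Two design points: the delay keys on deaths by signal, not on non-zero exit codes, because a configuration error should not be treated like an exploit attempt; and the cap keeps the policy from becoming a denial of service in its own right, since an attacker who can crash the daemon at will could otherwise lock it out indefinitely.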
UDU BOF Agenda
UDU Pre-Work
UbuntuDownUnder/BOFs/ProactiveSecurityRoadmap (last edited 2008-08-06 16:18:54 by localhost)