Announcing security hardened kernels for testing
martin.pitt at canonical.com
Tue Jan 4 09:16:55 CST 2005
Hello to all security addicts out there!
At the Mataro conference we discussed about various proactive security
enhancements for Ubuntu . Amongst other things we agreed to provide
a security enhanced kernel that integrates PaX . By separating
writeable and executable memory, PaX prevents the exploitation of a
whole class of common security vulnerabilities, the buffer overflows.
On a normal kernel, buffer overflows can very often be exploited to
run arbitrary attacker supplied code, which can be used to compromise
the user account, or even the whole system (if the buffer overflow
occurs in a privileged process). On a PaX kernel, any attempt to
execute such code immediately causes the process to be killed; this
reduces the potential impact of a buffer overflow from system
compromise to denial of service.
During the last days I played around with this. I ported the current
beta release of Grsecurity  to the Ubuntu kernel and created a
source package which builds kernels for various architectures.
Grsecurity includes PaX, and also comes along with a role based
mandatory access control system and various other improvements (chroot
jail hardening, protection against symlink tmpfile attacks, /proc
restrictions, randomized PIDs, randomized TCP ports, etc.) which
improve the proactive system security.
Right now I built kernels for i386 (a generic 386 package and an
optimized K7 one) and powerpc. These are the platforms I can test at
home, but I will build kernels for other flavors (like 686, SMP and
Power4) and architectures soon, too.
You can download the debs from . Alternatively you can add an apt
source to install and upgrade them easily:
deb http://people.ubuntu.com/~pitti/linux-hardened/ /
deb-src http://people.ubuntu.com/~pitti/linux-hardened/ /
linux-image-2.6.10-hardened-1-386 (generic i386)
linux-image-2.6.10-hardened-1-k7 (optimized for Athlon/Duron)
linux-image-2.6.10-hardened-1-powerpc (generic PowerPC)
(Note: I did not call the package -grsecurity because in the future we
want to include additional improvements.)
- The XFS file system does not work with these kernels at the moment,
so do not install them if you rely on XFS. I try to sort that out
- Some programs (most notably X.org and OpenOffice.org) still rely on
executing writeable memory, so the PaX protection has to be
disabled for them. You have to install the "chpax" package and
execute the following commands before everything will work:
sudo chpax -s /usr/X11R6/bin/Xorg
sudo chpax -p /usr/X11R6/bin/Xorg
sudo chpax -s /usr/lib/openoffice/program/soffice.bin
sudo chpax -p /usr/lib/openoffice/program/soffice.bin
This will set flags in the ELF headers, so you have to repeat these
commands after every X.org/OO.o package upgrade for now. These
flags do not interfere with anything, so you can safely set them
and use the programs on a normal kernel. In the near future I will
try to make this happen automatically.
- Framebuffer text console does not work on my i386 (it works fine on
my iBook, though). So if you don't see any output, please boot with
the normal VGA mode (remove the vga= kernel parameter). I
appreciate feedback on this!
You can install the "paxtest" package to check your kernel. It will
try to execute various buffer overflow exploits and report whether
they are successful.
I welcome feedback and suggestions about this!
Have a safe day,
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: Digital signature
Url : http://lists.ubuntu.com/archives/ubuntu-devel/attachments/20050104/64d73d8a/attachment.pgp
More information about the ubuntu-devel