Announcing security hardened kernels for testing

Martin Pitt martin.pitt at canonical.com
Tue Jan 4 09:16:55 CST 2005 

Hello to all security addicts out there!

At the Mataro conference we discussed about various proactive security
enhancements for Ubuntu [1]. Amongst other things we agreed to provide
a security enhanced kernel that integrates PaX [2]. By separating
writeable and executable memory, PaX prevents the exploitation of a
whole class of common security vulnerabilities, the buffer overflows.

On a normal kernel, buffer overflows can very often be exploited to
run arbitrary attacker supplied code, which can be used to compromise
the user account, or even the whole system (if the buffer overflow
occurs in a privileged process). On a PaX kernel, any attempt to
execute such code immediately causes the process to be killed; this
reduces the potential impact of a buffer overflow from system
compromise to denial of service.

During the last days I played around with this. I ported the current
beta release of Grsecurity [3] to the Ubuntu kernel and created a
source package which builds kernels for various architectures.
Grsecurity includes PaX, and also comes along with a role based
mandatory access control system and various other improvements (chroot
jail hardening, protection against symlink tmpfile attacks, /proc
restrictions, randomized PIDs, randomized TCP ports, etc.) which
improve the proactive system security.

Right now I built kernels for i386 (a generic 386 package and an
optimized K7 one) and powerpc. These are the platforms I can test at
home, but I will build kernels for other flavors (like 686, SMP and
Power4) and architectures soon, too.

You can download the debs from [4]. Alternatively you can add an apt
source to install and upgrade them easily:

  deb     http://people.ubuntu.com/~pitti/linux-hardened/  /
  deb-src http://people.ubuntu.com/~pitti/linux-hardened/  /

Current packages:
  linux-image-2.6.10-hardened-1-386 (generic i386)
  linux-image-2.6.10-hardened-1-k7 (optimized for Athlon/Duron)
  linux-image-2.6.10-hardened-1-powerpc (generic PowerPC)

(Note: I did not call the package -grsecurity because in the future we
want to include additional improvements.)

Caveats:

 - The XFS file system does not work with these kernels at the moment,
   so do not install them if you rely on XFS. I try to sort that out
   soon.

 - Some programs (most notably X.org and OpenOffice.org) still rely on
   executing writeable memory, so the PaX protection has to be
   disabled for them. You have to install the "chpax" package and
   execute the following commands before everything will work:

   sudo chpax -s /usr/X11R6/bin/Xorg
   sudo chpax -p /usr/X11R6/bin/Xorg
   sudo chpax -s /usr/lib/openoffice/program/soffice.bin
   sudo chpax -p /usr/lib/openoffice/program/soffice.bin

   This will set flags in the ELF headers, so you have to repeat these
   commands after every X.org/OO.o package upgrade for now. These
   flags do not interfere with anything, so you can safely set them
   and use the programs on a normal kernel. In the near future I will
   try to make this happen automatically.

 - Framebuffer text console does not work on my i386 (it works fine on
   my iBook, though). So if you don't see any output, please boot with
   the normal VGA mode (remove the vga= kernel parameter). I
   appreciate feedback on this!

Testing:

You can install the "paxtest" package to check your kernel. It will
try to execute various buffer overflow exploits and report whether
they are successful.

I welcome feedback and suggestions about this!

Have a safe day,

Martin

[1] http://www.ubuntulinux.org/wiki/SecurityBOF
[2] http://pax.grsecurity.net
[3] http://www.grsecurity.net
[4] http://people.ubuntu.com/~pitti/linux-hardened/

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.ubuntu.com/archives/ubuntu-devel/attachments/20050104/64d73d8a/attachment.pgp

More information about the ubuntu-devel mailing list