About Ubuntu security

Allyn, Mark A mark.a.allyn at intel.com
Mon Jul 30 22:17:15 UTC 2007 

Rick & Ubuntu List:

Thanks for getting back to me.

I forgot to ask one more thing; I realize that NX is not the only thing
that can be added to the kernel. There is also the ideas such as Address
Layout Randomization or any other feature of either PAX or ExecShield?
Does anyone know of plans for including these in the kernel for Ubuntu?

Thanks

Mark Allyn

-----Original Message-----
From: ubuntu-server-bounces at lists.ubuntu.com
[mailto:ubuntu-server-bounces at lists.ubuntu.com] On Behalf Of Rick Clark
Sent: Monday, July 30, 2007 2:51 PM
To: ubuntu-server at lists.ubuntu.com
Subject: RE: About Ubuntu security

Mark, 
Currently, the plan is to include AppArmor in the Gutsy release.  No
decision has been made as to any other security architecture.  

NX support for 32 bit requires the HIGHMEM64 option to be enabled in the
kernel.  Unfortunately, this makes some 32 bit processors fail to boot.
I think it is worth discussing enabling it, as most of the processors
that fail are either very old or laptop centric.

This list is an excellent place to give an opinion, though.  I
personally like PaX, especially its ability to simulate NX, on
unsupported hardware. This would allow us to get around the 32 bit
problem.


Rick 

On Mon, 2007-07-30 at 13:40 -0700, Allyn, Mark A wrote:
> Evan:
> 
> Thanks for getting back to us. 
> 
> I am curious, and I am asking the list; what are the plans for
including
> either PAX or ExecShield in the kernel? Also, what is the status of
> using the NX bit in a 32 Bit environment. 
> 
> What little I see on Google, I notice that Linux seems to have 64 Bit
> X86 working with the NX bit, but there are some issues with the 32 Bit
> X86 processors' use of the NX bit. 
> 
> Where is Ubuntu currently on using the NX bit, if if it is not being
> used currently, what are the plans?
> 
> Thanks 
> 
> Mark Allyn 
> 
> -----Original Message-----
> From: ubuntu-server-bounces at lists.ubuntu.com
> [mailto:ubuntu-server-bounces at lists.ubuntu.com] On Behalf Of Evan
> Klitzke
> Sent: Monday, July 30, 2007 9:46 AM
> To: Ng, Cheon-woei
> Cc: ubuntu-server at lists.ubuntu.com
> Subject: Re: About Ubuntu security
> 
> On 7/30/07, Ng, Cheon-woei <cheon-woei.ng at intel.com> wrote:
> > Hello,
> >
> > This is the first time I post a question.  If it is not the correct
> > place to place the questions, can you please re-direct me to the
> correct
> > place?
> >
> > It is my understanding that user space buffer overflow exploits
(like
> > SUID, return-to-libc, etc) are basically impossible under Feisty
Fawn
> or
> > Gutsy because of implementation of security measures like Address
> Space
> > Layout Randomization, Stack Guard, and AppArmor (in Gutsy).
> >
> > Questions:
> > 1. Is my assumption correct?
> > 2. Are there any other security measures that I did not mention and
I
> > should know of?
> > 3. Is there a link repository where I could find all details of the
> > security features included in Feisty Fawn or Gutsy?  For example, I
am
> > looking for a dedicated place in Ubuntu.com where I could find
answers
> > for questions like these:
> >         a. Is the Address Space Layout Randomization based on PaX?
> >         b. When was this security measure included in Ubuntu?
> >         c. How many bits are randomized?
> >         d. Is function table randomized?
> >         e. Is Stack Guard part of all applications included in
Feisty
> > Fawn?
> >
> > Thanks!
> >
> > Sincerely,
> > Cheon-Woei Ng
> 
> I'm not in any way affiliated with Ubuntu, so I can't answer your
> questions for sure, but AFAIK the only protections currently in place
> along the lines of what you mentioned are using SSP by default. This
> was implemented for Edgy. You can read more about it at this launchpad
> page: https://blueprints.launchpad.net/ubuntu/+spec/gcc-ssp . I'm not
> 100% certain, but I don't think that PaX are related technologies are
> compiled into the kernel. You can easily check exactly what is
> compiled into your kernel though by grepping through
> /boot/config-your-kernel-version.
> 
> -- 
> Evan Klitzke <evan at yelp.com>
> 
> -- 
> ubuntu-server mailing list
> ubuntu-server at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
> 
-- 
Rick Clark
Technical Lead, Ubuntu Server Team
email: rick.clark at ubuntu.com
irc: dendrobates on freenode
http://www.ubuntu.com


-- 
ubuntu-server mailing list
ubuntu-server at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server

More information about the ubuntu-server mailing list