About Ubuntu security

Kees Cook kees at ubuntu.com
Mon Jul 30 23:56:07 UTC 2007


On Mon, Jul 30, 2007 at 09:01:36AM -0700, Ng, Cheon-woei wrote:
> It is my understanding that user space buffer overflow exploits (like
> SUID, return-to-libc, etc) are basically impossible under Feisty Fawn or
> Gutsy because of implementation of security measures like Address Space
> Layout Randomization, Stack Guard, and AppArmor (in Gutsy).  
> 
> Questions:
> 1. Is my assumption correct?

For the most part, yes.  I like saying "nearly" impossible instead of
"basically".  Overflow protections can't protect against arbitrary
memory-writing bugs, but the ASLR helps make this much harder too.

> 2. Are there any other security measures that I did not mention and I
> should know of?

One bit that didn't get much hype was the heap link-checking was added via
glibc 2.5 in Feisty.

> 3. Is there a link repository where I could find all details of the
> security features included in Feisty Fawn or Gutsy?  For example, I am
> looking for a dedicated place in Ubuntu.com where I could find answers
> for questions like these:

There isn't, but writing such a document is near the top of my TODO
list.

> 	a. Is the Address Space Layout Randomization based on PaX?  

AFAIK, the ASLR in mainline kernels is based on the work done in RHEL.
If that was based on PaX, I'm not certain.

> 	b. When was this security measure included in Ubuntu?  

Stack ASLR happened in Dapper, library (mmap) ASLR happened in Edgy.
ASLR of text was going to happen for Feisty, but was pulled from mainline
kernels at the last minute.  I'm working on getting it back in.

> 	c. How many bits are randomized? 

IIRC, 20 bits.

> 	d. Is function table randomized? 

Do you mean libc function tables?  I don't think this will be in Gutsy,
as it was only very recently introduced in mainline glibc.

> 	e. Is Stack Guard part of all applications included in Feisty
> Fawn? 

All packages built during and since the Edgy cycle would have been
compiled with stack protection.  I'm intending to go through and make
sure any needing it are rebuilt for sure.

-Kees

-- 
Kees Cook
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-server/attachments/20070730/20d5ca7a/attachment.pgp>


More information about the ubuntu-server mailing list