About Ubuntu security

Ng, Cheon-woei cheon-woei.ng at intel.com
Tue Jul 31 00:15:34 UTC 2007


Hi Kees,

Thanks for the excellent answers!

I also have a question on the kernel memory space security.  

Based on an experiment created by Mark Allyn (my colleague), if a device
driver (like an audio driver) is poorly written without a boundary check, a
user could exploit that security hole and can easily read or write to
anywhere in the kernel memory space via an interface like /dev/audio.

Are there any security features in Ubuntu that prevent such an exploit? So
far the only solution mentioned is to submit all device drivers for
rigorous peer review.

Thanks again.

Sincerely,
Woei

-----Original Message-----
From: Kees Cook [mailto:kees at ubuntu.com] 
Sent: Monday, July 30, 2007 4:56 PM
To: Ng, Cheon-woei
Cc: ubuntu-server at lists.ubuntu.com
Subject: Re: About Ubuntu security

On Mon, Jul 30, 2007 at 09:01:36AM -0700, Ng, Cheon-woei wrote:
> It is my understanding that user space buffer overflow exploits (like
> SUID, return-to-libc, etc) are basically impossible under Feisty Fawn or
> Gutsy because of implementation of security measures like Address Space
> Layout Randomization, Stack Guard, and AppArmor (in Gutsy).
> 
> Questions:
> 1. Is my assumption correct?

For the most part, yes.  I like saying "nearly" impossible instead of
"basically".  Overflow protections can't protect against arbitrary
memory-writing bugs, but the ASLR helps make this much harder too.

> 2. Are there any other security measures that I did not mention and I
> should know of?

One bit that didn't get much hype was the heap link-checking that was added
via glibc 2.5 in Feisty.

> 3. Is there a link repository where I could find all details of the
> security features included in Feisty Fawn or Gutsy?  For example, I am
> looking for a dedicated place in Ubuntu.com where I could find answers
> for questions like these:

There isn't, but writing such a document is near the top of my TODO list.

> 	a. Is the Address Space Layout Randomization based on PaX?  

AFAIK, the ASLR in mainline kernels is based on the work done in RHEL.
If that was based on PaX, I'm not certain.

> 	b. When was this security measure included in Ubuntu?  

Stack ASLR happened in Dapper, library (mmap) ASLR happened in Edgy.
ASLR of text was going to happen for Feisty, but was pulled from mainline
kernels at the last minute.  I'm working on getting it back in.

> 	c. How many bits are randomized? 

IIRC, 20 bits.

> 	d. Is function table randomized? 

Do you mean libc function tables?  I don't think this will be in Gutsy,
as it was only very recently introduced in mainline glibc.

> 	e. Is Stack Guard part of all applications included in Feisty
> Fawn? 

All packages built during and since the Edgy cycle would have been
compiled with stack protection.  I'm intending to go through and make
sure any needing it are rebuilt for sure.

-Kees

-- 
Kees Cook
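Added example, not part of the thread: a user-space model in C of the driver read/write path Woei describes, with the unchecked handler shown only for contrast beside a checked one. The names (struct audio_dev, dev_read, dev_write, window_ok) and the 64-byte buffer are constructed for illustration.

```c
/* Model of a character-device read/write path. Names are hypothetical;
 * the device buffer is a constructed stand-in for driver-private memory. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>

struct audio_dev {
    unsigned char buf[64];  /* device-private memory (constructed) */
};

/* What the message warns about: the caller's offset and length go
 * straight into the copy, so any offset reaches memory outside buf.
 * Shown for contrast only; never call it with untrusted values. */
long dev_read_unchecked(const struct audio_dev *d, size_t off, size_t len,
                        unsigned char *user_out)
{
    memcpy(user_out, d->buf + off, len);
    return (long)len;
}

/* Bound the window [off, off+len) against size without overflow.
 * "off + len > size" is the wrong test: off + len can wrap around, so
 * check the two halves separately. */
static int window_ok(size_t off, size_t len, size_t size)
{
    return off <= size && len <= size - off;
}

/* Checked read: returns bytes copied, or -EINVAL for any request that
 * does not lie entirely inside the device buffer. */
long dev_read(const struct audio_dev *d, size_t off, size_t len,
              unsigned char *user_out)
{
    if (!window_ok(off, len, sizeof d->buf))
        return -EINVAL;
    memcpy(user_out, d->buf + off, len);
    return (long)len;
}

/* Checked write: the same bound applies to the caller's destination. */
long dev_write(struct audio_dev *d, size_t off, size_t len,
               const unsigned char *user_in)
{
    if (!window_ok(off, len, sizeof d->buf))
        return -EINVAL;
    memcpy(d->buf + off, user_in, len);
    return (long)len;
}
```

The same check is what a driver's read/write/ioctl handlers must apply to every offset and length that arrives from user space before touching kernel memory.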