Hi Kees,

Thanks for the excellent answers!

I also have a question on kernel memory space security. Based on an experiment created by Mark Allyn (my colleague), if a device driver (like an audio driver) is poorly written without a boundary check, a user could exploit that security hole and easily read or write anywhere in the kernel memory space via an interface like /dev/audio. Are there any security features in Ubuntu that prevent such an exploit? So far the only solution mentioned is to submit all device drivers for rigorous peer review.

Thanks again.

Sincerely,
Woei

-----Original Message-----
From: Kees Cook [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 30, 2007 4:56 PM
To: Ng, Cheon-woei
Cc: [email protected]
Subject: Re: About Ubuntu security

On Mon, Jul 30, 2007 at 09:01:36AM -0700, Ng, Cheon-woei wrote:
> It is my understanding that user space buffer overflow exploits (like
> SUID, return-to-libc, etc.) are basically impossible under Feisty Fawn or
> Gutsy because of the implementation of security measures like Address Space
> Layout Randomization, Stack Guard, and AppArmor (in Gutsy).
>
> Questions:
> 1. Is my assumption correct?

For the most part, yes. I like saying "nearly" impossible instead of "basically". Overflow protections can't protect against arbitrary memory-writing bugs, but the ASLR helps make this much harder too.

> 2. Are there any other security measures that I did not mention and I
> should know of?

One bit that didn't get much hype was the heap link-checking that was added via glibc 2.5 in Feisty.

> 3. Is there a link repository where I could find all details of the
> security features included in Feisty Fawn or Gutsy? For example, I am
> looking for a dedicated place in Ubuntu.com where I could find answers
> for questions like these:

There isn't, but writing such a document is near the top of my TODO list.

> a. Is the Address Space Layout Randomization based on PaX?

AFAIK, the ASLR in mainline kernels is based on the work done in RHEL. Whether that was based on PaX, I'm not certain.

> b. When was this security measure included in Ubuntu?

Stack ASLR happened in Dapper, library (mmap) ASLR happened in Edgy. ASLR of text was going to happen for Feisty, but was pulled from mainline kernels at the last minute. I'm working on getting it back in.

> c. How many bits are randomized?

IIRC, 20 bits.

> d. Is the function table randomized?

Do you mean libc function tables? I don't think this will be in Gutsy, as it was only very recently introduced in mainline glibc.

> e. Is Stack Guard part of all applications included in Feisty
> Fawn?

All packages built during and since the Edgy cycle would have been compiled with stack protection. I'm intending to go through and make sure any needing it are rebuilt for sure.

-Kees

--
Kees Cook

--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
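The driver bug Woei asks about at the top of the thread (a device write handler that trusts a user-supplied offset and length) can be shown in ordinary user-space C. This is an added example written for this page; it is not code from the thread, from Mark Allyn's experiment, or from any real Ubuntu driver. It models a device's backing buffer as the first 64 bytes of a small "kernel" region, with an unrelated privileged value living right after it; the names (`model_kernel`, `DEV_BUF_SIZE`, `dev_write_*`) and the layout are assumptions made for the demonstration. The unchecked handler lets a write at offset 64 clobber that value; the checked handler rejects it. It also shows why the obvious `off + len <= size` test is not enough: `off + len` can wrap for a huge `len`, so the check must compare `len` against the room that is left.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model for the example (not a real driver): the device
 * buffer is the first DEV_BUF_SIZE bytes of `mem`; the 4 bytes after it
 * stand in for unrelated kernel state that a user write must never reach. */
#define DEV_BUF_SIZE 64u

struct model_kernel {
    unsigned char mem[DEV_BUF_SIZE + sizeof(unsigned int)];
};

/* Read back the "privileged" value stored just past the device buffer. */
static unsigned int privileged_flag(const struct model_kernel *k)
{
    unsigned int v;
    memcpy(&v, k->mem + DEV_BUF_SIZE, sizeof v);
    return v;
}

/* Vulnerable write handler: user-supplied offset and length are trusted,
 * so off == DEV_BUF_SIZE lands exactly on the privileged value. */
static long dev_write_unchecked(struct model_kernel *k, size_t off,
                                const unsigned char *src, size_t len)
{
    memcpy(k->mem + off, src, len);   /* no bounds check at all */
    return (long)len;
}

/* Naive check: off + len wraps around for a huge len, so (1, SIZE_MAX)
 * is accepted even though it is wildly out of range. Returns 1 = accept. */
int naive_bounds_ok(size_t off, size_t len)
{
    return off + len <= DEV_BUF_SIZE;
}

/* Wrap-safe check: first reject offsets past the end, then compare len
 * against the space remaining (no addition that can overflow). */
int safe_bounds_ok(size_t off, size_t len)
{
    if (off >= DEV_BUF_SIZE)
        return 0;
    return len <= DEV_BUF_SIZE - off;
}

/* Hardened write handler: -1 (standing in for -EINVAL) instead of
 * touching anything outside the device buffer. */
static long dev_write_checked(struct model_kernel *k, size_t off,
                              const unsigned char *src, size_t len)
{
    if (!safe_bounds_ok(off, len))
        return -1;
    memcpy(k->mem + off, src, len);
    return (long)len;
}

/* Reads need the same check, otherwise the handler leaks whatever sits
 * after the device buffer instead of corrupting it. */
static long dev_read_checked(const struct model_kernel *k, size_t off,
                             unsigned char *dst, size_t len)
{
    if (!safe_bounds_ok(off, len))
        return -1;
    memcpy(dst, k->mem + off, len);
    return (long)len;
}

/* 1 if the unchecked handler let a user write reach the privileged value. */
int demo_unchecked_clobbers_flag(void)
{
    struct model_kernel k;
    unsigned char payload[sizeof(unsigned int)];
    memset(&k, 0, sizeof k);
    memset(payload, 0xff, sizeof payload);
    dev_write_unchecked(&k, DEV_BUF_SIZE, payload, sizeof payload);
    return privileged_flag(&k) != 0;
}

/* 1 if the checked handler rejected the same write and left the value alone. */
int demo_checked_rejects(void)
{
    struct model_kernel k;
    unsigned char payload[sizeof(unsigned int)];
    memset(&k, 0, sizeof k);
    memset(payload, 0xff, sizeof payload);
    long rc = dev_write_checked(&k, DEV_BUF_SIZE, payload, sizeof payload);
    return rc == -1 && privileged_flag(&k) == 0;
}

/* 1 if an in-bounds read still works and a one-byte-too-long read is refused. */
int demo_checked_read_ok(void)
{
    struct model_kernel k;
    unsigned char out[8];
    memset(&k, 0, sizeof k);
    memset(k.mem, 0x41, DEV_BUF_SIZE);
    if (dev_read_checked(&k, DEV_BUF_SIZE - 8, out, 8) != 8)
        return 0;
    return out[0] == 0x41 && out[7] == 0x41
        && dev_read_checked(&k, DEV_BUF_SIZE - 8, out, 9) == -1;
}
```

The point the model makes is that ASLR and stack protection, which the thread discusses for user space, do nothing for this class of bug: the missing check is in the driver, and the "user" is already talking to kernel code through a legitimate interface. The fix is the check itself, written in the wrap-safe form above.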
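Kees mentions the heap link-checking that arrived with glibc 2.5 in Feisty. The following is an added example written for this page, not glibc's code and not something from the thread: a stand-alone model of a free chunk's `fd`/`bk` links showing the classic "unlink" arbitrary write, and the back-pointer check that stops it. The `struct chunk` layout, the `slot` and `attacker_buf` names, and the attack setup are assumptions made for the demonstration; in a real exploit the attacker would set `fd` to `target - offsetof(struct chunk, bk)` so that `fd->bk` is exactly the address to overwrite.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model for the example: a free chunk with glibc-style links.
 * This is not glibc's allocator; only the shape of the check is borrowed. */
struct chunk {
    size_t        size;   /* present only to keep the layout chunk-like */
    struct chunk *fd;     /* next chunk in the doubly-linked free list */
    struct chunk *bk;     /* previous chunk in the free list */
};

/* Old-style unlink: two pointer writes driven entirely by p's own fd/bk.
 * If an overflow let the user choose those, this becomes an arbitrary
 * write:  p->fd->bk = p->bk   and   p->bk->fd = p->fd                  */
static void unlink_unchecked(struct chunk *p)
{
    struct chunk *fd = p->fd, *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* Link-checked unlink in the spirit of the glibc 2.5 check: both
 * neighbours must point back at p, otherwise refuse (glibc aborts with
 * "corrupted double-linked list"). Returns 0 on success, -1 on refusal. */
static int unlink_checked(struct chunk *p)
{
    struct chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return -1;
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

/* 1 if unlinking the middle chunk of a consistent circular list works
 * and leaves a <-> c correctly linked. */
int demo_legit_unlink(void)
{
    struct chunk a = {0}, b = {0}, c = {0};
    a.fd = &b; a.bk = &c;
    b.fd = &c; b.bk = &a;
    c.fd = &a; c.bk = &b;
    if (unlink_checked(&b) != 0)
        return 0;
    return a.fd == &c && c.bk == &a;
}

/* Attack model. `slot.bk` stands for a pointer the attacker wants to
 * hijack; `attacker_buf` stands for attacker-controlled writable memory
 * the hijacked pointer should end up pointing at. `victim` is a chunk
 * whose fd/bk an overflow from its neighbour has already overwritten.
 * Returns 1 if slot.bk ended up pointing at attacker_buf. */
int demo_corrupted_unlink(int use_check)
{
    struct chunk slot = {0}, attacker_buf = {0}, victim = {0};

    victim.fd = &slot;           /* fd->bk is the target location */
    victim.bk = &attacker_buf;   /* the value that will be written there */

    if (use_check) {
        if (unlink_checked(&victim) < 0)
            return 0;            /* refused: slot.bk left untouched */
    } else {
        unlink_unchecked(&victim);
    }
    return slot.bk == &attacker_buf;
}
```

Without the check, one corrupted chunk header turns a heap overflow into a write of an attacker-chosen pointer to an attacker-chosen address, which is exactly the "arbitrary memory-writing bug" Kees says overflow protections alone cannot stop. With the check, the forged `fd` fails `fd->bk == p` and the unlink is refused before either write happens; the second write (`bk->fd = fd`) also explains why the attacker's `bk` must itself point at writable memory.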
