opensuse conference 2015: security processes and technologies for tumbleweed
TRANSCRIPT
Security and openSUSE
Securing the Tumbleweed
Marcus Meißner
Technical Project Manager
[email protected]
Overview
• The Team
• Security after releases
• Security before releases
‒ Before check-in
‒ Automations
The Maintenance Security Team
Thomas Biege: Manager
Security people:
Andreas Stieger
Marcus Meissner
Sebastian Krahmer
Victor Pereira
Alexander Bergmann
Johannes Segitz
Security for openSUSE releases
Tracking & Coordination
Timeline: for 2 openSUSE releases & 2 months lifetime
Bugzilla “SUSE Security Incidents” product
“VUL-x: CVE-xxxx-yyyy: package: short summary”
VUL-0, VUL-1, VUL-2 prefixes
Security for Tumbleweed
Multiple parts:
• Fixing security issues – usually by maintenance update
• Reviewing all the new things
• New technologies and automations
Reviews
• Users used for privilege separation
• Root can do everything
• Lots of helper mechanisms for user → root transitions
• Desktop user should not be root by default
→ We need to review all transition paths
Allowing new DBUS and PAM modules
rpmlint direct checks:
• DBUS services
• PAM module files
• (New users and groups)
Open a bug for Security (category Security, or assign to [email protected]) and use the AUDIT-0 tag.
Allowing new policykit rules
Policykit policies grant access rights to DBUS services.
Various access checking rights:
• No, Yes, auth_admin, auth_self
Depending on context:
• active session, inactive session, other users
Handled in the polkit-default-privs package, checked by rpmlint.
Open an AUDIT-0 bug if shown in rpmlint output.
Approving new setuid/setgid things
brp-permissions finds:
• New setuid binaries
• New setgid/setuid directories
• World writable directories
Approval handled in permissions package, also via AUDIT-0 bugs.
.spec files need adjustments to add setting / verification of permissions.
Starting daemons by default
Systemd uses “presets” for auto starting services on boot.
These presets live in systemd-presets-branding-openSUSE
Maintained by the security team; we review the submit requests.
Goal: keep set minimal
Auditing – no magic silver bullet
• Manual work
• Needs experience
• Helper tools
• 1 – 2 per week/engineer
• Look at specific parts only
Automation and technologies
Security technologies for improving system security
Integration criteria:
• Status
• Number of false positives / negatives
• Ease of integration to Tumbleweed
• Performance & Usability
Compiler checks - FORTIFY_SOURCE
Lightweight buffer overflow checking, consisting of:
• Compile time warnings
• Runtime aborts
Utilized for glibc standard functions like strcpy, memcpy and similar functions which take buffers.
CPPFLAGS="-D_FORTIFY_SOURCE=2"
Default for several years.
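As an added illustration (constructed here, not code from the slides or from glibc): a model of what -D_FORTIFY_SOURCE=2 does to memcpy(), using the compiler's __builtin_object_size the way glibc's headers do; the abort is replaced by a return value so the check can be observed.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the FORTIFY_SOURCE mechanism; this is not glibc's
 * code. glibc's __memcpy_chk(dst, src, n, dstlen) calls __chk_fail() and
 * aborts when n > dstlen; this version returns -1 instead so the check
 * can be observed from a test. */
#define OBJSIZE_UNKNOWN ((size_t)-1)

/* The runtime half: the extra argument is the destination size the
 * compiler computed. (size_t)-1 means "unknown"; then, exactly like
 * glibc, no check is possible and the copy proceeds unguarded. */
int checked_memcpy(void *dst, size_t dst_objsize, const void *src, size_t n)
{
    if (dst_objsize != OBJSIZE_UNKNOWN && n > dst_objsize)
        return -1;   /* glibc: "*** buffer overflow detected ***", then abort() */
    memcpy(dst, src, n);
    return 0;
}

/* The compile-time half: with -D_FORTIFY_SOURCE=2 and optimisation, the
 * glibc headers replace memcpy() by a wrapper that passes
 * __builtin_object_size(dst, 1) to the _chk variant. Type 1 limits the
 * size to the enclosing sub-object (one struct member); level 1 uses
 * type 0, the whole object. When n is also a constant, the compiler can
 * decide the comparison itself and emit the compile-time warning. */
#define fortified_memcpy(dst, src, n) \
    checked_memcpy((dst), __builtin_object_size((dst), 1), (src), (n))

/* Destination is a local array whose size the compiler knows:
 * any n > 16 is caught before a single byte is written. */
int copy_into_local_buffer(size_t n)
{
    char buf[16];
    char src[64];
    memset(src, 'A', sizeof src);
    return fortified_memcpy(buf, src, n);
}

/* Destination arrives through a pointer: unless the compiler can see the
 * caller's allocation (e.g. after inlining), __builtin_object_size yields
 * (size_t)-1 and this call is unchecked. That is why FORTIFY_SOURCE is
 * "lightweight": it covers only what the compiler can prove, and the
 * caller still has to size dst correctly. */
int copy_into_caller_buffer(char *dst, size_t n)
{
    char src[64];
    memset(src, 'A', sizeof src);
    return fortified_memcpy(dst, src, n);
}
```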
Compiler checks - -fstack-protector
Heuristic stack overflow detection
Uses a random stack “canary” that is checked on function exit.
To enable:
CFLAGS += "-fstack-protector" (or -fstack-protector-all, -fstack-protector-strong)
Status: enabled for several years
Address Space Layout Randomization
Randomize all the address space!
Stack, libraries, mmaps, vdso: for quite some years
Main binary and heap: Need to build with “PIE” mode.
Future: Build Factory with PIE
Selected packages are built with PIE support enabled already.
Enable: CFLAGS+="-fPIE" LDFLAGS+="-pie"
Enable all the packages!
Status: WIP in openSUSE:Factory:Staging:PIE
Apparmor and SELinux
Apparmor:
• Well integrated for years
• Suited only for server scenarios
SELinux
• Tools present
• No well working policies at this time
• Complex
Future: Enable Address Sanitizer
Newer compilers have “Sanitizer” modules for dynamic runtime checking modes.
AddressSanitizer: Reliable array overflow checking.
Enable: CFLAGS+="-fsanitize=address"
Status: Evaluated by Victor Pereira
Future: Other sanitizers
• ThreadSanitizer: -fsanitize=thread
New with GCC 5:
• UndefinedBehaviourSanitizer (-fsanitize= … )
‒ Float-divide-by-zero
‒ Float-cast-overflow
‒ Bounds
‒ Alignment
‒ Object-size
‒ Vptr
• Pointer Bounds Checker (-fcheck-pointer-bounds)
Fuzzers - AFL
AFL (American Fuzzy Lop)
Developer tool, not for common usage
Optimized for speed of execution and enhancing coverage
Fuzzing sample:
• File formats
• Other direct data input (even TLS)