Security and openSUSE: securing the Tumbleweed
Marcus Meißner, Technical Project Manager Security, [email protected]

openSUSE Conference 2015: security processes and technologies for Tumbleweed


2

Overview

• The Team

• Security after releases

• Security before releases

‒ Before check-in

‒ Automations

3

The Maintenance Security Team

Thomas Biege: Manager

Security people:

Andreas Stieger

Marcus Meissner

Sebastian Krahmer

Victor Pereira

Alexander Bergmann

Johannes Segitz

4

Security for openSUSE releases

Tracking & Coordination

Timeline: supported for 2 openSUSE releases plus 2 months of lifetime

Bugzilla “SUSE Security Incidents” product

“VUL-x: CVE-xxxx-yyyy: package: short summary”

VUL-0, VUL-1, VUL-2 prefixes

5

Security for Tumbleweed

Multiple parts:

• Fixing security issues – usually by maintenance update

• Reviewing all the new things

• New technologies and automatisms

6

Reviews

• Users used for privilege separation

• Root can do everything

• Lots of helper mechanisms for user → root transitions

• Desktop user should not be root by default

→ We need to review all transition paths

7

Allowing new DBUS and PAM modules

rpmlint direct checks:

• DBUS services

• PAM module files

• (New users and groups)

Open a bug for the Security team (category Security, or assign to [email protected]) and use the AUDIT-0 tag.

8

Allowing new policykit rules

Policykit policies: access rights to DBUS services

Various access checking rights:

• No, Yes, auth_admin, auth_self

Depending on context:

• active session, inactive session, other users.

Handled in polkit-default-privs package, checked by rpmlint.

Open an AUDIT-0 bug if shown in rpmlint output.

9

Approving new setuid/setgid things

brp-permissions finds:

• New setuid binaries

• New setgid/setuid directories

• World writable directories

Approval handled in permissions package, also via AUDIT-0 bugs.

.spec files need adjustments to add the setting and verification of permissions.

10

Starting daemons by default

Systemd uses “presets” to decide which services are started automatically on boot.

These presets live in systemd-presets-branding-openSUSE

Maintained by the security team; we review the submit requests.

Goal: keep set minimal

11

Auditing – no magic silver bullet

• Manual work

• Needs experience

• Helper tools

• 1 – 2 audits per week per engineer

• Look at specific parts only

12

Automation and technologies

Security technologies for improving system security

Integration criteria:

• Status

• Number of false positives / negatives

• Ease of integration to Tumbleweed

• Performance & Usability

13

Compiler checks - FORTIFY_SOURCE

Lightweight buffer overflow checking, consisting of:

• Compile time warnings

• Runtime aborts

Used for glibc standard functions such as strcpy, memcpy and similar functions that take buffers.

CPPFLAGS="-D_FORTIFY_SOURCE=2"

Default for several years.
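As an added illustration of the mechanism (example code, not from the talk): a small imitation of glibc's fortified memcpy. It uses the same __builtin_object_size() query the compiler evaluates under _FORTIFY_SOURCE, but the overflow case returns an error instead of aborting so the behaviour can be checked; the function and buffer names are made up for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Imitation of glibc's __memcpy_chk: the compiler computes the size of
 * the destination object and passes it along; the wrapper refuses the
 * copy if the requested length exceeds it.  glibc calls __chk_fail()
 * (abort) in that case; here we return -1 so the result is testable. */
int checked_memcpy(void *dst, size_t dst_size, const void *src, size_t n) {
    /* (size_t)-1 means "size unknown at compile time"; like glibc, the
     * copy is then left unchecked. */
    if (dst_size != (size_t)-1 && n > dst_size)
        return -1;  /* would overflow dst: FORTIFY_SOURCE aborts here */
    memcpy(dst, src, n);
    return 0;
}

/* Type 0 asks for the size of the whole object the pointer points into,
 * which is what the fortified memcpy wrapper uses. */
#define FORTIFIED_MEMCPY(dst, src, n) \
    checked_memcpy((dst), __builtin_object_size((dst), 0), (src), (n))

/* Copy n bytes of a constructed payload into a 16-byte stack buffer.
 * Returns 0 when the copy fits, -1 when the fortified check rejects it. */
int copy_into_small_buffer(size_t n) {
    char buf[16];
    char payload[64];                       /* constructed sample input */
    memset(payload, 'A', sizeof payload);
    if (FORTIFIED_MEMCPY(buf, payload, n) != 0)
        return -1;
    return 0;
}

int main(void) {
    printf("16 bytes: %d\n", copy_into_small_buffer(16));  /* 0  */
    printf("17 bytes: %d\n", copy_into_small_buffer(17));  /* -1 */
    return 0;
}
```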

14

Compiler checks - -fstack-protector

Heuristic stack overflow detection

Uses a random stack “canary” that is checked on function exit.

To enable:

CFLAGS += "-fstack-protector" (or the -fstack-protector-all / -fstack-protector-strong variants)

Status: enabled for several years

15

Address Space Layout Randomization

Randomize all the address space!

Stack, libraries, mmaps, vdso: for quite some years

Main binary and heap: Need to build with “PIE” mode.

16

Future: Build Factory with PIE

Selected packages are built with PIE support enabled already.

Enable: CFLAGS+="-fPIE" LDFLAGS+="-pie"

Enable all the packages!

Status: WIP in openSUSE:Factory:Staging:PIE

17

Apparmor and SELinux

Apparmor:

• Well integrated for years

• Suited only for server scenarios

SELinux

• Tools present

• No well working policies at this time

• Complex

18

Future: Enable Address Sanitizer

Newer compilers have “Sanitizer” modes for dynamic runtime checking.

AddressSanitizer: Reliable array overflow checking.

Enable: CFLAGS+="-fsanitize=address"

Status: Evaluated by Victor Pereira

19

Future: Other sanitizers

• ThreadSanitizer: -fsanitize=thread

New with GCC 5:

• UndefinedBehaviourSanitizer (-fsanitize= … )

‒ Float-divide-by-zero

‒ Float-cast-overflow

‒ Bounds

‒ Alignment

‒ Object-size

‒ Vptr

• Pointer Bounds Checker (-fcheck-pointer-bounds)

20

Fuzzers - AFL

AFL (American Fuzzy Lop)

Developer tool, not for common usage

Optimized for execution speed and for increasing coverage

Example fuzzing targets:

• Fileformats

• Other direct data input (even TLS)

21

How can you help?

• Install online updates!

• If you see something security related, speak up.

‒ (if it has a CVE id we probably know it already though)

• Program securely

• Help fix security issues for openSUSE!