Ubuntu 21.10 is the latest release of Ubuntu and comes as the last interim release before the forthcoming 22.04 LTS release due in April 2022. As the interim releases are often proving grounds for upcoming features in the LTS releases, this provides a good opportunity to take stock of some of the latest security features delivered in this release, on the road to 22.04 LTS. In this blog post, we will take a look at those features and improvements that add to the overall security of an Ubuntu system and which help to enable your Linux cybersecurity strategy.
5.13 Linux kernel
The Linux kernel is the foundation for all Ubuntu systems. Ubuntu 21.10 uses the upstream 5.13 kernel as its baseline and so takes advantage of a number of improvements made since the 5.11 kernel used in Ubuntu 21.04. These include the following new features.
Detect active exploitation attempts with KFENCE memory error detector
Memory corruption vulnerabilities are still one of the most problematic types of security issues for the Linux kernel. Detecting them can be done both at compile time via static analysis and at run-time through instrumentation of the various memory allocation routines. Traditionally, instrumenting memory operations to detect errors at runtime has been too computationally intensive to use in production systems, and so has been restricted to CI environments and the like. Kernel Electric Fence (KFENCE) is a new, low overhead run-time memory error detector which is designed to be used in production environments. Rather than instrumenting all memory routines, KFENCE uses a sampling approach so that only a subset of operations is measured, keeping the overhead low whilst still allowing it to detect the most common memory errors over a long enough sampling period. KFENCE is enabled by default, which should enable detection of various runtime memory errors, which in turn could indicate active exploitation attempts against these systems.
[Editor's note: during the development of Ubuntu 21.10 KFENCE was enabled by default but just prior to the final release was disabled due to instability in certain scenarios – investigation is still ongoing to try and re-enable this feature as part of the Stable Release Update process].
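When KFENCE does catch an error it writes a report to the kernel log, so the defender's job is to notice those reports. The following is an added example, not code from the Ubuntu post: a small parser for the KFENCE report header format documented in the kernel tree (`BUG: KFENCE: <error class> in <function>+0x…`), run over a constructed dmesg excerpt. The sample lines, timestamps and object numbers are made up for illustration.

```python
import re
from collections import Counter

# Header line of a KFENCE report, as documented in Documentation/dev-tools/kfence.rst:
#   BUG: KFENCE: <error class> in <function>+0x<offset>/0x<size>
HEADER_RE = re.compile(
    r"BUG: KFENCE: (?P<kind>out-of-bounds (?:read|write)|use-after-free (?:read|write)"
    r"|invalid (?:read|write|free)|memory corruption) in (?P<func>[^+\s]+)"
)
# The detail line that follows names the guarded allocation, e.g. "(1B left of kfence-#72)".
OBJECT_RE = re.compile(r"kfence-#(?P<obj>\d+)")

# Constructed dmesg excerpt (not a real capture); function names mirror the kernel's KFENCE KUnit tests.
SAMPLE_DMESG = """\
[  120.004201] ==================================================================
[  120.004230] BUG: KFENCE: out-of-bounds read in test_out_of_bounds_read+0xa6/0x234
[  120.004240]
[  120.004242] Out-of-bounds read at 0xffff8c3f2e291fff (1B left of kfence-#72):
[  120.004250]  test_out_of_bounds_read+0xa6/0x234
[  120.004255]  kunit_try_run_case+0x51/0x85
[  120.004300] ==================================================================
[  301.112000] BUG: KFENCE: use-after-free read in test_use_after_free_read+0xb3/0x143
[  301.112010]
[  301.112011] Use-after-free read at 0xffff8c3f2e2aa000 (in kfence-#24):
[  301.112020]  test_use_after_free_read+0xb3/0x143
[  455.000100] BUG: KFENCE: invalid free in test_double_free+0xdc/0x171
[  455.000110]
[  455.000111] Invalid free of 0xffff8c3f2e2b2000 (in kfence-#31):
"""

def parse_kfence_reports(dmesg_text):
    """Return one dict per KFENCE report found in a dmesg/journal dump."""
    reports = []
    for line in dmesg_text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            kind = m.group("kind")
            # "invalid free" and "memory corruption" carry no read/write access direction.
            access = kind.split()[-1] if kind.endswith(("read", "write")) else None
            reports.append({"kind": kind, "access": access, "func": m.group("func"), "object": None})
        elif reports and reports[-1]["object"] is None:
            o = OBJECT_RE.search(line)          # attach the kfence-#N object id to the latest report
            if o:
                reports[-1]["object"] = int(o.group("obj"))
    return reports

def summarize(reports):
    """Count reports per error class; this is the view a log-monitoring rule would alert on."""
    return Counter(r["kind"] for r in reports)

if __name__ == "__main__":
    for kind, n in summarize(parse_kfence_reports(SAMPLE_DMESG)).items():
        print(f"{n} x {kind}")
```

On a live system feed it `dmesg` or `journalctl -k` output instead of the sample; any report at all is worth investigating, since a production kernel should not be tripping KFENCE guards.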
Impede kernel exploitation with Kernel stack offset randomisation
Exploitation of the Linux kernel often involves a local user making multiple system calls: first to leak a kernel memory address, then to overwrite that memory on a subsequent call. One way to counter this exploitation method is to ensure that the kernel stack is located in a different memory region from one system call to the next, so that a stack address leaked from one system call becomes invalid if used in a subsequent one. The 5.13 kernel introduces the ability to randomise the location of the kernel stack at each system-call entry to the kernel for both the amd64 and arm64 architectures. This work was inspired by the PaX RANDKSTACK project, and so brings to the mainline Linux kernel, and hence to Ubuntu 21.10, a much desired security hardening feature. The performance impact of this new feature is minimal, so it has been enabled by default for Ubuntu 21.10, making all Ubuntu users safer by closing off another attack technique and frustrating would-be attackers.
Experiment with application sandboxing via the Landlock security module
Security vulnerabilities can be present in even the most trusted applications. To limit the impact these can have, Mandatory Access Control (MAC) systems have been used to sandbox applications so that they can only access the specific resources they need. AppArmor and SELinux are both examples of MAC systems, and both are implemented as Linux Security Modules (LSMs) within the Linux kernel. Each allows the system administrator to define policy about what applications should be allowed to access. In more recent years there has been a trend towards allowing applications to sandbox themselves, first with the introduction of seccomp filters and now with the Landlock LSM. Landlock is similar to AppArmor in that it allows policy to be created which limits what files an application can access, but unlike AppArmor, which is designed to be configured by the system administrator, Landlock allows applications to define their own security policy. LSM stacking allows Landlock to be used in conjunction with AppArmor, and so Landlock has been enabled in Ubuntu 21.10 as a preview of this new technology, so that application developers can start exploring the use of Landlock in addition to AppArmor for enhanced application isolation.
Reduce kernel attack surface by disabling unprivileged BPF
The use of the Berkeley Packet Filter (BPF) in-kernel virtual machine has grown well beyond its original use within the networking subsystem of the kernel. It is now used by control groups for filtering device accesses, by tracing and profiling to gather performance information, and for observability and monitoring of the system, to name just a few of the use cases to which this technology has been applied. As the use cases for BPF have grown, so has the appetite for making this ubiquitous system available to all users. Since the 4.4 kernel, unprivileged users have been able to load BPF programs into the kernel, trusting that the in-kernel BPF verifier will ensure no untoward actions can be performed as a result. Unfortunately, a range of security issues that have been (and continue to be) discovered in the BPF verifier has resulted in a number of high priority vulnerabilities within the kernel that allow an unprivileged user to escalate their privileges to root by loading BPF programs that bypass various checks within the BPF verifier. As a result, for Ubuntu 21.10 this default has been changed so that only privileged users may load BPF programs, while system administrators who trust their users may allow unprivileged users to load BPF programs as well by changing the associated sysctl setting. This change aims to strike a balance between the increased usability of universal BPF and protecting the system against attackers who would abuse this feature for their own gain, overall making Ubuntu 21.10 more secure against this type of attack.
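Because one of these features (KFENCE) was switched off just before release and another (unprivileged BPF) is deliberately tunable, it is worth verifying on a running machine which of the four kernel hardening features described above are actually active rather than assuming the release defaults. The following audit script is an added example, not part of the Ubuntu post or of any Ubuntu tooling. It reads the standard kernel interfaces for each feature: the `CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT` option in `/boot/config-<release>` and the `randomize_kstack_offset=on|off` kernel command-line override, `/sys/module/kfence/parameters/sample_interval` (0 means KFENCE is off), the initialised LSM list in `/sys/kernel/security/lsm`, and the `kernel.unprivileged_bpf_disabled` sysctl (0 allowed, 1 disabled until reboot, 2 disabled but re-enablable by root). The check functions take file contents as strings so they can be exercised without root or a 5.13 kernel.

```python
import platform
import re
from pathlib import Path

def kstack_offset_enabled(config_text, cmdline):
    """Kernel stack offset randomisation: the boot parameter overrides the compiled-in default."""
    m = re.search(r"\brandomize_kstack_offset=(on|off)\b", cmdline)
    if m:
        return m.group(1) == "on"
    return re.search(r"^CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y$", config_text, re.M) is not None

def kfence_active(sample_interval_text):
    """KFENCE samples allocations only while its sample_interval (ms) is non-zero."""
    value = sample_interval_text.strip()
    return value.isdigit() and int(value) > 0

def landlock_active(lsm_text):
    """securityfs exposes the LSMs that initialised at boot as a comma-separated list."""
    return "landlock" in lsm_text.strip().split(",")

def unprivileged_bpf_state(sysctl_text):
    """Meaning of kernel.unprivileged_bpf_disabled; value 2 matches the Ubuntu 21.10 behaviour described above."""
    return {
        "0": "allowed",
        "1": "disabled (locked until reboot)",
        "2": "disabled (admin may re-enable)",
    }.get(sysctl_text.strip(), "unknown")

def _read(path, default=""):
    """Read a pseudo-file, returning a default when it is absent (older kernel, feature not built)."""
    try:
        return Path(path).read_text()
    except OSError:
        return default

def audit():
    """Collect the live state of the four features on this host."""
    release = platform.release()
    return {
        "kstack_offset_randomised": kstack_offset_enabled(_read(f"/boot/config-{release}"), _read("/proc/cmdline")),
        "kfence_active": kfence_active(_read("/sys/module/kfence/parameters/sample_interval", "0")),
        "landlock_active": landlock_active(_read("/sys/kernel/security/lsm")),
        "unprivileged_bpf": unprivileged_bpf_state(_read("/proc/sys/kernel/unprivileged_bpf_disabled")),
    }

if __name__ == "__main__":
    for name, state in audit().items():
        print(f"{name}: {state}")
```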
Improved static analysis with GCC 11
Ubuntu is widely recognised as the most popular Linux distribution for developers and is used by development teams in more than 100 countries across a wide array of industries to build world-leading applications and services. There are many reasons why developers choose Ubuntu, including unparalleled hardware and software support, the familiarity of a common platform between development and production environments, and the long term support offered by Canonical. A further benefit is that developers can ship more secure code by using Ubuntu as their development platform. Ubuntu 21.10 includes the latest release of GCC, the venerable and de facto standard C/C++ compiler. GCC 10 introduced the ability to run more intensive static analysis checks during compilation via the -fanalyzer command-line option. GCC 11 adds further checks that detect defects such as attempting to modify a string literal, or shifting a type by a value greater than it can represent and hence causing an overflow. By developing on Ubuntu 21.10 and enabling these features, developers can detect such defects before release and hence ship more secure code by using Ubuntu as their development platform of choice.
In all, the range of security features and additional hardening measures implemented in Ubuntu 21.10 make it the most secure Ubuntu release to date. They also feed into the development of Ubuntu 22.04 LTS, the next long-term supported release of Ubuntu. Security updates and kernel livepatching for 22.04 LTS will both be provided for ten years via an Ubuntu Advantage subscription, continuing the benchmark of Ubuntu LTS releases serving as the most secure foundation on which to both develop and deploy Linux applications and services.