Kees Cook is the security engineer and Gerry Carr is the head of platform marketing at Canonical. In this interview they discuss the security improvements in Ubuntu 9.10, the security challenges the Ubuntu team faces as well as what the latest version of Ubuntu offers to the developer community.

What are the most notable security features introduced with Ubuntu 9.10?

The widest-reaching change was the introduction of non-executable memory emulation for Ubuntu systems that lack non-exec hardware. Modern CPUs allow regions of memory to be marked as "non-executable", like the stack and heap. This puts a stop to large classes of vulnerability exploits. For systems that do not have it (or do not run in 64bit mode), Ubuntu's kernel now includes a partial form of this, emulated in the kernel by way of memory segment limits.

AppArmor saw several improvements this cycle, and had several more profiles created including ntpd, evince, and libvirt. Additionally, experimental profiles (available for testing) were created for Firefox and Apache. The libvirt integration provides even more isolation for virtual machines running under Ubuntu.

More applications were built as Position-Independent Executables, allowing them to take full advantage of the kernel's Address Space Layout Randomisation. Additionally, the PIE applications have been built with linker flags that reduce the areas within the application that can be subverted by attackers.


Other improvements include the Uncomplicated Firewall being enhanced to add interface and egress filtering, and the kernel now provides a one-way sysctl toggle that can block further module loading.

Since threats evolve quickly, what kind of challenges does this pose to the Ubuntu developer and security teams?

While much of the regular Linux security landscape is understood (e.g. permissions/role separation, firewalls, memory corruption, encryption), many technologies are still relatively young (e.g. virtualisation, cloud computing). Our team's challenges arise from testing these new technologies and looking for design flaws and security bugs.

As with any system, the largest challenge is mitigating design flaws. When a class of security vulnerabilities emerge based on a technological design issue, it can be tricky to find the right solution that does not unduly inhibit usability and then to also backport these changes to earlier stable releases.

Luckily, defenses are evolving quickly too. With more Mandatory Access Control systems being made available (e.g. SELinux, AppArmor, TOMOYO, SMACK), more work being done on capabilities, and better confinement and namespace separation, there will be more tools available to help stop vulnerabilities from getting very far.