Roadmap

Differences between revisions 1 and 91 (spanning 90 versions)
Revision 1 as of 2008-01-30 20:09:18
Size: 34
Editor: c-76-105-157-155
Comment:
Revision 91 as of 2009-07-15 22:22:10
Size: 13984
Editor: pool-71-114-225-43
Comment: add note on community USN
<<Include(SecurityTeam/Header)>>

||<tablestyle="float:right; font-size: 0.9em; width:30%; background:#F1F1ED; background-repeat: no-repeat; background-position: 98% 0.5ex; margin: 0 0 1em 1em; padding: 0.5em;"><<TableOfContents>>||

== Karmic ==

=== Blueprints ===

 * https://blueprints.launchpad.net/sprints/uds-karmic?searchtext=security-karmic
 * [[karmic-blocking-malware]]

== Documentation ==

 * The Security Team [[SecurityTeam/FAQ| FAQ]] needs to be filled with answers to the various questions Ubuntu gets about security.
 * The Security Team [[SecurityTeam/KnowledgeBase| KnowledgeBase]] needs more content written. Many ideas have already been listed there.

== Investigations ==
Several ideas for possible work come from investigating the installed set of packages.

 * [[Security/Investigation/Setuid| setuid]]: which programs are setuid and what may be needed to improve them.
 * measure how many bits of randomness are actually being used in kernel ASLR, compared to other ASLR implementations.
 * review ideas from [[http://brainstorm.ubuntu.com/security/|brainstorm]].
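The ASLR item above asks how many address bits the kernel actually randomises. The following is an added example, not code from the wiki page or the Ubuntu Security Team: it samples a mapping's base address across many fresh processes and counts the bit positions that ever change. Live sampling assumes a Linux `/proc/<pid>/maps`; the counting function works on any list of hex addresses, so output from another ASLR implementation can be fed through it for comparison. The sample addresses in the usage comment are constructed, not measured.

```shell
#!/usr/bin/env bash
# Added example (not from the Ubuntu wiki page): estimate the number of
# address bits the kernel randomises for a mapping by sampling its start
# address in many fresh processes and counting the bits that ever differ.

# Print N start addresses of the "[region]" mapping, one per fresh process.
# Each grep is a new process, so its /proc/self/maps shows a new ASLR layout.
# region defaults to "stack"; "heap" or "vdso" work the same way.
sample_addrs() {
    local n=${1:-200} region=${2:-stack} i=0
    while [ "$i" -lt "$n" ]; do
        grep "\[$region\]" /proc/self/maps | head -n1 | cut -d- -f1
        i=$((i + 1))
    done
}

# Read hex addresses (one per line, with or without a 0x prefix) from stdin
# and print the number of bit positions in which any sample differs from the
# first one. Bits that never change are either fixed by the ABI/page size or
# not randomised at all; the result can undercount entropy, never overcount.
varying_bits() {
    local mask=0 first="" a bits=0
    while read -r a; do
        a=${a#0x}
        [ -n "$a" ] || continue
        a=$(( 0x$a ))
        if [ -z "$first" ]; then
            first=$a
        else
            mask=$(( mask | (a ^ first) ))
        fi
    done
    while [ "$mask" -ne 0 ]; do
        bits=$(( bits + (mask & 1) ))
        mask=$(( mask >> 1 ))
    done
    echo "$bits"
}

# Live usage, e.g. 500 samples of the stack base:
#   sample_addrs 500 stack | varying_bits
# Check /proc/sys/kernel/randomize_va_space first (2 = full randomisation);
# with it set to 0 the count drops to 0 for every region.
# Constructed input: printf '%s\n' 7ffc00000000 7ffd00000000 | varying_bits
# prints 1, because the two samples differ only in bit 32.
```

Because the count is an OR of differences, a few hundred samples are enough to see the randomised bit span; the low 12 bits always read 0 on x86 because mappings are page aligned, so do not mistake the total width of the address for available entropy.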

== AppArmor Confinement ==
The following profiles have been identified and prioritized as targets for AppArmor confinement. A number of [[SecurityTeam/KnowledgeBase/AppArmorProfiles|profiles already exist]] and are not included in this list. Please note that a high priority does not indicate a commitment to develop the profile during the current development cycle.
 * Top priority
  * libvirt (in progress. See [[https://wiki.ubuntu.com/SecurityTeam/Specifications/AppArmorLibvirtProfile|AppArmorLibvirtProfile]], https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/388422)
  * ntpd (https://bugs.launchpad.net/bugs/382905)
  * postgresql
  * tomcat (a third party changehat plugin is rumored to exist)
  * apache2 (see [[https://blueprints.launchpad.net/ubuntu/+spec/security-karmic-webservice-profiles|blueprint]])
  * evince ([[http://bazaar.launchpad.net/~ubuntu-core-dev/apparmor/profiles-devel/annotate/head%3A/usr.bin.evince|in progress]], https://bugs.launchpad.net/bugs/382913)
  * firefox (See [[https://wiki.ubuntu.com/SecurityTeam/Specifications/AppArmorFirefoxProfile|AppArmorFirefoxProfile]], https://bugs.launchpad.net/bugs/382917)
  * dovecot ([[http://bazaar.launchpad.net/~ubuntu-core-dev/apparmor/profiles-devel|in progress]], see [[https://blueprints.launchpad.net/ubuntu/+spec/security-karmic-mail-profiles|blueprint]])
  * amavisd (see [[https://blueprints.launchpad.net/ubuntu/+spec/security-karmic-mail-profiles|blueprint]])
  * postfix (see [[https://blueprints.launchpad.net/ubuntu/+spec/security-karmic-mail-profiles|blueprint]])
 * Secondary priority
  * nmbd
  * winbind
  * spamassassin (spamd)
  * acroread (likely not possible due to constraints of agreement with Adobe)
 * Tertiary priority
  * dnsmasq (possibly P2 due to libvirt (talk to soren))
  * squid (possibly P2 (talk to elmo))
  * awstats
  * analog ([[http://bazaar.launchpad.net/~ubuntu-core-dev/apparmor/profiles-devel/annotate/head%3A/usr.bin.analog|in progress]])
  * mailman
  * asterisk (universe)
  * exim4
  * nagios/nrpe
  * openssh-server (not easy, as users can spawn anything)
  * pidgin
  * mail clients (thunderbird, kmail, evolution) -- difficult
  * eog
  * totem
  * skype (likely not possible due to constraints of agreement)
  * ekiga
  * rhythmbox

 * Unspecified priority
  * portmap (low-effort)
  * rpc.statd (low-effort)
  * scripts that people tend to give sudo access. For example: apache2ctl, initscripts
  * munin

<<Anchor(wishlist)>>
== Unscheduled Wishlist Items ==

This area can be used to list ideas for future security work, or link to bugs that describe "Wishlist" issues.

 * more PIE applications
  * xulrunner-1.9, firefox, evince, totem, xserver-xorg, pidgin
   * avoid CPU-bound apps (PIE ties up a register on i386, so those suffer most)
   * Clamav is already confined and is too CPU-bound to use PIE
   * Sasl?
   * Cyrus is too CPU-bound
   * Totem (GStreamer) is very CPU-bound; needs testing to determine whether the performance impact is acceptable
   * VLC (not in main) is CPU-bound, but riddled with problems and has little maintenance within Ubuntu
  * review MySQL progress on regressions
  * proper PIE-handling in GDB (current patch barely works, upstream wants more correct approach, https://bugs.launchpad.net/bugs/382940)
  * Security team could make available a PPA for PIE testing, and the community could do performance testing
  * possibly add a comment to the binary (in a section that won't get stripped) recording how it was built
 * get default Private home directory set up, even if ecryptfs not in use:
  * https://launchpad.net/bugs/353231
  * internationalization issues, would need to be added to the list of folders that are already translated (xdg)
  * user confusion: Is the private directory encrypted or not?
 * switch (with backward compat) to filesystem capabilities:
  * http://marc.info/?l=linux-security-module&m=123852689416478&w=2
 * find origin of random "screen does not lock" bugs:
  * https://bugs.launchpad.net/bugs/283315 (KDE)
  * https://bugs.launchpad.net/bugs/291712 (KDE)
  * https://bugs.launchpad.net/bugs/296085 (KDE)
  * https://bugs.launchpad.net/bugs/326721 (KDE)
  * https://bugs.launchpad.net/bugs/317995 (Gnome)
  * https://bugs.launchpad.net/bugs/344803 (Gnome)
  * https://bugs.launchpad.net/bugs/338057 (Gnome)
  * https://bugs.launchpad.net/bugs/345026 (Gnome)
  * https://bugs.launchpad.net/bugs/353460 (Gnome)
  * https://bugs.launchpad.net/bugs/355027 (Gnome)
  * https://bugs.launchpad.net/bugs/369359 (Gnome)
  * https://bugs.launchpad.net/bugs/371388 (Gnome)
  * https://bugs.launchpad.net/bugs/385102 (Gnome)
  * https://bugs.launchpad.net/bugs/390989 (Gnome)
  * https://bugs.launchpad.net/bugs/393166 (Gnome)
  * https://bugs.launchpad.net/bugs/394691 (Gnome)
  * https://bugs.launchpad.net/bugs/349427 (XFCE)
  * https://bugs.launchpad.net/bugs/316907 (LXDE)
 * block execution of things lacking execute bit:
  * [[https://launchpad.net/bugs/153438|.desktop]]
  * [[https://launchpad.net/bugs/309214|.exe]]
  * [[https://launchpad.net/bugs/313439|.jar]]
  * [[https://launchpad.net/bugs/364376|shell]]
 * investigate soft nx patch (last remaining execshield feature not in mainline yet)
  * http://cvs.fedora.redhat.com/viewcvs/devel/kernel/linux-2.6-execshield.patch?root=extras&view=log
 * non-exec stack bugs (there are still some programs that have executable stack regions). Fixing them only has an effect where a non-exec stack can actually be enforced: on 32-bit that needs either softnx or the PAE kernel's NX support, while 64-bit already defaults to a non-exec stack.
  * https://bugs.launchpad.net/ubuntu/+bugs?field.tag=execstack
  * "readelf -l $BIN" shows a GNU_STACK header with the "E" flag (a binary with no GNU_STACK header at all is also treated as having an executable stack).
  * Gentoo write-up of what to do: http://www.gentoo.org/proj/en/hardened/gnu-stack.xml
  * Get Fedora patches upstream where they belong
   * http://cvs.fedoraproject.org/viewcvs/devel/bogl/bogl-0.1.18-noexecstack.patch?view=markup
   * http://cvs.fedoraproject.org/viewcvs/devel/gdk-pixbuf/gtk+-2.2.2-noexecstack.patch?view=markup
   * http://cvs.fedoraproject.org/viewcvs/devel/libdv/libdv-0.104-no-exec-stack.patch?view=markup
   * http://cvs.fedoraproject.org/viewcvs/devel/lightning/lightning-1.2-execstack.patch?view=markup
   * http://cvs.fedoraproject.org/viewcvs/devel/net-tools/net-tools-1.60-execshield.patch?view=markup
   * http://cvs.fedoraproject.org/viewcvs/devel/net-tools/netplug-1.2.9-execshield.patch?view=markup
   * http://cvs.fedoraproject.org/viewcvs/devel/ocaml/ocaml-3.11-dev12-no-executable-stack.patch?view=markup
   * http://cvs.fedoraproject.org/viewcvs/devel/qimageblitz/qimageblitz-0.0.4-noexecstack.patch?view=markup
   * http://cvs.fedoraproject.org/viewcvs/devel/zip/exec-shield.patch?view=markup
   * http://cvs.fedoraproject.org/viewcvs/devel/mlton/mlton-20070826-no-execmem.patch?view=markup
 * ufw improvements
  * support egress filtering (https://bugs.launchpad.net/bugs/382932)
  * support filtering by interface (https://bugs.launchpad.net/bugs/247450)
  * enable ufw by default (https://bugs.launchpad.net/bugs/382938)
   * new application profiles open by default, but configurable
   * look into things like port 25 if mail-transport-agent is installed
  * network-manager integration (create a new network, open it up)
  * dynamically detect outbound connections and somehow prompt (be careful with desktop DoS!)
  * GUI to turn ufw on and off, plus application selectors (location? control center applets). Talk to gufw about this
  * D-Bus/policykit integration
 * unified method to ask security questions
 * openjdk-6 testsuite cleanup from default compiler flags (https://bugs.launchpad.net/bugs/330713)
 * approach upstream glibc about futility of fwrite checks when lacking fprintf and fclose checks
 * automated Debian-security fetch/try/build system (mom, ubuntuwire (rcbugs), pitti may have some)
  * Get a report with some debdiffs the security team could review
  * At least open a bug with a failed/fuzzed debdiff that could be used as a starting point for community work
  * https://bugs.launchpad.net/bugs/382945
 * have sudo warn if it is prompting on a non-terminal fd (Debian said won't fix; investigate, https://bugs.launchpad.net/bugs/56755). This should be forwarded upstream rather than carried as a separate Ubuntu patch.
 * sort out bad vt interaction between usplash and other applications (https://bugs.launchpad.net/bugs/104602)
  * corner-case: sulogin with root password and usplash starts
  * other cases?
 * apparmor initscript is too slow (https://bugs.launchpad.net/bugs/382944)
 * package tomoyo userspace (https://bugs.launchpad.net/bugs/382946)
 * more profiles added to apparmor-profiles
 * look into chrooted-packages (as in apt-get install apache-chroot). Special attention on virtual hosting, updating and adding packages and modules. Another option would be to develop an apparmor profile and/or selinux policy.
 * Modify debsecan package to grab CVE reports from USN
 * Extract useful [[/Grsecurity]] patches for the kernel.
 * Modify apt-listbugs package to check package CVE's from USN.
 * Improved use of cryptography integrated well with Ubuntu
  * Encrypted swap by default on all installations
  * eCryptfs + SELinux/AppArmor integration, to protect encrypted data from root
 * Sweeping, static analysis of all of main (then universe)
  * something like bogosec (http://bogosec.sourceforge.net/) to provide numeric source code quality metrics, track over time, use for code review
 * Security Certification / Documentation
  * IBM presentation on work it did certifying RHEL/SLES, stresses open sourced efforts:
   * http://download.boulder.ibm.com/ibmdl/pub/software/dw/library/os-ltc-standards/LWE-Boston-06.pdf
   * http://www-128.ibm.com/developerworks/linux/library/os-ltc-security/
  * RHEL High Level Design document, rewrite for Ubuntu?
   * http://download.boulder.ibm.com/ibmdl/pub/software/dw/library/os-ltc-security/RHEL-4-HL-V2.13.pdf
 * Implement a more useful SAK that does not kill the running X server/session (Secure Attention Key: http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-hardy.git;a=blob;f=Documentation/SAK.txt;hb=HEAD). The current SAK implementation closes everything that has /dev/console open, including the entire tty7 graphical display, whereas the Windows implementation is more useful because it can require Ctrl-Alt-Del before any logon password is entered (initial logon, re-logon after returning from the screensaver, etc.).
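The PIE and non-exec-stack items in the list above both come down to reading ELF headers. The following is an added example, not code from the wiki page or from the Ubuntu Security Team: it parses `readelf -lW` and `readelf -hW` output to report the GNU_STACK flags and whether a binary is PIE, a non-PIE executable or a shared library. The parsers read readelf output from stdin so they can be checked against captured output; only `check_binary` needs binutils installed. The readelf lines in the comments are constructed samples.

```shell
#!/usr/bin/env bash
# Added example (not from the Ubuntu wiki page): ELF hardening check for an
# executable stack and for PIE, driven by readelf output.

# Print the GNU_STACK flags ("RW", "RWE", ...) from `readelf -lW` output, or
# "missing" when there is no GNU_STACK program header at all (the kernel then
# falls back to an executable stack, so treat "missing" like "RWE").
gnu_stack_flags() {
    awk '$1 == "GNU_STACK" {
            # Flg column follows MemSiz; readelf prints "RW " or "RWE", but
            # tolerate a split "R E" style column as well.
            flags = $7
            if ($8 ~ /^[RWE]$/) flags = flags $8
         }
         END { print (flags == "" ? "missing" : flags) }'
}

# Print the ELF object type (EXEC, DYN, REL) from `readelf -hW` output.
# Non-PIE executables are EXEC; PIE executables and shared libraries are DYN.
elf_type() {
    awk '/^[[:space:]]*Type:/ { print $2 }'
}

# Classify from the ELF type plus whether a PT_INTERP header is present:
# a DYN object that asks for a dynamic loader is an executable, hence PIE.
classify_pie() {   # args: <elf type> <has_interp 0|1>
    case "$1:$2" in
        EXEC:*) echo no-pie ;;
        DYN:1)  echo pie ;;
        DYN:0)  echo shared-lib ;;
        *)      echo other ;;
    esac
}

# Full check on a real file. Requires binutils' readelf.
# Constructed sample readelf -lW line for a non-exec stack:
#   GNU_STACK  0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
check_binary() {
    local bin=$1 phdrs etype interp flags
    phdrs=$(readelf -lW "$bin") || return 1
    etype=$(readelf -hW "$bin" | elf_type)
    if printf '%s\n' "$phdrs" | grep -q '^[[:space:]]*INTERP'; then
        interp=1
    else
        interp=0
    fi
    flags=$(printf '%s\n' "$phdrs" | gnu_stack_flags)
    printf '%s: %s, stack=%s\n' "$bin" "$(classify_pie "$etype" "$interp")" "$flags"
}

# Usage: ./elfcheck.sh /usr/bin/* 2>/dev/null | grep -E 'no-pie|RWE|missing'
for bin in "$@"; do
    check_binary "$bin"
done
```

Run it over `/usr/bin` and `/usr/sbin` to get a first list for the execstack bug tag and for PIE candidates; anything reported as `RWE` or `missing` is worth a bug, and `no-pie` entries among the network-facing or file-parsing programs are the ones the PIE list above is about.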

== Not Interested ==
 * hardened default config (Bastille-like). Check the compatibility of debian-bastille. '''Status: reviewed. What can be done in a default install is already being done'''

== Community Participation ==
These are some ideas that came out during [[https://blueprints.launchpad.net/ubuntu/+spec/security-karmic-community-growth|the community growth meeting]] at [[UDSKarmic]]:
 * for the SecurityTeam
  * more IRC workshops
  * blog more
  * always participate in Ubuntu Developer Week
  * participate with Hall of Fame or 5-a-day
  * work even more closely with Debian
 * Encourage community involvement:
  * perhaps a "Universe packages of the week?" (only if you are also available (we'll be in #ubuntu-security on ...))
  * some focused event like suspend/resume with kernel team or maybe hug days. This could be done with apparmor profiles ('Apparmor Week')
  * participate with security documentation
  * testing
   * automated test cases could be created for each release (AutoHotkey for Windows allows replaying GUI actions to test a PoC)
   * perhaps look into applications to replay actions
  * have a ppa to pull profiles from profile repositories and make them available
  * make testing very easy
   * make-test-tarball is a start, but also need to create VMs easily. vm-tools is a start, but needs to be even easier (maybe grab an image from somewhere...)
  * talk to server team about a survey about features. many of these will likely be security features
 * Disseminating information
  * communicating the security team's needs can be handled (in part) by the community team
  * communication about needed apparmor profiles could be improved
  * maybe talk about what our needs are (eg universe, apparmor profiles, etc)
  * have [[https://launchpad.net/harvest|harvest]] better integrate with security fixes (talk to dholbach and jorge)
  * focus and ask what is keeping people from adopting Ubuntu
   * we should also identify several areas where we become experts and give all the information-- eg if a salesperson is in front of a potential client and is asked 'tell me about all your logging software' or 'tell me all the ways you handle user credentials and authentication'
 * look into USN-C (community USN) and a way to attach the name of the committer/uploader as a way to increase involvement (through better reputation)

----
CategorySecurityTeam

SecurityTeam/Roadmap (last edited 2022-01-04 22:38:06 by rodrigo-zaiden)