Security and openSUSE
securing the tumbleweed
Marcus Meißner
Technical Project Manager Security
meissner@suse.de
Overview
• The Team
• Security after releases
• Security before releases
‒ Before check-in
‒ Automations
The Maintenance Security Team
Thomas Biege: Manager
Security people:
Andreas Stieger
Marcus Meissner
Sebastian Krahmer
Victor Pereira
Alexander Bergmann
Johannes Segitz
Security for openSUSE releases
Tracking & Coordination
Timeline: for 2 openSUSE releases & 2 months lifetime
Bugzilla “SUSE Security Incidents” product
“VUL-x: CVE-xxxx-yyyy: package: short summary”
VUL-0, VUL-1, VUL-2 prefixes
Security for Tumbleweed
Multiple parts:
• Fixing security issues – usually by maintenance update
• Reviewing all the new things
• New technologies and automation
Reviews
• Users used for privilege separation
• Root can do everything
• Lots of helper methods user → root
• Desktop user should not be root by default
→ We need to review all transition paths
Allowing new DBUS and PAM modules
rpmlint direct checks:
• DBUS services
• PAM module files
• (New users and groups)
Open a bug for Security (Category Security, or assign to security-team@suse.de), use AUDIT-0 tag
Allowing new policykit rules
Policykit policies: access rights to DBUS services
Various access checking rights:
• No, Yes, auth_admin, auth_self
Depending on context:
• active session, inactive session, other users.
Handled in polkit-default-privs package, checked by rpmlint.
Open an AUDIT-0 bug if shown in rpmlint output.
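An added example (not part of the talk or of the polkit-default-privs package) of the triage a reviewer does on a submitted privilege file: it parses entries and lists those that grant access to the "any" or "inactive" context without admin authentication, or an unconditional "yes" to the active session. The line format `<action> <any>:<inactive>:<active>` (or one value for all three) and the sample actions are assumptions.

```python
# Access values the slide lists, plus the *_keep variants the file format also
# accepts. The number ranks how permissive a value is (higher = more access).
STRENGTH = {"no": 0, "auth_admin": 1, "auth_admin_keep": 1,
            "auth_self": 2, "auth_self_keep": 2, "yes": 3}

# Constructed sample in the assumed polkit-default-privs line format:
# "<action> <any>:<inactive>:<active>" or a single value applied to all three.
SAMPLE = """\
# comment lines and blank lines are ignored
org.example.backup.run            auth_admin:auth_admin:auth_admin
org.example.power.suspend         auth_admin:auth_admin:yes
org.example.printer.configure     yes
org.example.network.modify        no:no:auth_self
"""

def parse_privs(text):
    """Return {action: (any, inactive, active)} from privilege file text."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError("bad entry: " + line)
        action, value = fields
        parts = value.split(":")
        if len(parts) == 1:                 # shorthand: same rule for all contexts
            parts = parts * 3
        if len(parts) != 3 or any(p not in STRENGTH for p in parts):
            raise ValueError("bad entry: " + line)
        entries[action] = tuple(parts)
    return entries

def review_findings(entries):
    """List (action, context, value) tuples a security review would question:
    more than auth_admin for the 'any' or 'inactive' context (other users,
    remote or locked sessions), or a blanket 'yes' for the active session."""
    findings = []
    for action, (any_ctx, inactive, active) in sorted(entries.items()):
        if STRENGTH[any_ctx] > STRENGTH["auth_admin"]:
            findings.append((action, "any", any_ctx))
        if STRENGTH[inactive] > STRENGTH["auth_admin"]:
            findings.append((action, "inactive", inactive))
        if active == "yes":
            findings.append((action, "active", active))
    return findings
```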
Approving new setuid/setgid things
brp-permissions finds:
• New setuid binaries
• New setgid/setuid directories
• World writable directories
Approval handled in permissions package, also via AUDIT-0 bugs.
.spec files need adjustments to add setting / verification of permissions.
Starting daemons by default
Systemd uses “presets” for auto starting services on boot.
These presets live in systemd-presets-branding-openSUSE.
Maintained by the security team; we review the submit requests.
Goal: keep the set minimal
Auditing – no magic silver bullet
• Manual work
• Needs experience
• Helper tools
• 1 – 2 per week/engineer
• Look at specific parts only
Automation and technologies
Security technologies for improving system security
Integration criteria:
• Status
• Number of false positives / negatives
• Ease of integration to Tumbleweed
• Performance & Usability
Compiler checks - FORTIFY_SOURCE
Lightweight buffer overflow checking, consisting of:
• Compile time warnings
• Runtime aborts
Used for glibc standard functions like strcpy, memcpy, and similar functions that take buffers.
CPPFLAGS="-D_FORTIFY_SOURCE=2"
Default for several years.
Compiler checks - -fstack-protector
Heuristic stack overflow detection
Uses a random stack “canary” that is checked on function exit.
To enable:
CFLAGS += "-fstack-protector" (-all, -strong)
Status: enabled for several years
Address Space Layout Randomization
Randomize all the address space!
Stack, libraries, mmaps, vdso: for quite some years
Main binary and heap: Need to build with “PIE” mode.
Future: Build Factory with PIE
Selected packages are built with PIE support enabled already.
Enable: CFLAGS+="-fPIE" LDFLAGS+="-pie"
Enable all the packages!
Status: WIP in openSUSE:Factory:Staging:PIE
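The three build-time measures above (FORTIFY_SOURCE, -fstack-protector, PIE) each leave a trace in the produced ELF file, and checking for those traces is how a reviewer verifies that a package really was built with them. The following added example (not from the talk or from any openSUSE tool) reads the ELF header and symbol strings and reports all three; the minimal ELF image it builds for testing is constructed and not loadable.

```python
import re
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3

def build_sample(e_type, extra=b""):
    """Assemble a minimal, constructed ELF64 little-endian image for tests:
    64-byte header with the given e_type, followed by raw bytes standing in
    for the dynamic string table."""
    ident = ELF_MAGIC + bytes([2, 1, 1]) + b"\0" * 9     # EI_CLASS=64, EI_DATA=LSB, EI_VERSION=1
    header = ident + struct.pack("<HHI", e_type, 62, 1) + b"\0" * 40  # e_type, e_machine=x86-64, e_version
    return header + extra

def audit_elf_bytes(data):
    """Report which hardening measures are visible in an ELF image.
    Returns None for a non-ELF input, else a dict of booleans."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        return None
    endian = "<" if data[5] == 1 else ">"                # EI_DATA selects byte order
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return {
        # Randomizing the main binary needs ET_DYN; an ET_EXEC file cannot be
        # PIE. Shared libraries are ET_DYN too, so only judge main executables.
        "pie": e_type == ET_DYN,
        # -fstack-protector references the canary failure handler in any
        # binary where at least one function received a canary.
        "stack_protector": b"__stack_chk_fail" in data,
        # _FORTIFY_SOURCE rewrites strcpy/memcpy/... into their *_chk variants,
        # so an import such as __memcpy_chk shows the check is in effect.
        "fortify": re.search(rb"__[a-z_]+_chk\0", data) is not None,
    }

def audit_elf_file(path):
    with open(path, "rb") as f:
        return audit_elf_bytes(f.read())

if __name__ == "__main__":
    import sys
    print(audit_elf_file(sys.argv[1]))
```

A "fortify" result of False on a binary that never calls a fortifiable glibc function is expected, not a defect; the string-table search is a quick review check, not a proof.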
Apparmor and SELinux
Apparmor:
• Well integrated for years
• Suited only for server scenarios
SELinux
• Tools present
• No well working policies at this time
• Complex
Future: Enable Address Sanitizer
Newer compilers have “Sanitizer” modules for dynamic runtime checking modes.
AddressSanitizer: Reliable array overflow checking.
Enable: CFLAGS+="-fsanitize=address"
Status: Evaluated by Victor Pereira
Future: Other sanitizers
• ThreadSanitizer: -fsanitize=thread
New with GCC 5:
• UndefinedBehaviourSanitizer (-fsanitize= … )
‒ Float-divide-by-zero
‒ Float-cast-overflow
‒ Bounds
‒ Alignment
‒ Object-size
‒ Vptr
• Pointer Bounds Checker (-fcheck-pointer-bounds)
Fuzzers - AFL
AFL (American Fuzzy Lop)
Developer tool, not for common usage
Optimized for speed of execution and enhancing coverage
Fuzzing examples:
• File formats
• Other direct data input (even TLS)
How can you help?
• Install online updates!
• If you see something security related, speak up.
‒ (if it has a CVE id we probably know it already though)
• Program securely
• Help fix security issues for openSUSE!

opensuse conference 2015: security processes and technologies for Tumbleweed