
Alex Murray
on 27 June 2022

What’s new in Security for Ubuntu 22.04 LTS?


Canonical Ubuntu 22.04 LTS is the latest long term support release of Ubuntu, one of the world’s most popular Linux distributions. As a Long Term Support release, Ubuntu 22.04 LTS will be supported for 10 years, receiving both extended security updates and kernel livepatching via an Ubuntu Advantage subscription (which is free for personal use). This continues the benchmark of Ubuntu LTS releases serving as the most secure foundation on which to both develop and deploy Linux applications and services. In this blog post, we take a look at the various security features and enhancements that have gone into this new release since the Ubuntu 20.04 LTS release. For a more detailed examination of some of these features, be sure to check out the previous articles in this series which cover the improvements delivered across each interim release of Ubuntu in the past 2 years between 20.04 LTS and 22.04 LTS.

Optimised Linux kernels

Ubuntu 22.04 LTS introduces optimised kernel versions for different platforms. For OEM certified desktop devices, the upstream v5.17 kernel is used as the baseline, whilst all other desktop and server platforms are based on the v5.15 kernel. A huge number of changes and security enhancements have gone into the Linux kernel since the v5.4 kernel of Ubuntu 20.04 LTS, including:

Hardware specific security enhancements

Intel’s Software Guard eXtensions (SGX) provides hardware-backed secure enclaves which applications can use to either store sensitive data or perform sensitive computation without the risk of interference from untrusted components. Ubuntu 22.04 LTS enables support for this feature, which has been present in Intel processors for a number of years. For ARM platforms, support for the Armv8.5 Memory Tagging Extension (MTE) is now available on ARM64 devices. This feature aims to prevent memory safety issues by tagging memory addresses with a key that cannot easily be forged, and so preventing common memory safety attacks such as buffer overflows. Userspace processes can now enable memory tagging for chosen memory regions to aid in the prevention of memory corruption attacks. Finally, AMD Secure Encrypted Virtualisation (SEV) is also supported by the KVM virtualisation subsystem, to protect guest virtual machine registers from being accessed by the host operating system.

Generic kernel security enhancements

A number of other generic, platform independent, kernel security features are also available, including both new security features such as core scheduling, as well as various hardening improvements. Since the first microarchitectural side-channel vulnerabilities (i.e. Spectre and its relatives) were discovered over four years ago, developers have been working on a means for processes to control how they get scheduled across Symmetric Multiprocessing (SMT) cores. SMT siblings share CPU hardware resources between themselves, and so it can be quite difficult to avoid various hardware side-channel attacks as a result. Support for core scheduling is now provided, which allows processes to control which threads will be scheduled across SMT siblings and so can allow them to protect sensitive information from leaking to other untrusted processes on the system.
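To make the core scheduling interface concrete, here is an added example (it is not code from the article or from Canonical) of a process opting all of its threads into their own core-scheduling group via the PR_SCHED_CORE prctl(2) call that the v5.15 kernel exposes. Once the call succeeds, the kernel will never run a thread of another process on the sibling hyperthread of a core this process is using. The prctl constants are defined locally in case the build host's headers predate them, and the helper names are ours.

```c
// Added example (not part of the original article): a process placing all of
// its threads into their own core-scheduling group so that no thread of any
// other process is ever run on a sibling hyperthread of the same core.
// This uses the PR_SCHED_CORE prctl(2) interface from Linux 5.14+; the
// constants are defined locally in case the build host's headers are older.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>

#ifndef PR_SCHED_CORE
#define PR_SCHED_CORE            62
#define PR_SCHED_CORE_GET        0
#define PR_SCHED_CORE_CREATE     1
#define PR_SCHED_CORE_SHARE_TO   2
#define PR_SCHED_CORE_SHARE_FROM 3
#endif

/* Scope of the pid argument: one task, a whole thread group, or a process
 * group. The values mirror the kernel's enum pid_type. */
#define CORE_SCOPE_PID  0
#define CORE_SCOPE_TGID 1
#define CORE_SCOPE_PGID 2

/* Allocate a fresh core cookie and assign it to every thread of this process.
 * Returns 0 on success, 1 when the running kernel cannot do core scheduling
 * (built without CONFIG_SCHED_CORE, SMT not active, prctl too old, or the
 * call blocked by a seccomp policy), and -1 for any other failure. */
int enable_core_isolation(void)
{
    /* pid 0 means "the calling task"; the 5th argument must be 0 for CREATE. */
    if (prctl(PR_SCHED_CORE, PR_SCHED_CORE_CREATE, 0, CORE_SCOPE_TGID, 0) == 0)
        return 0;
    switch (errno) {
    case EINVAL: case ENOSYS: case ENODEV: case EPERM:
        return 1;
    default:
        return -1;
    }
}

/* Read the calling thread's cookie back; 0 means it still shares cores with
 * everyone (or the kernel has no core scheduling). */
unsigned long get_core_cookie(void)
{
    unsigned long cookie = 0;
    if (prctl(PR_SCHED_CORE, PR_SCHED_CORE_GET, 0, CORE_SCOPE_PID,
              (unsigned long)&cookie) != 0)
        return 0;
    return cookie;
}

/* Combined check: 0 = isolated and verified via GET, 1 = unsupported on this
 * kernel, -1 = CREATE succeeded but no cookie is visible (should not happen). */
int core_isolation_selfcheck(void)
{
    int rc = enable_core_isolation();
    if (rc != 0)
        return rc;
    return get_core_cookie() != 0 ? 0 : -1;
}

int main(void)
{
    switch (core_isolation_selfcheck()) {
    case 0:  printf("core scheduling enabled, cookie=%#lx\n", get_core_cookie()); return 0;
    case 1:  puts("this kernel does not offer core scheduling"); return 0;
    default: perror("PR_SCHED_CORE"); return 1;
    }
}
```

A service that handles secrets would make this call early in main(), before spawning worker threads; threads created afterwards inherit the cookie, and PR_SCHED_CORE_SHARE_TO / PR_SCHED_CORE_SHARE_FROM let cooperating processes deliberately join the same group. No capability is required, so this is available to unprivileged daemons.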

Kernel stack randomisation provides a hardening measure to frustrate attackers wishing to perform memory corruption attacks within the kernel. By placing the kernel stack at a different offset on subsequent system calls, attackers are not able to perform attacks by first leaking a kernel stack address and then subsequently overwriting this memory on a later system call. By closing off this potential attack vector Ubuntu 22.04 LTS provides a more defensive platform against kernel attacks.

The BPF subsystem has also seen a number of security enhancements, including restricting its use to only privileged processes by default, as well as the initial efforts to support signed BPF programs. Both of these measures aim to help minimise the chance that this featureful subsystem can be used for attacking the kernel, whilst still allowing it to be used by developers and system administrators alike as needed.

Finally, the inclusion of the new Landlock Linux Security Module provides another mechanism for application sandboxing to go along with the more traditional methods via either AppArmor or SELinux. Landlock allows applications to specify their own policy (and so is more akin to seccomp filters) unlike AppArmor and SELinux which are designed to allow the system administrator to configure global system policies across a range of applications. When combined with LSM stacking, Landlock can be used in conjunction with AppArmor to provide a defence-in-depth approach to application isolation.
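Because Landlock policy is set by the application itself rather than by an administrator, the natural demonstration is a program that sandboxes its own process. The following is an added example (not code from the article, Canonical or the Landlock project): it builds a "read and execute anywhere, write nowhere" ruleset, enforces it, and then proves the policy from a forked child by attempting to create a file under /tmp. The syscall numbers and the ABI v1 access bits (the set the v5.15 kernel handles) are spelled out so it builds without <linux/landlock.h>; the helper names, exit codes and probe path are ours.

```c
// Added example (not part of the original article): a process sandboxing
// itself with Landlock so it can read and execute anywhere but write nowhere,
// then proving the policy holds by trying to create a file under /tmp from a
// forked child. Syscall numbers and the ABI v1 access bits (what the 5.15
// kernel in 22.04 supports) are spelled out so this builds even where
// <linux/landlock.h> is absent; they are identical on every architecture.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define SYS_LL_CREATE_RULESET 444
#define SYS_LL_ADD_RULE       445
#define SYS_LL_RESTRICT_SELF  446
#define LL_RULE_PATH_BENEATH  1

/* Landlock ABI v1 filesystem rights occupy bits 0..12. */
#define LL_FS_EXECUTE   (1ULL << 0)
#define LL_FS_READ_FILE (1ULL << 2)
#define LL_FS_READ_DIR  (1ULL << 3)
#define LL_FS_ALL_V1    ((1ULL << 13) - 1)
#define LL_FS_READ_ONLY (LL_FS_EXECUTE | LL_FS_READ_FILE | LL_FS_READ_DIR)

struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr {
    uint64_t allowed_access;
    int32_t parent_fd;
} __attribute__((packed));

/* Exit codes reported by the sandboxed child (values chosen for this example). */
enum { SANDBOX_ENFORCED = 0, SANDBOX_UNEXPECTED = 1,
       SANDBOX_UNSUPPORTED = 42, SANDBOX_SETUP_FAILED = 43 };

/* Enforce "read-only everywhere" on the calling process. Returns 0 on
 * success, 1 if this kernel offers no Landlock (or the syscalls are blocked),
 * and -1 on any other error. The restriction cannot be undone afterwards. */
int landlock_read_only_self(void)
{
    struct ll_ruleset_attr attr = { .handled_access_fs = LL_FS_ALL_V1 };
    int ruleset = (int)syscall(SYS_LL_CREATE_RULESET, &attr, sizeof(attr), 0);
    if (ruleset < 0)
        return (errno == ENOSYS || errno == EOPNOTSUPP || errno == EPERM) ? 1 : -1;

    /* A single rule: everything beneath "/" keeps only the read/execute rights;
     * every other handled right (all the write/create/remove bits) is denied. */
    struct ll_path_beneath_attr rule = { .allowed_access = LL_FS_READ_ONLY };
    rule.parent_fd = open("/", O_PATH | O_CLOEXEC);
    int rc = rule.parent_fd < 0 ? -1
           : (int)syscall(SYS_LL_ADD_RULE, ruleset, LL_RULE_PATH_BENEATH, &rule, 0);
    if (rule.parent_fd >= 0)
        close(rule.parent_fd);
    /* Landlock refuses to restrict a task that could still gain privileges. */
    if (rc == 0)
        rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
    if (rc == 0)
        rc = (int)syscall(SYS_LL_RESTRICT_SELF, ruleset, 0);
    close(ruleset);
    return rc == 0 ? 0 : -1;
}

/* Fork a child that sandboxes itself and then tries to create a file. Returns
 * the child's exit code (a SANDBOX_* value) or -1 if fork/wait itself fails. */
int run_sandbox_probe(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int rc = landlock_read_only_self();
        if (rc == 1) _exit(SANDBOX_UNSUPPORTED);
        if (rc < 0)  _exit(SANDBOX_SETUP_FAILED);
        int fd = open("/tmp/landlock-probe.txt", O_WRONLY | O_CREAT | O_CLOEXEC, 0600);
        if (fd < 0 && errno == EACCES)
            _exit(SANDBOX_ENFORCED);   /* expected: MAKE_REG / WRITE_FILE denied */
        if (fd >= 0) { close(fd); unlink("/tmp/landlock-probe.txt"); }
        _exit(SANDBOX_UNEXPECTED);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = run_sandbox_probe();
    printf("probe result %d: %s\n", r,
           r == SANDBOX_ENFORCED ? "write denied by Landlock" :
           r == SANDBOX_UNSUPPORTED ? "Landlock unavailable on this kernel" : "unexpected");
    return (r == SANDBOX_ENFORCED || r == SANDBOX_UNSUPPORTED) ? 0 : 1;
}
```

Two details matter in practice. The handled_access_fs mask must cover every right you intend to deny, since anything not handled stays unrestricted, and you can only grant rights from that mask via path rules. And because the restriction is inherited across fork and exec but never lifted, a real program applies it after opening the files it needs, which is exactly the per-application, self-imposed character the text contrasts with AppArmor and SELinux.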

Userspace security enhancements

With each new Ubuntu release, there is the opportunity to refresh the range of software packages provided within the Ubuntu archive to their latest upstream releases. Ubuntu 22.04 LTS is no exception, bringing updates to a number of security relevant packages including OpenSSL, OpenSSH, nftables, gcc and even the humble bash shell.

OpenSSL 3

Ubuntu 22.04 LTS ships with the latest major release of the venerable cryptography toolkit, OpenSSL. In OpenSSL 3, many legacy algorithms have been deprecated and disabled by default – including MD2 and DES. These and other deprecated algorithms are instead present in the legacy provider, which can be enabled as needed either via a configuration change or programmatically. By disabling these by default, users and applications are protected against cryptographic attacks against these less secure algorithms.
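As an added example (not from the article or from the OpenSSL project), the following openssl.cnf fragment shows the configuration route to loading the legacy provider next to the default one, using the conventional section names. Pointing the OPENSSL_CONF environment variable at a file like this for the one application that still needs a legacy algorithm keeps those algorithms disabled for everything else on the system; the file path is an assumption.

```ini
# Added example (not from the original article): /etc/ssl/openssl-legacy.cnf,
# a config used only by the single application that still needs a legacy
# algorithm, via: OPENSSL_CONF=/etc/ssl/openssl-legacy.cnf <application>
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
# Keep the default provider active: without it, only legacy algorithms
# would be available and modern TLS would stop working.
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
```

Running `openssl list -providers` with the same OPENSSL_CONF set confirms both providers are loaded, and running it without confirms the system default still has only the default provider active.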

OpenSSH UX improvements for FIDO/U2F tokens

Another mainstay of the Linux security ecosystem is OpenSSH, providing secure remote shell access to Linux systems. Seven releases of OpenSSH have occurred since version 8.2 was included in the previous Ubuntu 20.04 LTS release, bringing a range of improvements for system administrators, developers and users alike. In particular, the use of U2F/FIDO hardware security tokens has been greatly improved in OpenSSH 8.9, bringing significant user-experience benefits when using these second-factor authentication devices for remote access.

nftables as the default firewall backend

Firewalling on Linux consists of two components – the firewall mechanism within the Linux kernel, and the tools used to configure this from userspace. The Linux kernel has traditionally supported two different subsystems for firewall policies – iptables / xtables and the newer nftables. nftables brings significant benefits both in terms of performance and flexibility when creating and deploying firewall rules, particularly for dual stack IPv4/IPv6 systems. The traditional iptables userspace management tool now configures the nftables kernel backend, whilst the new nft userspace tool is also present to allow the creation of more flexible rules not supported by the traditional iptables paradigm.
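The dual-stack benefit is easiest to see in an actual ruleset. The following is an added example for the nft tool (not a ruleset from the article or from Ubuntu): a minimal host firewall in which one table of the inet family covers IPv4 and IPv6 together, where the iptables paradigm needed matching iptables and ip6tables rule sets kept in sync by hand. The SSH port and the connection rate limit are assumptions for the example.

```nft
# Added example (not from the original article): minimal dual-stack host
# firewall. Load with `nft -f` and inspect with `nft list ruleset`.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to our own connections, and traffic on loopback.
        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # One line handles both ICMP (v4) and ICMPv6, which neighbour
        # discovery and path MTU discovery depend on.
        meta l4proto { icmp, ipv6-icmp } accept

        # Inbound SSH, throttled to slow brute-force attempts (assumed port/rate).
        tcp dport 22 ct state new limit rate 10/minute accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

On Ubuntu 22.04 LTS the same kernel backend is populated whether rules arrive via this file or via the iptables compatibility tools, so `nft list ruleset` is the place to audit what is actually enforced regardless of which tool wrote it.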

GCC 11 and Bash 5.1

GCC 11.2 brings enhanced static analysis capabilities, allowing developers to detect and remediate potential software vulnerabilities and other issues during the development cycle. This includes support for detecting possible use-after-free, NULL pointer dereference, memory leak and unsafe calls from within signal handler conditions. By using Ubuntu 22.04 LTS as the basis for their development platforms, software developers can help ensure the code they write is as correct and defect-free as possible.

Developers and systems-administrators alike will also benefit from the inclusion of Bash 5.1. This release of the venerable shell includes native support for improved pseudo-random number generation via the $SRANDOM variable. Unlike the historical $RANDOM variable, $SRANDOM is derived from the kernel’s /dev/urandom secure random source device, ensuring that its output cannot be easily predicted by potential attackers.

Private home directories

Traditionally Ubuntu systems have opted for the convenience of shared access to users’ home directories, supporting use-cases such as shared PCs in university and home environments. However, as the technology landscape has evolved, and Ubuntu has become dominant in other domains such as cloud computing and the internet of things (IoT), a more defensive approach is now deemed necessary to protect users and their data. Ubuntu 22.04 LTS now enables private home directories by default, ensuring that a user’s data is not accessible to others without their explicit permission.

In total, the range of security improvements in Ubuntu 22.04 LTS makes it the most secure Ubuntu release to date by leveraging and building upon the various other hardening and security features which have long been a core part of Ubuntu. In addition, security updates and kernel livepatching for 22.04 LTS are both provided for ten years via an Ubuntu Advantage subscription, continuing the benchmark of Ubuntu LTS releases serving as the most secure foundation on which to both develop and deploy Linux applications and services.
