Canonical Ubuntu 22.04 LTS is the latest long term support release of Ubuntu, one of the world’s most popular Linux distributions. As a Long Term Support release, Ubuntu 22.04 LTS will be supported for 10 years, receiving both extended security updates and kernel livepatching via an Ubuntu Advantage subscription (which is free for personal use). This continues the benchmark of Ubuntu LTS releases serving as the most secure foundation on which to both develop and deploy Linux applications and services. In this blog post, we take a look at the various security features and enhancements that have gone into this new release since the Ubuntu 20.04 LTS release. For a more detailed examination of some of these features, be sure to check out the previous articles in this series which cover the improvements delivered across each interim release of Ubuntu in the past 2 years between 20.04 LTS and 22.04 LTS.
Optimised Linux kernels
Ubuntu 22.04 LTS introduces optimised kernel versions for different platforms. For OEM certified desktop devices, the upstream v5.17 kernel is used as the baseline, whilst all other desktop and server platforms are based on the v5.15 kernel. A huge number of changes and security enhancements have gone into the Linux kernel since the v5.4 kernel of Ubuntu 20.04 LTS, including:
Hardware specific security enhancements
Intel’s Software Guard eXtensions (SGX) provide hardware-backed secure enclaves which applications can use either to store sensitive data or to perform sensitive computation without the risk of interference from untrusted components. Ubuntu 22.04 LTS enables support for this feature, which has been present in Intel processors for a number of years. On ARM platforms, support for the Armv8.5 Memory Tagging Extension (MTE) is now available on ARM64 devices. This feature aims to prevent memory safety issues by tagging memory addresses with a key that cannot easily be forged, thereby preventing common memory safety attacks such as buffer overflows. Userspace processes can now enable memory tagging for chosen memory regions to aid in the prevention of memory corruption attacks. Finally, AMD Secure Encrypted Virtualisation (SEV) is also supported by the KVM virtualisation subsystem, to protect guest virtual machine registers from being accessed by the host operating system.
Generic kernel security enhancements
A number of other generic, platform-independent kernel security features are also available, including new security features such as core scheduling as well as various hardening improvements. Since the first microarchitectural side-channel vulnerabilities (i.e. Spectre etc.) were discovered over 4 years ago, developers have been working on a means for processes to control how they get scheduled across Simultaneous Multithreading (SMT) siblings. SMT siblings share CPU hardware resources between themselves, which makes various hardware side-channel attacks quite difficult to avoid. Support for core scheduling is now provided, which allows processes to control which threads may be scheduled together on SMT siblings, and so lets them protect sensitive information from leaking to other untrusted processes on the system.
Kernel stack randomisation provides a hardening measure to frustrate attackers wishing to perform memory corruption attacks within the kernel. By placing the kernel stack at a different offset on subsequent system calls, attackers are not able to perform attacks by first leaking a kernel stack address and then subsequently overwriting this memory on a later system call. By closing off this potential attack vector Ubuntu 22.04 LTS provides a more defensive platform against kernel attacks.
The BPF subsystem has also seen a number of security enhancements, including restricting its use to privileged processes only by default, as well as initial efforts to support signed BPF programs. Both of these measures aim to minimise the chance that this featureful subsystem can be used to attack the kernel, whilst still allowing developers and system administrators alike to use it as needed.
Finally, the inclusion of the new Landlock Linux Security Module provides another mechanism for application sandboxing to go along with the more traditional methods via either AppArmor or SELinux. Landlock allows applications to specify their own policy (and so is more akin to seccomp filters) unlike AppArmor and SELinux which are designed to allow the system administrator to configure global system policies across a range of applications. When combined with LSM stacking, Landlock can be used in conjunction with AppArmor to provide a defence-in-depth approach to application isolation.
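What "applications specify their own policy" looks like in practice, as an added example that is not part of the Canonical post or of the Landlock project: a process builds a ruleset that handles every ABI v1 filesystem right, grants read-only access beneath a single directory, and enforces it on itself with landlock_restrict_self(2). The syscall numbers, flag values and struct layouts are the real Landlock ABI v1 ones (redeclared with ll_ names so the example builds against older headers); the temp directories, file names and helper functions sandbox_and_probe, landlock_demo and landlock_self_check are constructed for the example. The probe runs in a forked child so the calling process itself stays unconfined.

```c
/* Added example, not Canonical's or Landlock's code: a minimal self-imposed
 * Landlock sandbox probed with constructed temp files. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Landlock ABI v1 values from include/uapi/linux/landlock.h, redeclared with
 * ll_ names so the example also builds against libc headers that predate it. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH      1
#define LL_FS_READ_FILE           (1ULL << 2)
#define LL_FS_READ_DIR            (1ULL << 3)
#define LL_FS_ALL_V1              ((1ULL << 13) - 1)  /* EXECUTE ... MAKE_SYM */
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

enum ll_result { LL_ENFORCED = 0, LL_POLICY_MISMATCH = 1, LL_UNSUPPORTED = 2, LL_SETUP_FAILED = 3 };

/* Child side: confine this process to read-only access beneath allowed_dir,
 * then probe the policy. The return value becomes the child's exit status. */
static int sandbox_and_probe(const char *allowed_dir, const char *allowed_file,
                             const char *outside_file)
{
    struct ll_ruleset_attr attr = { .handled_access_fs = LL_FS_ALL_V1 };
    struct ll_path_beneath_attr rule = { .allowed_access = LL_FS_READ_FILE | LL_FS_READ_DIR };

    /* Version probe: ENOSYS/EOPNOTSUPP without Landlock, EPERM under a seccomp filter. */
    if (syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION) < 0)
        return LL_UNSUPPORTED;
    /* As with seccomp, no_new_privs is required unless the caller has CAP_SYS_ADMIN. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return LL_SETUP_FAILED;
    int ruleset_fd = syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    rule.parent_fd = open(allowed_dir, O_PATH | O_CLOEXEC);
    if (ruleset_fd < 0 || rule.parent_fd < 0 ||
        syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &rule, 0) != 0 ||
        syscall(__NR_landlock_restrict_self, ruleset_fd, 0) != 0)
        return LL_SETUP_FAILED;
    close(rule.parent_fd);
    close(ruleset_fd);

    /* From here on the policy is enforced and this process can never relax it. */
    int fd = open(allowed_file, O_RDONLY);
    if (fd < 0) return LL_POLICY_MISMATCH;                            /* read inside tree must work */
    close(fd);
    if (open(allowed_file, O_WRONLY) >= 0) return LL_POLICY_MISMATCH;  /* write was never granted */
    if (open(outside_file, O_RDONLY) >= 0) return LL_POLICY_MISMATCH;  /* outside the allowed tree */
    return errno == EACCES ? LL_ENFORCED : LL_POLICY_MISMATCH;
}

static int write_text(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Parent side: create the constructed files, run the probe in a forked child so
 * the caller stays unconfined, clean up, and return the child's verdict. */
enum ll_result landlock_demo(void)
{
    char allowed_dir[] = "/tmp/ll-allowed-XXXXXX", outside_dir[] = "/tmp/ll-outside-XXXXXX";
    char allowed_file[64], outside_file[64];
    enum ll_result result = LL_SETUP_FAILED;
    int status;

    if (mkdtemp(allowed_dir) == NULL) return LL_SETUP_FAILED;
    if (mkdtemp(outside_dir) == NULL) { rmdir(allowed_dir); return LL_SETUP_FAILED; }
    snprintf(allowed_file, sizeof allowed_file, "%s/config.txt", allowed_dir);
    snprintf(outside_file, sizeof outside_file, "%s/secret.txt", outside_dir);
    if (write_text(allowed_file, "public\n") == 0 && write_text(outside_file, "secret\n") == 0) {
        pid_t pid = fork();
        if (pid == 0)
            _exit(sandbox_and_probe(allowed_dir, allowed_file, outside_file));
        if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
            result = (enum ll_result)WEXITSTATUS(status);
    }
    unlink(allowed_file); unlink(outside_file); rmdir(allowed_dir); rmdir(outside_dir);
    return result;
}

/* 1 when the kernel enforced the policy exactly as built, or has no Landlock at all. */
int landlock_self_check(void)
{
    enum ll_result r = landlock_demo();
    return r == LL_ENFORCED || r == LL_UNSUPPORTED;
}
```

Two design points worth noting: handled_access_fs lists every right the policy wants to govern, so anything not explicitly granted by a rule is denied (a deny-by-default model), and path resolution through parent directories stays allowed, so the read of config.txt succeeds even though /tmp itself is not in the ruleset. Because the restriction is one-way, a real application applies it after opening whatever it needs and before touching untrusted input.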
Userspace security enhancements
With each new Ubuntu release, there is the opportunity to refresh the range of software packages provided within the Ubuntu archive to their latest upstream releases. Ubuntu 22.04 LTS is no exception, bringing updates to a number of security relevant packages including OpenSSL, OpenSSH, nftables, gcc and even the humble bash shell.
Ubuntu 22.04 LTS ships with the latest major release of the venerable cryptography toolkit, OpenSSL. In OpenSSL 3, many legacy algorithms have been deprecated and disabled by default – including MD2 and DES. These and other deprecated algorithms are instead present in the legacy provider, which can be enabled as needed either via a configuration change or programmatically. By disabling these by default, users and applications are protected against cryptographic attacks against these less secure algorithms.
OpenSSH UX improvements for FIDO/U2F tokens
Another mainstay of the Linux security ecosystem is OpenSSH, providing secure remote shell access to Linux systems. Seven releases of OpenSSH have occurred since version 8.2 was included in the previous Ubuntu 20.04 LTS release, bringing a range of improvements for system administrators, developers and users alike. In particular, the use of U2F/FIDO hardware security tokens has been greatly improved in OpenSSH 8.9, bringing significant user-experience benefits when using these second-factor authentication devices for remote access.
nftables as the default firewall backend
Firewalling on Linux consists of two components – the firewall mechanism within the Linux kernel, and the tools used to configure this from userspace. The Linux kernel has traditionally supported two different subsystems for firewall policies – iptables / xtables and the newer nftables. nftables brings significant benefits both in terms of performance and flexibility when creating and deploying firewall rules, particularly for dual stack IPv4/IPv6 systems. The traditional iptables userspace management tool now configures the nftables kernel backend, whilst the new nft userspace tool is also present to allow the creation of more flexible rules not supported by the traditional iptables paradigm.
GCC 11 and Bash 5.1
GCC 11.2 brings enhanced static analysis capabilities, allowing developers to detect and remediate potential software vulnerabilities and other issues during the development cycle. This includes support for detecting possible use-after-free, NULL pointer dereference and memory leak conditions, as well as unsafe calls made from within signal handlers. By using Ubuntu 22.04 LTS as the basis for their development platforms, software developers can help ensure the code they write is as correct and defect-free as possible.
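To make the use-after-free detection concrete, here is an added example (not code from the Canonical post or from GCC) of the classic linked-list release loop that reads a node's successor after freeing it, next to the corrected form. Building the file with the real flag `gcc -fanalyzer -c list.c` is how the analyser is invoked; the list type and the function names list_push, list_free_buggy, list_free and build_and_free_demo are constructed for the example, and the defective function is kept only as the "before" snippet and is never called.

```c
/* Added example, not Canonical's or GCC's code: a use-after-free pattern for
 * `gcc -fanalyzer` beside its fix. The buggy variant is never executed. */
#include <stdlib.h>

struct node { int value; struct node *next; };

/* Prepend a value; returns the new head, or NULL if allocation failed
 * (in which case the caller's existing list is untouched). */
struct node *list_push(struct node *head, int value)
{
    struct node *n = malloc(sizeof *n);
    if (n == NULL) return NULL;
    n->value = value;
    n->next = head;
    return n;
}

/* Defective "before" version: the loop increment evaluates n->next after
 * free(n) has released the node, the pattern -Wanalyzer-use-after-free
 * (enabled by -fanalyzer) is designed to report. Kept for comparison only. */
size_t list_free_buggy(struct node *head)
{
    size_t freed = 0;
    for (struct node *n = head; n != NULL; n = n->next) {  /* n->next read after free */
        free(n);
        freed++;
    }
    return freed;
}

/* Corrected version: capture the successor before releasing the node. */
size_t list_free(struct node *head)
{
    size_t freed = 0;
    while (head != NULL) {
        struct node *next = head->next;
        free(head);
        head = next;
        freed++;
    }
    return freed;
}

/* Builds a three-element constructed list and releases it with the corrected
 * routine; returns the number of nodes freed (3), or 0 on allocation failure. */
size_t build_and_free_demo(void)
{
    struct node *head = NULL;
    for (int i = 1; i <= 3; i++) {
        struct node *n = list_push(head, i);
        if (n == NULL) { list_free(head); return 0; }
        head = n;
    }
    return list_free(head);
}
```

The analyser works at compile time on the source alone, so it flags list_free_buggy even though nothing calls it; adding `-fanalyzer` to a project's CFLAGS in CI is therefore a cheap way to catch this class of defect before the code ever runs.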
Developers and system administrators alike will also benefit from the inclusion of Bash 5.1. This release of the venerable shell includes native support for improved pseudo-random number generation via the $SRANDOM variable. Unlike the historical $RANDOM variable, $SRANDOM is derived from the kernel’s /dev/urandom secure random source, ensuring that its output cannot be easily predicted by potential attackers.
Private home directories
Traditionally, Ubuntu systems have opted for the convenience of shared access to users’ home directories, supporting use cases such as shared PCs in university and home environments. However, as the technology landscape has evolved, and Ubuntu has become dominant in other domains such as cloud computing and the Internet of Things (IoT), a more defensive approach is now deemed necessary to protect users and their data. Ubuntu 22.04 LTS now enables private home directories by default, ensuring that a user’s data is not accessible to others without their explicit permission.
In total, the range of security improvements in Ubuntu 22.04 LTS makes it the most secure Ubuntu release to date by leveraging and building upon the various other hardening and security features which have long been a core part of Ubuntu. In addition, security updates and kernel livepatching for 22.04 LTS are both provided for ten years via an Ubuntu Advantage subscription, continuing the benchmark of Ubuntu LTS releases serving as the most secure foundation on which to both develop and deploy Linux applications and services.