kASLR incorrectly described as disabled by default in Security/Features

Bug #1912614 reported by lo-na-aleim
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ubuntu-docs (Ubuntu)
Undecided
Unassigned

Bug Description

According to: https://wiki.ubuntu.com/Security/Features kASLR is disabled by default. Additionally,
it is reported that enabling kASLR will disable the ability to hibernate.

I think that this is no longer true, but I don't want to edit the wiki without clarifying some details.
I discovered the active kASRL when I spun up a qemu vm with Ubuntu 20.04, all defaults and ran volatility3 on a memory dump. On the vm itself the kernel params do not mention kASLR / Kernel hardening:

cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-5.4.0-58-generic root=UUID=eb6426f9-969b-4ce8-a690-ef87e410d5bf ro quiet splash vt.handoff=7

I also found this somewhere as a supposedly reliable way to tell if kASLR is on:
cat /proc/sys/kernel/randomize_va_space
2

I asked a colleague who runs his ubuntu 20.04 directly on his laptop for his cmdline and randomize_va_space, same results. He said he did not knowingly touch any settings regarding kASLR.

Now, it seems like at some point kASLR became on by default. But I am not really sure whether it still affects hibernation? I can't find anything reliable on the wiki. My colleague is not sure whether he disabled hibernation for different reasons or whether it was disabled in the first place and I don't want to use my vm as reference, since its not necessarily a "typical environment".

Note, the answers here should be updated as well, since checking the kernel params will no longer be reliable. https://askubuntu.com/questions/704640/how-to-detect-in-runtime-is-kaslr-enabled-or-disabled

description: updated
Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

Thanks for your report! However, the ubuntu-docs package is for the Ubuntu desktop guide, and not for that wiki page you mentioned.

I would suggest that you get in touch with members of <https://launchpad.net/~ubuntu-security> to discuss possible changes of the page. I also subscribed that team to this bug report, which possibly will help.

Keeping this bug open for now, even if the "Affects" info is not correct.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks for the corrections, lo-na-aleim. We've updated the wiki page to reflect the KASLR features as they stand currently.

This wiki page is programmatically constructed: hand edits wouldn't survive in the long run.

Note that the /proc/sys/kernel/randomize_va_space controls whether or not the brk address space within userspace processes should be randomized. Quoting from the Linux kernel source file init/Kconfig:

          Randomizing heap placement makes heap exploits harder, but it
          also breaks ancient binaries (including anything libc5 based).
          This option changes the bootup default to heap randomization
          disabled, and can be overridden at runtime by setting
          /proc/sys/kernel/randomize_va_space to 2.

I don't know off-hand a reliable programmatic tool available to determine that the kernel has booted into a randomized base location, or whether it randomizes memory slabs, etc. The /boot/config* files by convention show the configuration of the kernel, but local administrators may not observe this convention if they replace the kernel.

Thanks

Changed in ubuntu-docs (Ubuntu):
status: New → Fix Released
Revision history for this message
lo-na-aleim (lo-na-aleim) wrote :

Thanks a lot,

Sorry for reaching out in the wrong place. I guess the right place for this would have been the mailing list?
I started from: https://wiki.ubuntu.com/DocumentationTeam/SystemDocumentation
Section "How can I help?" gave me the impression that Proof-reading and continuing with "Send in a bug report" (https://help.ubuntu.com/community/ReportingBugs) was the way of communicating errors in the wiki.

Regarding checking the status of kASLR:
I guess someone techy enough to care about kASLR will be able to work with the Solutions provided by @crass here: https://askubuntu.com/questions/704640/how-to-detect-in-runtime-is-kaslr-enabled-or-disabled :)

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

On 2021-01-22 14:09, lo-na-aleim wrote:
> Sorry for reaching out in the wrong place.

No problem.

> I guess the right place for this would have been the mailing list?

Yeah, maybe..

> I started from:
> https://wiki.ubuntu.com/DocumentationTeam/SystemDocumentation Section
> "How can I help?" gave me the impression that Proof-reading and
> continuing with "Send in a bug report"
> (https://help.ubuntu.com/community/ReportingBugs) was the way of
> communicating errors in the wiki.

TBH the information about how to point out errors in or discuss various sets of documentation leaves room for improvement. Hopefully we'll find the resources to do something about that going forward.

Revision history for this message
lo-na-aleim (lo-na-aleim) wrote :

> TBH the information about how to point out errors in or discuss various sets of documentation leaves room for improvement. Hopefully we'll find the resources to do something about that going forward.

I actually enjoy writing stuff like that. If you point me to someone with more context whom I can pester with my questions, I will try to carve out the time to write it down. Being an "outsider" might actually give me an advantage here.

Revision history for this message
Seth Arnold (seth-arnold) wrote : Re: [Bug 1912614] Re: kASLR incorrectly described as disabled by default in Security/Features

On Fri, Jan 22, 2021 at 01:09:13PM -0000, lo-na-aleim wrote:
> Sorry for reaching out in the wrong place. I guess the right place for this would have been the mailing list?
> I started from: https://wiki.ubuntu.com/DocumentationTeam/SystemDocumentation

Actually, thanks for this, I'll amend the script that emits the page to
suggest exactly this -- the mail list, #ubuntu-hardened on
irc.freenode.net, or https://discourse.ubuntu.com/c/security/33

> I guess someone techy enough to care about kASLR will be able to work
> with the Solutions provided by @crass here:
> https://askubuntu.com/questions/704640/how-to-detect-in-runtime-is-kaslr-enabled-or-disabled
> :)

Yes, it's detailed enough that it's bound to be useful for someone who
*really* wants to get into this. :)

Thanks

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers