Operating system security is the upper bound of your application security
Meet Pal. Pal is a senior developer working at PalBank. For the next 6 months, Pal will be responsible for leading the development of the bank’s web application client, which will be used daily by millions of customers.
Pal invests considerable effort into designing and implementing the most secure app reasonably achievable: tightly controlled and secure development, build and deployment pipelines, static code analysis, pen-testing by external parties, multi-factor authentication to access the app and encrypting data at rest. And the list goes on!
Pal’s the best, isn’t he? Unfortunately, while such efforts are essential, they are insufficient! And even if we assumed, for the sake of argument and humour, that the PalBank’s client web app is completely free of all known and unknown software vulnerabilities, the app’s security guarantees are bound to be threatened once consumers run it on their endpoint devices.
They will be threatened by the millions of lines of code that make up the platform's privileged system software, should any of it become malicious or compromised. In this context, system software means the operating system, the virtual machine manager (hypervisor) and all of the platform's embedded firmware.
To put it differently, it matters little if a user chooses a perfectly strong, unique password when their operating system is infected with a keylogger that leaks it to malicious third parties. Similarly, it matters little that your code has no buffer overflows if your operating system is backdoored and simply decides to leak all your customers' data to those same third parties.
So why does the security of user-level applications depend on the security of the underlying system software?
The reason is the hierarchical architecture of commodity devices: privileged system software has unrestricted access to all the resources of unprivileged user-level applications, because it controls their execution, their memory and their access to the underlying hardware. That is a feature, not a bug: it is what lets the kernel schedule, isolate and service applications at all.
Therefore, it is extremely important to consider the security posture of the operating system on endpoint devices, and to use the most secure operating system you reasonably can.
Enter Linux
Linux refers to a group of operating systems which are built from open-source software and the Linux kernel, bundled together into a Linux distribution. In 2004, Mark Shuttleworth founded Canonical to produce the Ubuntu distribution, and Canonical has published a new Ubuntu release every 6 months since then.
Open source means that the software is published with a licence that allows anyone to look at the source code, modify and distribute it as they wish. It’s typically developed in a collaborative fashion by coders from around the world. There are numerous variations of open-source licences, but they all generally permit this model of open collaboration and distribution.
Linux is equally at home powering a laptop as running a mission-critical application in the cloud or on your servers. The Linux kernel is the beating heart of the operating system, but it runs behind the scenes – all the applications that we use every day, such as a web browser, email program, card games, developer tools etc, run on top of the kernel.
They are developed by separate groups, and it is then up to a publisher like Canonical to bundle all the software that people might need into a single, secure Linux distribution; Ubuntu provides many thousands of the most popular applications and software packages in the latest release, Jammy Jellyfish (22.04 LTS).
A new version of Ubuntu is released every 6 months, in April and October, with a friendly name (e.g. Bionic Beaver) and a release number reflecting the year and month it was produced. Every two years, the April release is designated a Long Term Support version, which means that Canonical will provide updates and security fixes for software packages for 5 years. Canonical has been supporting Ubuntu in this way since 2004.
Ubuntu is published in 3 editions: Desktop, Server, and Core (for IoT devices and robots). Over 3 million people run Ubuntu Desktop and over 100,000 new Ubuntu instances are launched every single day in the public cloud.
What about security?
A security vulnerability is a software flaw or bug that can be exploited to allow an adversary to gain unintended access to a system or to harm its operation in some way. Security vulnerabilities are an unavoidable fact of life, but it’s how we deal with them that makes all the difference. No software system is immune from security vulnerabilities, and every software system we use today needs to be kept up-to-date with the latest fixes.
In the open source world we can be fully transparent about which issues have been fixed and when, because the source code is open to inspection for everyone. The vast majority of security vulnerabilities are discovered by researchers who study software and report issues in order to fix them and improve the software for everybody.
They operate under a responsible (coordinated) disclosure model: the researcher reports the vulnerability to the software publisher, who then has time to implement and release a fix before the researcher tells the world about it.
Not everybody operates like this though. Some malicious actors keep the vulnerabilities they discover for their own purposes, or sell them to others for use in "zero-day" attacks (so called because the software developer has had zero days' notice to fix the issue and release a patch).
Patching known vulnerabilities
How can known vulnerabilities harm you? After all, if a security gap is public and a patch that resolves it is available, surely everyone would immediately patch their affected systems. Right? Unfortunately, that is far from reality! In a report Verizon published in 2022, only 25% of the scanned organisations were found to patch known vulnerabilities within two months of their public disclosure.
But why would someone willingly and knowingly leave their organisation vulnerable to cyber attacks? Once more, the answer lies in the eternal tension between security and usability. Ask any system administrator, and they will tell you that the unscheduled work it takes to patch vulnerabilities is time-consuming, expensive and sometimes just impossible because they need to keep the server up and running.
Livepatch: patch your kernel while it is running
Ask these same administrators again, and they will also tell you that they would love a solution that lets them patch vulnerabilities while the system keeps running, without a reboot. For the Ubuntu kernel, this is precisely what Livepatch offers.
Livepatch applies fixes for the kernel's high and critical severity vulnerabilities to the running kernel, so a server keeps serving while it is patched. Given that kernel vulnerabilities account for 40% of all high and critical vulnerabilities, this closes a large share of the exposure window at a quantifiable cost. Two caveats a practitioner should keep in mind: Livepatch covers the kernel only, not user-space packages, and it does not replace the regular kernel package updates, which you still install as usual so that the fix persists across the next (now deferrable) reboot. It is enabled through the Ubuntu Pro client (`pro enable livepatch`), and `canonical-livepatch status` shows which patches are currently applied.
“Livepatch is a perfect fit for our needs. There’s no other solution like it, and it’s highly cost-effective. Manually migrating virtual machines, applying kernel updates, and rebooting took an average of 32 hours per server. Multiplied by 80 servers, that was more than 2,500 hours of work.”
Shinya Tsunematsu, Senior Engineering Lead of Tech Division, GMO Pepabo
Read the GMO Pepabo case study
An extra security advantage
But what about your other, non-kernel, business-as-usual vulnerabilities that Livepatch does not cover? This is precisely where the Canonical ecosystem shines! With each Ubuntu Long Term Support (LTS) release, you always benefit from 5 years of standard security maintenance for the base OS, critical software packages and infrastructure components (the packages in Ubuntu's main repository).
And if for any reason you cannot upgrade to the next LTS release after 5 years, you can use Canonical's Expanded Security Maintenance (ESM) to remain secure for a total of 10 years. ESM is available through an Ubuntu Pro subscription, which is free for personal use.
This innovative approach provides not only a compelling security value proposition, but an equally compelling business one.
Pal can tell you first-hand how this has let him run a secure Linux ecosystem for PalBank without the usual maintenance burden. Because he no longer has to track, apply and test the latest upstream security updates himself, he can spend that time delivering the best bank application for his customers, and even squeeze in a vacation or two in between.
What about unknown threats?
If we know about a security vulnerability then we can patch it, but what about the times when an attacker is using an exploit for a vulnerability that hasn't been fixed yet, or that nobody but the attacker knows about? This is where the rest of the Ubuntu ecosystem helps.
The nature of open-source software means that it’s much harder for bad actors to insert back doors into software. The source code is freely available for everyone to read, and Canonical reviews and monitors the code for each package that’s included in Ubuntu, meaning that you can install all the software you need from one trusted source, backed by Canonical’s decades-long track record of patching and support, without resorting to downloading random pieces of code from the internet.
Another benefit of using Ubuntu packages is that everything Canonical compiles is built with the toolchain's hardening options turned on by default: the stack protector, _FORTIFY_SOURCE, position-independent executables (PIE) and read-only relocations (RELRO), among others. These options do not remove memory-safety bugs such as buffer overflows and heap corruption, which have plagued native code for many years; they make such bugs markedly harder to turn into a working exploit, which is the point of defence in depth.
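Those countermeasures leave visible traces in the compiled binary, so they can be verified rather than assumed. The script below is an added example written for this page, not Canonical's tooling and not a replacement for a full checksec run: it parses the ELF header and program headers for PIE, a non-executable stack and a RELRO segment, and searches the file for the glibc symbols that the stack protector and _FORTIFY_SOURCE import. The constructed fixture `build_sample_elf` is not a loadable binary; it exists so the check can be exercised offline.

```python
"""Triage check for ELF hardening features (PIE, NX stack, RELRO,
stack canary, FORTIFY_SOURCE).  Added example for this page; it is not
Canonical's tooling.  It reads only the ELF header, the program headers
and a byte search for glibc symbol names, which is enough for triage
but not a substitute for checksec or hardening-check."""
import struct
import sys
from dataclasses import dataclass

ET_DYN = 3                 # e_type of a PIE (shared libraries use it too)
PT_GNU_STACK = 0x6474E551  # stack permissions requested from the loader
PT_GNU_RELRO = 0x6474E552  # region made read-only after relocation
PF_X = 0x1


@dataclass
class Hardening:
    pie: bool
    nx_stack: bool
    relro: bool          # partial RELRO; full RELRO also needs DT_BIND_NOW (not parsed here)
    stack_canary: bool
    fortify: bool        # false also for binaries with no fortifiable calls


def inspect_elf(data: bytes) -> Hardening:
    """Parse an in-memory ELF image and report which mitigations it carries."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is_64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if is_64:
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)

    # Without PT_GNU_STACK the loader falls back to an executable stack,
    # so "absent" is treated as "not protected".
    nx_stack = False
    relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is_64:
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        else:                                   # ELF32 keeps p_flags after the addresses
            p_type = struct.unpack_from(end + "I", data, off)[0]
            p_flags = struct.unpack_from(end + "I", data, off + 24)[0]
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True

    # -fstack-protector and _FORTIFY_SOURCE both show up as glibc imports
    # that survive strip(1), so a substring search over the file suffices.
    stack_canary = b"__stack_chk_fail" in data
    fortify = any(s in data for s in (b"__memcpy_chk", b"__strcpy_chk",
                                      b"__printf_chk", b"__sprintf_chk",
                                      b"__fprintf_chk", b"__snprintf_chk"))
    return Hardening(e_type == ET_DYN, nx_stack, relro, stack_canary, fortify)


def missing(h: Hardening) -> list:
    """Names of the mitigations a binary lacks, for a one-line verdict."""
    names = (("PIE", h.pie), ("NX stack", h.nx_stack), ("RELRO", h.relro),
             ("stack canary", h.stack_canary), ("FORTIFY_SOURCE", h.fortify))
    return [n for n, present in names if not present]


def build_sample_elf(pie: bool, nx: bool, relro: bool, canary: bool) -> bytes:
    """Constructed fixture: a minimal little-endian x86-64 ELF image with
    only the headers inspect_elf reads.  It is not loadable; it exists so
    the check can be exercised offline without a compiler."""
    phdrs = [struct.pack("<IIQQQQQQ", PT_GNU_STACK, 0x6 if nx else 0x7,
                         0, 0, 0, 0, 0, 0x10)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LSB, version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 ET_DYN if pie else 2, 0x3E, 1, 0, 64, 0, 0,
                                 64, 56, len(phdrs), 64, 0, 0)
    tail = b"__stack_chk_fail\0" if canary else b""
    return header + b"".join(phdrs) + tail


if __name__ == "__main__":
    # Usage: python3 elf_hardening.py /usr/bin/ls /usr/sbin/sshd ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            result = inspect_elf(f.read())
        lacking = missing(result)
        print(f"{path}: {'hardened' if not lacking else 'missing ' + ', '.join(lacking)}")
```

Run it over `/usr/bin` on a stock Ubuntu system and the distro-built binaries should come back with at most FORTIFY_SOURCE unreported (a binary with no fortifiable calls carries no `*_chk` imports); a locally built tool that reports missing PIE or NX stack is the one to look at first.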
Ubuntu is configured to be secure by default. A fresh installation of Ubuntu Desktop does not open up any network ports that could be abused by an attacker, and it ships with the ufw firewall installed (ufw is inactive until you run `sudo ufw enable`, which is worth doing on any machine that will later run services). To limit the damage from attacks nobody has patched yet, Ubuntu uses AppArmor, a mandatory access control system implemented as a Linux Security Module in the kernel. Each confined program runs under a profile that lists the files, capabilities and network access it may use; anything not listed is denied.
So, for example, if a malicious website exploited a vulnerability in the Firefox browser, the exploit code would be confined to what Firefox's profile allows, and compromising the browser would not by itself hand the attacker the rest of the system; a further kernel or AppArmor bypass would be needed. Confinement limits the blast radius; it does not make the browser bug go away.
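To make the confinement concrete, here is a minimal profile for a hypothetical report-generating service at `/usr/local/bin/pal-reportgen`. It is an added example, not one of the profiles Ubuntu ships; the service, its paths and its needs are assumptions chosen to show the pattern: grant exactly the reads and writes the program needs, and deny everything an exploit would want.

```apparmor
# /etc/apparmor.d/usr.local.bin.pal-reportgen   (hypothetical service; added example)
#include <tunables/global>

/usr/local/bin/pal-reportgen {
  # libc, /dev/null, locale data and the other things every process needs.
  #include <abstractions/base>

  # The binary itself: read and memory-map, never write.
  /usr/local/bin/pal-reportgen mr,

  # Configuration and templates are read-only, so injected code cannot
  # tamper with what the next run will execute.
  /etc/pal-reportgen/** r,
  /usr/share/pal-reportgen/templates/** r,

  # The only place the service may write.  'owner' additionally requires
  # the files to belong to the uid the service runs as.
  owner /var/lib/pal-reportgen/out/** rw,

  # The service never talks to the network, so deny it outright: a
  # compromised process gets no exfiltration channel even if the rest
  # of the profile is loosened later.
  deny network,

  # Anything not listed is already denied; these explicit, audited
  # denials exist so that an attempt to read user data or password
  # hashes shows up in the kernel log as apparmor="DENIED".
  audit deny /home/** rwklx,
  audit deny /etc/shadow r,
}
```

Load it with `sudo apparmor_parser -r /etc/apparmor.d/usr.local.bin.pal-reportgen`, run the service in complain mode first (`sudo aa-complain /usr/local/bin/pal-reportgen`) to collect what it genuinely needs, then switch to enforce mode; `sudo aa-status` shows which profiles are loaded and in which mode, and denials appear in the kernel log (`journalctl -k`).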
So, is Linux secure?
The Linux kernel and its entire ecosystem of operating system distributions are built around the values of openness, transparency, agility and trustworthiness. These values are what lay the foundation for modern software security that Canonical builds upon!
Because Ubuntu stands on the shoulders of giants, it could afford to look around and listen to what modern enterprises need: enterprise-grade security maintenance and support, reliably delivered day in and day out by a robust commercial entity, that you can trust to be your digital partner, today and tomorrow.
What millions of customers, and Pal, have figured out is that an Ubuntu LTS release with an Ubuntu Pro (formerly Ubuntu Advantage) subscription and Livepatch enabled is the most reasonably secure Linux OS you can bet on! This is why they keep choosing Ubuntu, every day, to power their desktops, IoT devices, data centres and public cloud workloads.
More resources
- Linux Security: your questions, answered
- Do you need a certified Ubuntu?
- Ubuntu: What’s the security story?
- What about Confidential Computing
- What’s new in Security for Ubuntu 22.04 LTS?