Alpine Linux security mission

class: center, middle

<img src='data:image/svg+xml;utf8,<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" version="1.1" width="665.2" height="161.8" xml:space="preserve"><style>.s0{fill:#0d597f;}</style><defs><clipPath clipPathUnits="userSpaceOnUse"><path d="M0 560 960 560 960 0 0 0 0 560z"/></clipPath></defs><g transform="matrix(1.25,0,0,-1.25,-267.55675,592.22537)"><g transform="translate(686.7844,397.9583)" fill="#0d597f"><path d="m0 0c-3.7 6.4-3.7 19.4 0 26.2 1.6 3 6.6 9.6 28.4 9.6 4.5 0 7.7-0.2 10.1-0.6 5.3-0.7 9.3-2.5 9.3-7.4 0-6.5-9.6-6.5-9.6-6.5l-20.3 0C9.4 21.2 8.7 9.3 8.7 9.3l9.2 0 20.4 0c10.4 0 21.1 4.6 21.1 18.3 0 9-5.2 15.1-13.7 17.5-8.5 2.3-11.8 2.2-23.4 2C13 46.8 7.7 44.8 4.3 43.8-1.6 41.9-6.9 38.4-10.5 32-16.3 21.4-16.2 4-10.4-6-4.1-16.8 6.7-22.6 19.7-22.6l39.7 0 0 11.9-39.7 0C8.2-10.7 2.6-4.4 0 0" fill="#0d597f"/></g><g transform="translate(441.9298,442.9648)" fill="#0d597f"><path d="m0 0c-10.5 5.8-27.9 5.8-38-0.1-14.4-8.4-19.8-24.8-14.6-43.9 2.7-9.8 10-17 21-20.9 7.8-2.7 15-2.8 15.3-2.8l0 12c-0.2 0-20.8 0.3-24.8 14.8-5.2 18.8 3.5 27 9.1 30.3 6.4 3.7 19.4 3.7 26.2 0 7.2-4 7.7-12.3 7.7-25.5l0-24.4c0-8.6 12-9.2 12-9.2l0 9.2 0 24.4c0 12.6 0 28.3-13.9 36" fill="#0d597f"/></g><g transform="translate(597.6101,375.3665)" fill="#0d597f"><path d="m0 0 0 37.4c0 13 5.8 23.8 16.6 30.1 10.1 5.9 27.5 5.9 38 0.1 13.9-7.7 13.9-23.4 13.9-36l0-24.3 0-9.2c0 0-12 0.6-12 9.2l0 24.3c0 13.2-0.5 21.5-7.7 25.5C42 60.9 29 60.9 22.6 57.1 18.2 54.6 11.9 48.9 11.9 37.4l0-37.4L0 0z" fill="#0d597f"/></g><g transform="translate(579.8309,375.3661)" fill="#0d597f"><path d="m0 0 0 47.6 0 9.2c0 0 11.9-0.7 11.9-9.3L11.9 0 0 0z" fill="#0d597f"/></g><g transform="translate(591.7351,443.8518)" fill="#0d597f"><path d="m0 0 0-2 0-9.2c0 0-11.9 0.7-11.9 9.3L-11.9 0 0 0z" fill="#0d597f"/></g><g transform="translate(519.3928,442.6805)" fill="#0d597f"><path d="m0 0c10.5 5.8 27.9 5.8 38-0.1 14.4-8.4 19.8-24.8 14.6-43.9-2.7-9.8-10-17-21-20.9-7.8-2.7-15-2.4-15.3-2.4l0 11.9c0.2 0 20.8 0.1 24.8 14.6 5.2 18.8-3.5 27-9.1 30.3-6.4 3.7-19.4 3.7-26.2 0-7.2-4-7.7-12.3-7.7-25.5l0-12.6c0-8.6-12-9.2-12-9.2l0 9.2 0 12.6c0 12.6 0 28.3 13.9 36" fill="#0d597f"/></g><g transform="translate(517.3693,344.6278)" fill="#0d597f"><path d="m0 0 0 30.5 0 9.2c0 0-11.9-0.7-11.9-9.3L-11.9 0 0 0z" fill="#0d597f"/></g><g transform="translate(473.349,473.7803)" fill="#0d597f"><path d="m0 0 0-32.4 0-9.2c0 0-11.9 0.7-11.9 9.3L-11.9 0 0 0z" fill="#0d597f"/></g><g transform="translate(474.9603,402.1447)" fill="#0d597f"><path d="m0 0c-1 3.8-1.5 7.1-1.6 10.1l0 10.3c0 8.6-11.9 9.2-11.9 9.2l0-9.2 0-10.2c0-4.2 0.7-8.7 2-13.3 2.7-9.8 10-17 21-20.9 7.8-2.7 15-2.7 15.3-2.7l0 11.9C24.5-14.8 4-14.5 0 0" fill="#0d597f"/></g><g transform="translate(268.1394,393.2718)" fill="#0d597f"><path d="M0 0 0 15.7-11.3 4.4C-10.1 3.5-8.9 2.8-7.9 2.3-6.8 1.7-5.8 1.3-4.8 0.9-3.9 0.6-3 0.4-2.2 0.2-1.4 0.1-0.7 0 0 0m57.8 1.3c0 0 0.1-0.1 0.3-0.2 0.2-0.1 0.5-0.3 0.9-0.5 0.4-0.2 0.9-0.3 1.5-0.4 0.6-0.1 1.3-0.2 2.1-0.2 0.7 0 1.4 0.1 2.2 0.2 0.8 0.1 1.7 0.4 2.6 0.7 1 0.3 2 0.8 3.1 1.3 1.1 0.6 2.3 1.3 3.5 2.1L65.4 12.7 37 41.2 24.5 28.8 7.7 46.1-34.5 4.4c1.2-0.9 2.4-1.6 3.5-2.1 1.1-0.6 2.1-1 3.1-1.3 1-0.3 1.8-0.6 2.6-0.7 0.8-0.1 1.6-0.2 2.2-0.2 0.8 0 1.5 0.1 2.1 0.2 0.6 0.1 1.1 0.3 1.5 0.4 0.4 0.2 0.7 0.3 0.9 0.5 0.2 0.1 0.3 0.2 0.3 0.2L0.8 20.4 7.6 26.9 26.5 8.1 33.1 1.3c0 0 0.1-0.1 0.3-0.2 0.2-0.1 0.5-0.3 0.9-0.5 0.4-0.2 0.9-0.3 1.5-0.4 0.6-0.1 1.3-0.2 2.1-0.2 0.7 0 1.4 0.1 2.2 0.2 0.8 0.1 1.7 0.4 2.6 0.7 1 0.3 2 0.8 3.1 1.3 1.1 0.6 2.3 1.3 3.5 2.1L34.2 19.2 37 22 50.1 8.9 57.8 1.3M57.6 80.3 94.8 15.8 57.6-48.6l-74.5 0-37.2 64.5 37.2 64.5 74.5 0z" fill="#0d597f"/></g><g transform="translate(302.5041,412.251)" fill="#0d597f"><path d="M0 0-9.9 9.9-9.2 10.6 0.8 0.7 0 0z" fill="#0d597f"/></g><g transform="translate(528.4338,353.235)" fill="#0d597f"><path d="m0 0 0 22.2-2 0L-2 0c0-4.3 3.4-8.9 12.8-8.9l15.3 0 0 2-15.2 0C0.8-6.9 0-1.6 0 0" fill="#0d597f"/></g><path d="m561.1 344.4 2 0 0 22.8-2 0 0-22.8zM561.1 368.4l2 0 0 3-2 0 0-3z" fill="#0d597f"/><g transform="translate(664.6232,367.1373)" fill="#0d597f"><path d="m0 0-2.6 0-8.5-9.9-8.5 9.9-2.6 0 9.8-11.4-9.7-11.4 2.6 0 8.4 9.8 8.4-9.8 2.6 0-9.7 11.4L0 0z" fill="#0d597f"/></g><g transform="translate(634.3527,353.11)" fill="#0d597f"><path d="M0 0C0-0.7-0.4-6.8-13.1-6.8-25.6-6.8-26-0.7-26 0l0 14-2 0L-28 0c0-0.9 0.4-8.8 14.9-8.8C1.6-8.8 2-0.9 2 0l0 14-2 0L0 0z" fill="#0d597f"/></g><g transform="translate(584.7756,367.1373)" fill="#0d597f"><path d="m0 0c-14.6 0-15.1-7.9-15.1-8.8l0-14 2 0 0 14c0 0.7 0.4 6.8 13.1 6.8 12.6 0 12.9-6.1 12.9-6.8l0-14 2 0 0 14C14.9-7.9 14.5 0 0 0" fill="#0d597f"/></g></g></svg>'>

### Small. Simple. <b>Secure</b>

Natanael Copa (@n_copa)

natanael.copa@docker.com

---

### Original design goal

- to run diskless
- install from scratch to ram-disk (tmpfs) at bootup.

### Usecases
- router, firewall, vpn, proxy, voip

### Later also

- containers (Docker FTW!), servers, desktop?

---

### Small

- reduces attack surface (Docker images: ubuntu=120MB, alpine=4MB)

### Simple

- don't install/start things unless explicitly asked for
- reduced complexity leads to fewer bugs

### Secure

- Hardened kernel
- Hardened toolchain

---

## Hardened kernel

- Grsecurity/PaX (unofficial fork)
- enforce non-executable pages - PAGEEXEC, MPROTECT, EMUTRAMP
- Address Space Layout Randomizaion (ASLR) - RANDUSTACK, RANDMMAP
- Reuse Attack Protector (RAP)
- Misc memory protections - REFCOUNT, MEMORY_STRUCTLEAK

### More useful with userspace:

- Position Independent Executable (PIE)
- Full Relocation Read-Only (RELRO) -Wl,-z,relro,-z,now

---

## Hardened toolchain

Enabled by default:

- PIE (incl. static)
- -Wl,-z,relro,-z,now
- -fstack-protector-strong
- -DFORTIFY_SOURCE=2

---

## musl libc

> a new standard library . . .
> musl is lightweight, fast, simple, free, and strives to be _correct_ in the
> sense of standards-conformance and safety. - https://www.musl-libc.org/

- clean, modern codease
- small (580kb - 5% of glibc)

---

### "correct in the sense of ... safety"

#### unified libc/libpthread/ldso
- atomic upgrades

#### Thread-local Storage (TLS)
- reserve all storage at time when failure is reportable
- dlclose() is a NOP

#### No utmp/wtmp
- stubs only
- requires suid/sgid to work properly

#### Other examples
- getmntent_r() returns failure instead of truncate lines

---

## What about tracking and fixing CVE's?

- yes we do that
- Effective security shouldn't depend on hoping the "bad guys" don't have early access to vulnerability information

---

## The future

#### in progress

- build in containers
- apk rewrite (implement ideas from TUF, get rid of SHA1)
- better support for safer languages as Go and Rust

#### needs help

- suid executbles (main repo has 32. community has 17)
- automatic testing
- code reviews
- llvm/clang by default (CFI)
- default thread stack size?

---

## Questions?