Fully agreed with you there. I also dislike the culture of treating
security vulnerabilities as "just another bug." I feel there's some
form of newspeak with regards to security and the Linux kernel. There
is indeed a formalized method to report security-related bugs to the
Linux kernel (emailing security _AT _ kernel _DOT_ org). Yet Linux
developer culture says "all bugs are bugs, regardless of security
impact. A security bug is just another bug."
In this increasingly digital information age, it would be well to
differentiate security versus errata bugs.
I also wonder about stigma regarding introduction of vulnerable code.
We're all humans--we make mistakes from time to time. Our eyes get
tired and we sometimes forget to check a NULL pointer, or sometimes we
forget that +1 for NUL character string termination. I sometimes
wonder whether Linux's culture of treating security bugs as
non-important is due to stigma. Thoughts?
--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
GPG Key ID: 0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2
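As an added illustration of the "+1 for NUL" slip mentioned above (example code written for this page, not part of the thread or of any HardenedBSD or Linux code): a bounded copy that forgets the terminator beside one that accounts for it explicitly. NAME_LEN and the function names are hypothetical; the check helper uses memchr so it never reads beyond the buffer.

```c
#include <stddef.h>
#include <string.h>

#define NAME_LEN 8   /* constructed buffer size for the example */

/* Bug-prone copy: strncpy() writes a NUL only when src is shorter than n.
 * When strlen(src) >= NAME_LEN no terminator lands in dst, and any later
 * strlen()/printf("%s") on dst reads past the end of the buffer. */
void copy_name_unsafe(char dst[NAME_LEN], const char *src)
{
    strncpy(dst, src, NAME_LEN);
}

/* Hardened copy: count the terminator explicitly (the "+1") and refuse
 * input that does not fit, so dst is always NUL-terminated.
 * Returns 0 on success, -1 if src is too long (dst is then ""). */
int copy_name_safe(char dst[NAME_LEN], const char *src)
{
    size_t need = strlen(src) + 1;       /* bytes including the NUL */
    if (need > NAME_LEN) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, need);
    return 0;
}

/* Check helper: 1 if a NUL occurs within the first n bytes of buf, else 0.
 * memchr() is bounded by n, so the check itself cannot over-read. */
int is_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

int main(void)
{
    char buf[NAME_LEN];

    copy_name_unsafe(buf, "abcdefgh");             /* exactly NAME_LEN chars */
    int unsafe_ok = is_terminated(buf, NAME_LEN);  /* 0: no terminator */

    int rc = copy_name_safe(buf, "abcdefgh");      /* -1: rejected */
    int safe_ok = is_terminated(buf, NAME_LEN);    /* 1: always terminated */

    return (unsafe_ok == 0 && rc == -1 && safe_ok == 1) ? 0 : 1;
}
```

The unsafe variant is the one a tired reviewer tends to wave through, because strncpy looks bounded; the defect only shows up when a string of exactly NAME_LEN characters arrives, which is why a test with that boundary input is worth keeping next to the copy routine.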
This is possibly true, although an Android vs iOS comparison here might be
more apt, from a technical perspective? But what Brad truly nails in his
talk is an overarching culture around the process of Linux kernel
development that is decidedly non-optimal when it comes to security.
For example, when proposing security features, a healthy community would
take a suggested patch and debate "What were you trying to accomplish? What
is the best way to implement that?" and the Linux community instead has a
series of formatting gateways, and then a rejection. (According to the talk
- I am not a Linux kernel dev).
Debating security boundaries and threat models is a sign of a healthy
community, especially in a structured, non-confrontational way.
-dave
On Mon, Jul 6, 2020 at 12:06 PM Shawn Webb <shawn.webb(a)hardenedbsd.org>
wrote:
> On Mon, Jul 06, 2020 at 11:37:13AM -0700, Dave Aitel via Dailydave wrote:
> >
> > https://www.youtube.com/watch?v=F_Kza6fdkSU
> >
> > So I wanted to highlight this talk from Brad Spengler about the state of
> > Linux security. It's a damning report if you read even a little bit between
> > the lines. And on many levels. As Halvar points out, Android deliberately
> > avoided investing what they knew they needed to invest in platform security
> > in the effort to gather significant early market share, even knowing it
> > would harm their user-base in a multitude of ways.
> >
> > And this kind of philosophical trade off taken by companies filters into
> > the Linux security ecosystem, creating Ogres of various sorts, like
> > Calamity Gannon's corruption of various parts of Hyrule. For example,
> > phones often run on an older Linux kernel, which means there is economic
> > incentive to backport features and security fixes to those kernels, or
> > pretend you can.
> >
> > Likewise, much of the effort of the Linux security community is focused on
> > KASLR, which Brad points out, is largely a waste of time.
> >
> > He also talks about Syzkiller, automated exploit generation, and a host of
> > other things. Well worth a listen!
>
> It's also hard to innovate without a userland that is tightly
> integrated with the kernel (like the BSDs). On the BSD side, we're
> able to ship an entire ecosystem with exploit mitigations applied
> because a basic userland is shipped and integrated with the kernel.
>
> The way in which the BSDs are structured enables innovation across the
> entire ecosystem. We at HardenedBSD are able to test and deploy
> exploit mitigations across the base operating system in addition to
> 33,000+ packages.
>
> In addition to Brad's observations, I opine that the fragmentation of
> Linux has provided a net decrease in security posture.
>
> --
> Shawn Webb
> Cofounder / Security Engineer
> HardenedBSD
>
> GPG Key ID: 0xFF2E67A277F8E1FA
> GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2
>
> https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Sha…
>