Linux has too many stakeholders for a sensible equities process to happen
which is why treating everyone poorly (bugs are bugs) is fairer than
coordinating disclosure. In an example, if an earth shattering Linux bug
was to emerge, why would RedHat be in the know while Russian defence
contractors who build their countries’ systems on local Linux distros would
be excluded?
On Tue, 7 Jul 2020 at 08:09, Shawn Webb via Dailydave <dailydave(a)lists.aitelfoundation.org> wrote:
Fully agreed with you there. I also dislike the culture of treating
security vulnerabilities as "just another bug." I feel there's some
form of newspeak with regards to security and the Linux kernel. There
is indeed a formalized method to report security-related bugs to the
Linux kernel (emailing security _AT_ kernel _DOT_ org). Yet Linux
developer culture says "all bugs are bugs, regardless of security
impact. A security bug is just another bug."
In this increasingly digital information age, it would be well to
differentiate security versus errata bugs.
I also wonder about stigma regarding introduction of vulnerable code.
We're all humans--we make mistakes from time to time. Our eyes get
tired and we sometimes forget to check a NULL pointer, or sometimes we
forget that +1 for NUL character string termination. I sometimes
wonder whether Linux's culture of treating security bugs as
non-important is due to stigma. Thoughts?
--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
GPG Key ID: 0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2
https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Sha…
On Mon, Jul 06, 2020 at 04:41:40PM -0700, Dave Aitel wrote:
This is possibly true, although an Android vs iOS comparison here might be
more apt, from a technical perspective? But what Brad truly nails in his
talk is an overarching culture around the process of Linux kernel
development that is decidedly non-optimal when it comes to security.
For example, when proposing security features, a healthy community would
take a suggested patch and debate "What were you trying to accomplish? What
is the best way to implement that?" and the Linux community instead has a
series of formatting gateways, and then a rejection. (According to the
talk - I am not a Linux kernel dev).
Debating security boundaries and threat models is a sign of a healthy
community, especially in a structured, non-confrontational way.
-dave
On Mon, Jul 6, 2020 at 12:06 PM Shawn Webb <shawn.webb(a)hardenedbsd.org> wrote:
> On Mon, Jul 06, 2020 at 11:37:13AM -0700, Dave Aitel via Dailydave wrote:
> > https://www.youtube.com/watch?v=F_Kza6fdkSU
>
> > So I wanted to highlight this talk from Brad Spengler about the state of
> > Linux security. It's a damning report if you read even a little bit
> > between the lines. And on many levels. As Halvar points out, Android
> > deliberately avoided investing what they knew they needed to invest in
> > platform security in the effort to gather significant early market share,
> > even knowing it would harm their user-base in a multitude of ways.
>
> > And this kind of philosophical trade-off taken by companies filters into
> > the Linux security ecosystem, creating Ogres of various sorts, like
> > Calamity Ganon's corruption of various parts of Hyrule. For example,
> > phones often run on an older Linux kernel, which means there is economic
> > incentive to backport features and security fixes to those kernels, or
> > pretend you can.
>
> > Likewise, much of the effort of the Linux security community is focused on
> > KASLR, which Brad points out, is largely a waste of time.
>
> > He also talks about syzkaller, automated exploit generation, and a host of
> > other things. Well worth a listen!
>
> It's also hard to innovate without a userland that is tightly
> integrated with the kernel (like the BSDs). On the BSD side, we're
> able to ship an entire ecosystem with exploit mitigations applied
> because a basic userland is shipped and integrated with the kernel.
>
> The way in which the BSDs are structured enables innovation across the
> entire ecosystem. We at HardenedBSD are able to test and deploy
> exploit mitigations across the base operating system in addition to
> 33,000+ packages.
>
> In addition to Brad's observations, I opine that the fragmentation of
> Linux has provided a net decrease in security posture.
>
> --
> Shawn Webb
> Cofounder / Security Engineer
> HardenedBSD
>
> GPG Key ID: 0xFF2E67A277F8E1FA
> GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2
>
> https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Sha…
>
_______________________________________________
Dailydave mailing list -- dailydave(a)lists.aitelfoundation.org
To unsubscribe send an email to dailydave-leave(a)lists.aitelfoundation.org