Dailydave mailing list archives
Re: Brad gets real!
From: Konrads Smelkovs via Dailydave <dailydave () lists aitelfoundation org>
Date: Tue, 7 Jul 2020 08:12:56 +0800
Linux has too many stakeholders for a sensible equities process to happen, which is why treating everyone poorly (bugs are bugs) is fairer than coordinating disclosure. For example, if an earth-shattering Linux bug was to emerge, why would RedHat be in the know while Russian defence contractors who build their countries' systems on local Linux distros would be excluded?

On Tue, 7 Jul 2020 at 08:09, Shawn Webb via Dailydave <dailydave () lists aitelfoundation org> wrote:
> Fully agreed with you there. I also dislike the culture of treating security vulnerabilities as "just another bug." I feel there's some form of newspeak with regards to security and the Linux kernel. There is indeed a formalized method to report security-related bugs to the Linux kernel (emailing security _AT_ kernel _DOT_ org). Yet Linux developer culture says "all bugs are bugs, regardless of security impact. A security bug is just another bug." In this increasingly digital information age, it would be well to differentiate security versus errata bugs.
>
> I also wonder about stigma regarding introduction of vulnerable code. We're all humans--we make mistakes from time to time. Our eyes get tired and we sometimes forget to check a NULL pointer, or sometimes we forget that +1 for NUL character string termination. I sometimes wonder whether Linux's culture of treating security bugs as non-important is due to stigma.
>
> Thoughts?
>
> --
> Shawn Webb
> Cofounder / Security Engineer
> HardenedBSD
>
> GPG Key ID: 0xFF2E67A277F8E1FA
> GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2
> https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
>
> On Mon, Jul 06, 2020 at 04:41:40PM -0700, Dave Aitel wrote:
>> This is possibly true, although an Android vs iOS comparison here might be more apt, from a technical perspective? But what Brad truly nails in his talk is an overarching culture around the process of Linux kernel development that is decidedly non-optimal when it comes to security. For example, when proposing security features, a healthy community would take a suggested patch and debate "What were you trying to accomplish? What is the best way to implement that?" and the Linux community instead has a series of formatting gateways, and then a rejection. (According to the talk - I am not a Linux kernel dev).
>>
>> Debating security boundaries and threat models is a sign of a healthy community, especially in a structured, non-confrontational way.
>>
>> -dave
>>
>> On Mon, Jul 6, 2020 at 12:06 PM Shawn Webb <shawn.webb () hardenedbsd org> wrote:
>>> On Mon, Jul 06, 2020 at 11:37:13AM -0700, Dave Aitel via Dailydave wrote:
>>>> https://www.youtube.com/watch?v=F_Kza6fdkSU
>>>>
>>>> So I wanted to highlight this talk from Brad Spengler about the state of Linux security. It's a damning report if you read even a little bit between the lines. And on many levels. As Halvar points out, Android deliberately avoided investing what they knew they needed to invest in platform security in the effort to gather significant early market share, even knowing it would harm their user-base in a multitude of ways.
>>>>
>>>> And this kind of philosophical trade-off taken by companies filters into the Linux security ecosystem, creating Ogres of various sorts, like Calamity Ganon's corruption of various parts of Hyrule. For example, phones often run on an older Linux kernel, which means there is economic incentive to backport features and security fixes to those kernels, or pretend you can.
>>>>
>>>> Likewise, much of the effort of the Linux security community is focused on KASLR, which Brad points out, is largely a waste of time. He also talks about syzkaller, automated exploit generation, and a host of other things.
>>>>
>>>> Well worth a listen!
>>>
>>> It's also hard to innovate without a userland that is tightly integrated with the kernel (like the BSDs). On the BSD side, we're able to ship an entire ecosystem with exploit mitigations applied because a basic userland is shipped and integrated with the kernel. The way in which the BSDs are structured enables innovation across the entire ecosystem. We at HardenedBSD are able to test and deploy exploit mitigations across the base operating system in addition to 33,000+ packages.
>>>
>>> In addition to Brad's observations, I opine that the fragmentation of Linux has provided a net decrease in security posture.
>>>
>>> --
>>> Shawn Webb
>>> Cofounder / Security Engineer
>>> HardenedBSD
>>>
>>> GPG Key ID: 0xFF2E67A277F8E1FA
>>> GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2
>>> https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
>
> _______________________________________________
> Dailydave mailing list -- dailydave () lists aitelfoundation org
> To unsubscribe send an email to dailydave-leave () lists aitelfoundation org
--
-K