Reporting Kernel Security Issues

Omniscientist writes "A recent post on KernelTrap details the lkml post by Chris Wright talking about a centralized place to report security issues pertaining to the Linux Kernel and the discussion that was generated by it, including Chris's followup. It would appear that they now have created a security team to privately handle the bugs, who act as the alternative to reporting the flaw to the public immediately."

Good idea?

[lachlan76]

To be honest, I'd rather see any security problems in LKML, than keep them private...a private bug may not be fixed, but when there is a lot of public pressure to get a patch out, if it's not done *FAST* by the developers, someone in the community will do it. This is not the case if it is kept private.

Re:Good idea?

Did you actually read the fine thread? All Chris is doing is creating a single point of contact for security related bugs. The current situation is that bugs are reported randomly to lkml, distros or whereever so some may fall through the net.

A single point of contact is a good thing in my book.

Re:Good idea?

[Exter-C]

I agree with this. Also the whole benefit is that its all open closing it off or making it private may result in all sorts of issues in the future.. (see microsoft's traditionally slow response to security issues.. aka win nuke).

Re:Good idea?

[tibike77]

Well, it's a tradeoff issue... do you prefer that:

a) all bugs get published "public"
- each and every person can snoop around and either help fix it
- or instead try to exploit it (even moreso, keep on exploiting it on "unpatched" systems long time after)

OR

b) all serious bugs get published "privately"
- only "core contributors" get to see it and try to fix it
- the rest of the population might not even know the bug exists until a patch is released (moreso, you might not even know what the bug was)

Well, I guess (some) people prefer "version B" ;)

Re:Good idea?

[Albinofrenchy]

There is something to be said about keeping it private though. It would be ideal if they could keep it private and fix the bug quickly, just because this doesn't work for other companies doesn't mean they can't pull it off.

Re:Good idea?

[lachlan76]

Well the headline made it seem like it was just a private list so that only the dev guys know about the problems. Now that I've gotten further through the thread it seems that Linus is uhh...strongly opposed to that idea.

But if it's a security problem in the kernel and it gets reported to the vendor currently instead of lkml, what makes you think a single point of contact will be used properly?

Re:Good idea?

[coolcold]

i actually prefer it to be made private....for a particular amount of time before making public.

imagine, making a bug public can let more people solve the bug at the same time but also let hackers to exploit it. Making the bug on the other hand would slow down the patching process abit but systems are less vunerable. The bug won't exist forever in Linux since linux programmer aren't CEO like in M$ where money is their main motivation (which makes their programmer spend more time on features than fixing bugs, leading to bugs not fixed for months). they WILL patch a system asap so this won't be an issue.

However, if the bug is critical, making the bug private for, say a week, before going public would enable the developers to fix the bug. Only if the bug can't be fixed easily then it would be opened for others to help fixing it. This would make the machines in the wild less vunerable and also system patches quickly.

just my 0.02

Re:Good idea?

[lachlan76]

Well personally I prefer A, but that's just me. We've seen how Microsoft have handled option b.

Re:Good idea?

[DrSkwid]

A

so I could
1) fix it myself
or
2) be aware of activity to watch out for should a work around / fix not be available

Amazon use Linux and no doubt have *very* compentent Linux people on the staff, which do you think they would like to see ?

Re:Good idea?

[pe1rxq]

but systems are less vunerable

Nobody knowing about the bug doesn't make is less vulnerable.... It might make it less likely that somebody will abuse it, but the hole is still there.

Keeping it silent only works if you are the only one capable of finding it. It has been shown time after time that that isn't true.

Jeroen

Re:Good idea?

[SpaceLifeForm]

I prefer "A", but that's because I want to know as soon as possible that I will be upgrading at some point. Yes, exploits may be created sooner that way, but even if you go with "B", exploits can still be created.

Either way, upgrades must be done at some point, and if the machines are not upgraded (and many won't), the exploit can be unleashed against those machines.

And that is really no different than what happens in the Windows environment.

Re:Good idea?

[essreenim]

A
so I could
1) fix it myself
or
2) be aware of activity to watch out for should a
work around / fix not be available

Amazon use Linux and no doubt have *very*
compentent Linux people on the staff,
which do you think they would like to see ?
I agre but how about this.

Make the unstable kernel bugs public and then ONLY after these bugs are fixed publically, allow private fixing of bugs in the stable kernel.

I'm not sure though. If in doubt, should we not just keep ALL bugs public???

Re:Good idea?

[stevey]

There was such a list. It was called vendor-sec. There were bugs which they kept hidden instead of submitting the actual fix

No.

vendor-sec is a list where issues are discussed amongst vendors, and fixes are shared.

A bug is reported. People agree on a patch, or one is presented and given a quick check by other people - then at an agreed date all the vendors release their updates.

This means that large holes which affect core pieces of software such as the Kernel, Perl, Bind, OpenSSH all have a patch available from the vendor all at the same time - when the hole is reported.

Despite comments to the contrary bugs don't just sit their being "covered up", or held back arbitrarily - the whole point of the embargos/delays is to make sure all vendors who use the list are able to release together.

Re:Good idea?

[Cyn]

single point of failure.

Re:Good idea?

Well the headline made it seem like it was just a private list so that only the dev guys know about the problems. Now that I've gotten further through the thread it seems that Linus is uhh...strongly opposed to that idea.

No, he's strongly opposed to *long term* secrecy and any suppresion of a fix.

He's quite happy for short term secrecy, just not months worth. The thread drifted between four and fourteen days time with Alan Cox arguing for more so that commercial vendors could properly QA the fix.

Re:Good idea?

[dmn]

...and wasn't Linux all about "version A" ? Sure, full disclosure has it's pros and cons, but there is no way to fix the cons without giving up the whole philosophy altogether.

I was completely astouned to hear that Linus himself agreed for a 5-working-day embargo on making known security issues public. Even if it proves to promote security in general, Linux will lose some of it's openness and what's worse - at the very heart - which I consider the security of a system to be.

Today, if I choose Linux, I get to know virtually everything about the software I use. I get the source code, I can find out whether anything needs to be fixed and, if it's critical, I can fix it, constantly being _sure_, that my system is as secure as possible, knowing that there are no bugs kept secret from me.

Ok, so maybe a few Linux users, or even admins have ever looked into the kernel code, to fix a bug, but that's not the point. I mean, how can you talk about cooperation and openness if you keep critical information available only for an eleet, which "knows better" and will give you the fix, as soon as they're done. This is IMO against the spirit of Linux.

Or am I getting things wrong ?

Re:Good idea?

[EsbenMoseHansen]

bug won't exist forever in Linux since linux programmer aren't CEO like in M$ where money is their main motivation (which makes their programmer spend more time on features than fixing bugs, leading to bugs not fixed for months). they WILL patch a system asap so this won't be an issue.

I have seen repeatedly that this just isn't the case. Often bugs get ignored until it is released into the public, after which it is quickly closed. If you doubt me, try searching the Mozilla bug database after security bugs. Their policy was 3 months before the bug was made public.

Openness is the only way. It is my uncomfortable experince. Sorry.

Re:Good idea?

[RupW]

I prefer "A", but that's because I want to know as soon as possible that I will be upgrading at some point. Yes, exploits may be created sooner that way, but even if you go with "B", exploits can still be created.

Either way, upgrades must be done at some point, and if the machines are not upgraded (and many won't), the exploit can be unleashed against those machines.

The point is that in B Joe-Random-Sysadmin can just type "apt-get update" and get a fixed, QA-ed stable kernel which is supported by his vendor. Look back at the comments on the "Which Linux for Business?" story a few days ago - QA and support *is* a big deal for live servers.

The whole point of this new effort is quick disclosure after a fix and explicitly not with long embargo times c.f. Microsoft or vendor-sec. They're talking about four to fourteen days. Read the article.

Re:Good idea?

[jschottm]

if it's not done *FAST* by the developers, someone in the community will do it

The problem is that the moment it's disclosed, the blackhats also start 'doing it', except their task is often easier than that of the white hats. *FAST* releases may contain other safety flaws, bugs, break important things, or just not fix the bug. If keeping a bug [that there's no evidence of an exploit being in existance already] private for a week means that a fix is better tested and ready for release by all the major vendors at the time of disclosure, I'm not sure that's a bad thing.

This is not the case if it is kept private.

That may be the case in commercial software, but I'm not sure if it would carry over to the open source world. I suspect that Linux has attracted a certain type of programmer whose involvement goes beyond the simple code==paycheck mindset. There are people being paid by various companies to work on the kernel, but they're generally the ones that demonstrated their commitment to working on Linux prior to getting hired specifically to do so.

The decentralized nature of the kernel means that it's not dependant on the whims of a single company or a few individuals within a single organization. $COMPANY has to worry about their stock price when a vulnerability is disclosed. There's much less impact on the core Linux programmers by such things.

I can't see Linus saying to himself, "No one knows about this problem, therefore I don't have to work on it yet." Can you?

Working on my own DS_Linux

[Dancin_Santa]

On occasion I like to call it Santix, but I don't want to step on anyone's toes, so I just prepend my initials in front of "Linux" (RMS be damned).

The main thing that I try to focus on is security, and being on the LCML security mailing list has greatly improved my ability to find and squash security issues. You wouldn't believe how many security issues Linux has, actually. Luckily, most of the easy things like buffer exploits are already taken care of. The remaining issues are primarily involved in the timing issues of thread and process context switching. Exploiting the system vulnerability when it is grabbing and releasing resources. That kind of thing.

Whether or not the security list is part of the main LCML list is not really a primary concern. I'd rather have those guys working on features and we on the Security side can get those features secure. If we spent all our time thinking about how to make the system secure, we'd still be stuck with an age-old kernel like OpenBSD!

Keep those bug reports coming!

Re:Working on my own DS_Linux

[DrSkwid]

we'd still be stuck with an age-old kernel like OpenBSD

you say that like it's a bad thing ?

Re:Working on my own DS_Linux

[Oswald]

Why is this a troll? It may be sarcastic, but it raises a valid argument against the parent's attitude about kernel security. It should be modded up, at least to the level of the parent, so they can be viewed together.

Re:Working on my own DS_Linux

Where can I subscribe to this LCML?

Maybe I should browse the LKML archives and see if it's been mentioned.

Re:Working on my own DS_Linux

Linux is highly disorganized. That's great for developping stuff fast, but it's not great for making sure the whole and the parts are in harmony. Security is not something you can slap on as an afterthought, as its done in many OS, including Linux.
It's not a matter of having a stone-age kernel vs. a modern kernel. It's a matter of picking your battles. What do you want to get out of your effort? What is your focus? Without knowning this, all you can do is drive around in circles.
And look at the stability problems with the 2.6 branch. What kind of moron puts experimental code in the stable branch? It's as if the head and the tail of the animal aren't cooperating, as if they're in their own little world.

Re:Working on my own DS_Linux

[snorklewacker]

> we'd still be stuck with an age-old kernel like OpenBSD!

Want an even newer kernel? Go with windows. And it's not like BSD's don't have innovations of their own. Look at NetBSD sometime -- there's stuff in there that's so elegant, you'll weep. FreeBSD has stuff like netgraph that has no parallel in Linux (but yeah, it's a shame FBSD has let netgraph more or less rot).

Aside from SELinux, I can't think of any advanced linux-specific kernel features that are all that mainstream. And frankly, til Linux stops ripping out the scheduler and VM subsystems every other patchlevel, I just can't trust it under load. I'm dealing with runaway CPU usage and swap thrashing on servers running Linux, with the only solution being to "just drop in [bleeding-edge kernel version]". Like that's something you just drop in on a production machine. So in the meantime, I have cron jobs going whose sole job is to kill and restart processes that are perfectly stable, but the OS goes nutters on them.

Re:Working on my own DS_Linux

Maybe he's powering his Land Cruiser with Linux.
(in-joke for people who googled LCML)

Re:Working on my own DS_Linux

[Homology]

The main thing that I try to focus on is security, and being on the LCML security mailing list has greatly improved my ability to find and squash security issues. You wouldn't believe how many security issues Linux has, actually. Luckily, most of the easy things like buffer exploits are already taken care of.

You are saying that the Linux kernel have unbelievable many security issues that are hard to fix? So the hard-to-fix bugs are results of design flaws and won't be fixed anytime soon?

I'd rather have those guys working on features and we on the Security side can get those features secure. If we spent all our time thinking about how to make the system secure, we'd still be stuck with an age-old kernel like OpenBSD!

Your attitude with regards to features and security is very different from the one practiced by the OpenBSD developers. No feature will be added to OpenBSD unless the developers think that this can be done securely. To them, security is not something that is added to a feature at a later stage. This is one reason as to why OpenBSD only recently added SMP support.

In some respects part of the OpenBSD kernel is "age-old" (you mean "obsolete", I suppose), but it's secure and stable. When it comes to security, OpenBSD is far ahead of the Linux kernel.

There exists security patches (like PaX) for the Linux kernel, but they are not used by many since the commercial distros like SuSE and RedHat don't offer them. A shame, really.

Re:Working on my own DS_Linux

PaX can only go so far. It doesn't handle kernel bugs, which Linux has suffered from a lot, and will continue to suffer from as a result of the bazaar software development model.
Oh sure someone will mention that PaX has something called KERNEXEC... But guess what. It's buggy (expect lots of crashes on SMP machines) and it's not foolproof either.
I know this, I used Grsecurity patches for a long time, with finely tuned custom settings and ACLs. But I got tired of the crashes, and I got tired of wasting my time compiling and tuning kernels. Since I switched to OpenBSD, I got more free time now to work on other things, like trying to get my code finished on time.

Re:Working on my own DS_Linux

[Homology]

Why is this a troll? It may be sarcastic, but it raises a valid argument against the parent's attitude about kernel security. It should be modded up, at least to the level of the parent, so they can be viewed together.

You got modded down as well for asking this ;-) Often I see posts clearly moderated wrongly, and this is really just a testament of that particularly moderator cluelessness. Too bad metamoderation does not really work.

It's a good idea

[michelcultivo]

It's a good idea to have a group that handles security bugs into linux kernel, now we need only that the people that claims herself as "serious" only report the bugs to the kernel-security@*. "Imagine all the people living bug free kernel :)"

Single point of contact a good thing

"It would appear that they now have created a security team to privately handle the bugs, who act as the alternative to reporting the flaw to the public immediately."

Err.. no - what they have done is create a single point of contact for security related bugs instead of the mish mash we have at the moment. That POC will work with the reporter to publish the bug.

You mean we don't have one already?

[It+doesn't+come+easy]

No doubt my ignorance showing through but I am surprised there isn't a central repository for all kernel bugs, security or otherwise, already. Else, wouldn't there be a lot of "reinventing the wheel" going on?

Re:You mean we don't have one already?

[iabervon]

There is such a repository, but it is not monitored very closely, because it (rightly) accumulates all sorts of obscure notes which are useful for reference but not for informing people. There's a lot of "some hardware only I have misbehaves in some way" or "something nobody else ever tried to do doesn't work". You want this sort of information in case other people start having similar problems, but there's little incentive to fix the bug in a hurry, especially if the person found some way to avoid the problem.

The point of this list is to bring issues to the attention of people who can identify and get in touch with the people who can fix the bug. It is for communication, rather than for archival.

Community problems?

[wild_berry]

Aren't these problems inevitable with any community-developed software, that the people who have input on to project need to be aware of problems on the project?

Unfortunately, trust is an issue: the inclusion of anyone who may be able to help out opens the doors to anyone who wants to attack. Additional complexity arises when the project is sold as a product; because the people using the product actually need to become involved in the community project too if they are to get the best support. Vendor-sec kind of does this for the Kernel, but the Kernel maintainers don't think that this is enough, because it's done reasons that are, broadly, not about making the best code as safe as possible (PR publication, politics are cited in the article, but I'm not involved and haven't seen).

If this one list gets set up, there will be a need also for trusted individuals to be included on any private security list to watch and make sure that bugs are squashed, not to code or argue about how to fix a hole. I understand that this would be anathema to the maintainers who want as few people as possible on such a list to stop leaks, but see it as an important part of the community process.

Re:Community problems?

[wild_berry]

I wrote this and then realise that Linus' intention is that people do trust him, saying that he would publish security vulnerabilities plainly so that people are not hidden from the real problems tha come with this enterprise. Linus also says that he understands this isn't entirely practical.

Re:How to install Linux for mums (?) and dads:

[DrSkwid]

yeah, my mum is much better as swapping out hard disks than putting in CDs

This is to stop commercial third party patches

[Jack+Taylor]

Most of the comments I've read so far seem to be missing the point. The idea of this security team is to make sure that there aren't any publicly known exploits in the kernel without a patch being available; at the moment this is inevitable if a bug is reported directly to the kernel guys, due to the policy of immediate disclosure.

This move is primarily to stop companies running linux from going to commercial vendors to patch their kernel for them, and thus keeping linux security centralised.

Re:How to install Linux for mums (?) and dads:

[It+doesn't+come+easy]

Great idea if you are in the hard drive business...

Seriously, though, the root problem would not be addressed in this way. Need to make Linux maintenance foolproof for mum & dad (which, I realize, is a lot tougher and more time consuming than swapping a hard drive).

Re:How to install Linux for mums (?) and dads:

[Asprin]

She might be - you can draw a picture of which cables go where and how to mount it. You can't draw a picture of how to answer all the install/config questions and what to do with your data files. My idea is also recoverable (meaning you can easily go back if you want) and how much are hard drives - $40 for 40GB?

Re:How to install Linux for mums (?) and dads:

What, like this?....

http://www.mandrakesoft.com/products/globetrotter

Re:Good idea? partially?

[essreenim]

A single point of contact is a good thing in my book.

As long as it is ALWAYS mirrored and PUBLIC. I do,nt agree with their idea to make encrypted bug reports preferable, digitally signed maybe but not encrypted. I can totally understand why Linus would be against it.

make stable kernel bugs private?

[essreenim]

What bout this: a) all [unstable development kernel e.g 2.6.1] bugs get published "public" - each and every person can snoop around and either help fix it - or instead try to exploit it (even moreso, keep on exploiting it on "unpatched" systems long time after) But, keep [stable kernels] private.

Re:make stable kernel bugs private?

[pe1rxq]

Keeping bugs private doesn't prevent someone else from finding it and exploiting it.
Even worse, by keeping it private you also minimize the amount of developpers who are exposed to the mistake and the fix. By knowing about it they might not make the same or a similar mistake again in their own code.

Jeroen

Re:make stable kernel bugs private?

[essreenim]

To be honest I totally agree with you. Keep everything public but if we do keep stuff private at least keep the non critical stable kernel stuff private.

But, I agree, keep it all public - only way to be sre

Re:How to install Linux for mums (?) and dads:

Just FYI this scheme is already used; think it was linspire on seagate, but it was so long ago they started (months or even years) so I can't remember. Do some googling and see how it turned out.

Re:How to install Linux for mums (?) and dads:

[I+confirm+I'm+not+a]

you can draw a picture of which cables go where and how to mount it. You can't draw a picture of how to answer all the install/config questions and what to do with your data files.

When I read your original post, I assumed you meant that a hardware shop replaced the harddrive for mum and dad. Personally I think that proposal is great, though I share other people's concern about handing my mum a screwdriver and a diagram ;)

Time-limited privacy

[dpilot]

Holding security holes private for a limited time does make sense, but the key word is *limited*. That delay is there for the sole purpose of making sure the fix is available when the hole is disclosed. The limited part means that nobody sits on security holes, and if it becomes public without a fix, the community kicks in. Even if a fix is announced along with the hole, it's entirely possible that the community will come up with a better/cleaner fix.

Keeping "limited delay" short is the key.

Re:How to install Linux for mums (?) and dads:

[Asprin]

Yeah, sorry I didn't make that more clear typing over my oatmeal. My idea is an is entirely reversible consumer-installed hardware upgrade that gets Linux on the desktop for under 40 samoleans.

Re:How to install Linux for mums (?) and dads:

[GROOFY]

Hard drives cost more than that.

Finally!

[Dark+Coder]

A real live person to send LSM vulnerability reports to.

You forgot the last bullet point for "version B"

- every person can try to exploit it on "unpatched" systems long time after

I think you forgot the Linux kernel is open source; if a bug isn't annouced publicly when it is found, it is publicly annouced by the patch that is produced to fix it.

I'd rather see the bug annouced publicly and fixed immediately than kept private, fixed eventually, and continue still be an issue on unpatched systems.

Stop releasing advisories?

[rastakid]

the rest of the population might not even know the bug exists until a patch is released (moreso, you might not even know what the bug was)

And you seriously think system administrators are taking the time to actually patch systems against a bug they know nothing about?
Because when a patch gets released and there will be an advisory coming with it, malicious cr4x0rz *will* know where the bug is and how to exploit it. So, your plan leaves no choice but to stop releasing kernel advisories.

Where's the "mish mash"?

[khasim]

Err.. no - what they have done is create a single point of contact for security related bugs instead of the mish mash we have at the moment. That POC will work with the reporter to publish the bug.

Right now, all you have to do is look up the name of the maintainer for the sub-system with the flaw and email him/her directly.

Delegated and distributed != "mish mash".

Re:How to install Linux for mums (?) and dads:

[Asprin]

OK, 50 samoleans. Newegg has several 40GB hard drives under $50 US.

Re:How to install Linux for mums (?) and dads:

Linux maintenance? What maintenance is necessary? There are no major spyware or virus issues (yet), and software updates are more or less automated at this point. Most important, these automated updates cover ALL of the software installed, not just Windows components. If you used Windows and Linux systems at the same level (in each case not installing random software downloaded from the internet), I think you would find that they are equally maintainable. If you are in a situation where the users are installing random software, you lose the maintainability in either case.

Bottom line: the boxed Linux distros are comparable to Windows if you are building a basic, functional system. Once users want to go beyond a basic system, Windows tends to give its users more rope to hang themselves with because it makes them feel like they are in a consequence-free environment and all the garbage is written for their system anyway. The nefarious software is not so readily available for Linux and that is what hurts it in terms of desktop acceptance more than anything else.

and when viewed from another angle

... have created a security team to privately handle the bugs...

It means they have created a team that can change anything unseenly.

Re:Good idea? partially?

I do,nt agree

"don't".