Reporting Kernel Security Issues

Omniscientist writes "A recent post on KernelTrap details the lkml post by Chris Wright talking about a centralized place to report security issues pertaining to the Linux Kernel and the discussion that was generated by it, including Chris's followup. It would appear that they now have created a security team to privately handle the bugs, who act as the alternative to reporting the flaw to the public immediately."

Good idea?

[lachlan76]

To be honest, I'd rather see any security problems in LKML, than keep them private...a private bug may not be fixed, but when there is a lot of public pressure to get a patch out, if it's not done *FAST* by the developers, someone in the community will do it. This is not the case if it is kept private.

Re:Good idea?

Did you actually read the fine thread? All Chris is doing is creating a single point of contact for security related bugs. The current situation is that bugs are reported randomly to lkml, distros or whereever so some may fall through the net.

A single point of contact is a good thing in my book.

Re:Good idea?

[tibike77]

Well, it's a tradeoff issue... do you prefer that:

a) all bugs get published "public"
- each and every person can snoop around and either help fix it
- or instead try to exploit it (even moreso, keep on exploiting it on "unpatched" systems long time after)

OR

b) all serious bugs get published "privately"
- only "core contributors" get to see it and try to fix it
- the rest of the population might not even know the bug exists until a patch is released (moreso, you might not even know what the bug was)

Well, I guess (some) people prefer "version B" ;)

Re:Good idea?

[lachlan76]

Well the headline made it seem like it was just a private list so that only the dev guys know about the problems. Now that I've gotten further through the thread it seems that Linus is uhh...strongly opposed to that idea.

But if it's a security problem in the kernel and it gets reported to the vendor currently instead of lkml, what makes you think a single point of contact will be used properly?

Re:Good idea?

[pe1rxq]

but systems are less vunerable

Nobody knowing about the bug doesn't make is less vulnerable.... It might make it less likely that somebody will abuse it, but the hole is still there.

Keeping it silent only works if you are the only one capable of finding it. It has been shown time after time that that isn't true.

Jeroen

Re:Good idea?

[stevey]

There was such a list. It was called vendor-sec. There were bugs which they kept hidden instead of submitting the actual fix

No.

vendor-sec is a list where issues are discussed amongst vendors, and fixes are shared.

A bug is reported. People agree on a patch, or one is presented and given a quick check by other people - then at an agreed date all the vendors release their updates.

This means that large holes which affect core pieces of software such as the Kernel, Perl, Bind, OpenSSH all have a patch available from the vendor all at the same time - when the hole is reported.

Despite comments to the contrary bugs don't just sit their being "covered up", or held back arbitrarily - the whole point of the embargos/delays is to make sure all vendors who use the list are able to release together.

Re:Good idea?

[dmn]

...and wasn't Linux all about "version A" ? Sure, full disclosure has it's pros and cons, but there is no way to fix the cons without giving up the whole philosophy altogether.

I was completely astouned to hear that Linus himself agreed for a 5-working-day embargo on making known security issues public. Even if it proves to promote security in general, Linux will lose some of it's openness and what's worse - at the very heart - which I consider the security of a system to be.

Today, if I choose Linux, I get to know virtually everything about the software I use. I get the source code, I can find out whether anything needs to be fixed and, if it's critical, I can fix it, constantly being _sure_, that my system is as secure as possible, knowing that there are no bugs kept secret from me.

Ok, so maybe a few Linux users, or even admins have ever looked into the kernel code, to fix a bug, but that's not the point. I mean, how can you talk about cooperation and openness if you keep critical information available only for an eleet, which "knows better" and will give you the fix, as soon as they're done. This is IMO against the spirit of Linux.

Or am I getting things wrong ?

Re:Good idea?

[EsbenMoseHansen]

bug won't exist forever in Linux since linux programmer aren't CEO like in M$ where money is their main motivation (which makes their programmer spend more time on features than fixing bugs, leading to bugs not fixed for months). they WILL patch a system asap so this won't be an issue.

I have seen repeatedly that this just isn't the case. Often bugs get ignored until it is released into the public, after which it is quickly closed. If you doubt me, try searching the Mozilla bug database after security bugs. Their policy was 3 months before the bug was made public.

Openness is the only way. It is my uncomfortable experince. Sorry.

Re:Good idea?

[jschottm]

if it's not done *FAST* by the developers, someone in the community will do it

The problem is that the moment it's disclosed, the blackhats also start 'doing it', except their task is often easier than that of the white hats. *FAST* releases may contain other safety flaws, bugs, break important things, or just not fix the bug. If keeping a bug [that there's no evidence of an exploit being in existance already] private for a week means that a fix is better tested and ready for release by all the major vendors at the time of disclosure, I'm not sure that's a bad thing.

This is not the case if it is kept private.

That may be the case in commercial software, but I'm not sure if it would carry over to the open source world. I suspect that Linux has attracted a certain type of programmer whose involvement goes beyond the simple code==paycheck mindset. There are people being paid by various companies to work on the kernel, but they're generally the ones that demonstrated their commitment to working on Linux prior to getting hired specifically to do so.

The decentralized nature of the kernel means that it's not dependant on the whims of a single company or a few individuals within a single organization. $COMPANY has to worry about their stock price when a vulnerability is disclosed. There's much less impact on the core Linux programmers by such things.

I can't see Linus saying to himself, "No one knows about this problem, therefore I don't have to work on it yet." Can you?

Working on my own DS_Linux

[Dancin_Santa]

On occasion I like to call it Santix, but I don't want to step on anyone's toes, so I just prepend my initials in front of "Linux" (RMS be damned).

The main thing that I try to focus on is security, and being on the LCML security mailing list has greatly improved my ability to find and squash security issues. You wouldn't believe how many security issues Linux has, actually. Luckily, most of the easy things like buffer exploits are already taken care of. The remaining issues are primarily involved in the timing issues of thread and process context switching. Exploiting the system vulnerability when it is grabbing and releasing resources. That kind of thing.

Whether or not the security list is part of the main LCML list is not really a primary concern. I'd rather have those guys working on features and we on the Security side can get those features secure. If we spent all our time thinking about how to make the system secure, we'd still be stuck with an age-old kernel like OpenBSD!

Keep those bug reports coming!

Re:Working on my own DS_Linux

[DrSkwid]

we'd still be stuck with an age-old kernel like OpenBSD

you say that like it's a bad thing ?

It's a good idea

[michelcultivo]

It's a good idea to have a group that handles security bugs into linux kernel, now we need only that the people that claims herself as "serious" only report the bugs to the kernel-security@*. "Imagine all the people living bug free kernel :)"

Single point of contact a good thing

"It would appear that they now have created a security team to privately handle the bugs, who act as the alternative to reporting the flaw to the public immediately."

Err.. no - what they have done is create a single point of contact for security related bugs instead of the mish mash we have at the moment. That POC will work with the reporter to publish the bug.

You mean we don't have one already?

[It+doesn't+come+easy]

No doubt my ignorance showing through but I am surprised there isn't a central repository for all kernel bugs, security or otherwise, already. Else, wouldn't there be a lot of "reinventing the wheel" going on?

Community problems?

[wild_berry]

Aren't these problems inevitable with any community-developed software, that the people who have input on to project need to be aware of problems on the project?

Unfortunately, trust is an issue: the inclusion of anyone who may be able to help out opens the doors to anyone who wants to attack. Additional complexity arises when the project is sold as a product; because the people using the product actually need to become involved in the community project too if they are to get the best support. Vendor-sec kind of does this for the Kernel, but the Kernel maintainers don't think that this is enough, because it's done reasons that are, broadly, not about making the best code as safe as possible (PR publication, politics are cited in the article, but I'm not involved and haven't seen).

If this one list gets set up, there will be a need also for trusted individuals to be included on any private security list to watch and make sure that bugs are squashed, not to code or argue about how to fix a hole. I understand that this would be anathema to the maintainers who want as few people as possible on such a list to stop leaks, but see it as an important part of the community process.

This is to stop commercial third party patches

[Jack+Taylor]

Most of the comments I've read so far seem to be missing the point. The idea of this security team is to make sure that there aren't any publicly known exploits in the kernel without a patch being available; at the moment this is inevitable if a bug is reported directly to the kernel guys, due to the policy of immediate disclosure.

This move is primarily to stop companies running linux from going to commercial vendors to patch their kernel for them, and thus keeping linux security centralised.

Re:Good idea? partially?

[essreenim]

A single point of contact is a good thing in my book.

As long as it is ALWAYS mirrored and PUBLIC. I do,nt agree with their idea to make encrypted bug reports preferable, digitally signed maybe but not encrypted. I can totally understand why Linus would be against it.

make stable kernel bugs private?

[essreenim]

What bout this: a) all [unstable development kernel e.g 2.6.1] bugs get published "public" - each and every person can snoop around and either help fix it - or instead try to exploit it (even moreso, keep on exploiting it on "unpatched" systems long time after) But, keep [stable kernels] private.

Time-limited privacy

[dpilot]

Holding security holes private for a limited time does make sense, but the key word is *limited*. That delay is there for the sole purpose of making sure the fix is available when the hole is disclosed. The limited part means that nobody sits on security holes, and if it becomes public without a fix, the community kicks in. Even if a fix is announced along with the hole, it's entirely possible that the community will come up with a better/cleaner fix.

Keeping "limited delay" short is the key.

Where's the "mish mash"?

[khasim]

Err.. no - what they have done is create a single point of contact for security related bugs instead of the mish mash we have at the moment. That POC will work with the reporter to publish the bug.

Right now, all you have to do is look up the name of the maintainer for the sub-system with the flaw and email him/her directly.

Delegated and distributed != "mish mash".