Slashdot Mirror


Linus's Thoughts on Linux Security (washingtonpost.com)

Rick Zeman writes: The Washington Post has a lengthy article on Linus Torvalds and his thoughts on Linux security. Quoting: "...while Linux is fast, flexible and free, a growing chorus of critics warn that it has security weaknesses that could be fixed but haven't been. Worse, as Internet security has surged as a subject of international concern, Torvalds has engaged in an occasionally profane standoff with experts on the subject. ...

His broader message was this: Security of any system can never be perfect. So it always must be weighed against other priorities — such as speed, flexibility and ease of use — in a series of inherently nuanced trade-offs. This is a process, Torvalds suggested, poorly understood by his critics. 'The people who care most about this stuff are completely crazy. They are very black and white,' he said ... 'Security in itself is useless. The upside is always somewhere else. The security is never the thing that you really care about.'"

Of course, contradictory points of view are presented, too: "While I don't think that the Linux kernel has a terrible track record, it's certainly much worse than a lot of people would like it to be," said Matthew Garrett, principal security engineer for CoreOS, a San Francisco company that produces an operating system based on Linux. At a time when research into protecting software has grown increasingly sophisticated, Garrett said, "very little of that research has been incorporated into Linux."


  1. Nailed it by Anonymous Coward · · Score: 5, Interesting

    'The people who care most about this stuff are completely crazy. They are very black and white,' he said ... 'Security in itself is useless. The upside is always somewhere else. The security is never the thing that you really care about.'"

    This nails it entirely on the head, and is why a lot of security and privacy nutters gain so little traction when dealing with the masses. Security and privacy are important, but they need to be balanced pragmatically with what people actually want to do with the system.

    1. Re:Nailed it by postbigbang · · Score: 4, Insightful

      No.

      It's the very height of arrogance to not consider safety. Security isn't about paranoia; it's about bad guys, and there are a huge number of them, using coder stupidity and this sort of arrogance to rob people of real money, or ransom systems.

      It's an enormous failure of engineers that don't put safety first while trying to be faster, cooler, or wittier than the next engineer. You can call it artistic creation, egalitarianism, but without the concern for the safety of others, it's boorish, arrogant, and rife for misdeed.

      --
      ---- Teach Peace. It's Cheaper Than War.
    2. Re:Nailed it by vtcodger · · Score: 3, Insightful

      Ahem ... I think maybe you don't fully understand. It's not that kernel security is entirely unimportant. It's that the idea that you can or should fix imaginary security problems in the kernel seems kind of ditzy. It's sort of like protecting New York City from terrorists by hiring more police and assigning them to florist shops. Yes, that would presumably discourage terrorist floral attacks. But since when are those a known or potential problem?

      If you want to secure computing, then reduce attack surfaces dramatically. Don't hook everything in sight up to the same internet. Cut way back on the number of protocols in use. Lose idiocy like Javascript. Fix eccentric cookie behavior, etc, etc, etc.

      If, after doing that, it turns out there are exploitable holes in the kernel -- say a flaw that allows a carefully crafted IP packet to make arbitrary changes to the system or a way for the janitor to inject a privileged process from a USB stick into people's desktop PC startup while he/she is emptying the wastebaskets -- I doubt there will be any resistance from Torvalds or anyone else to fixing them.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    3. Re:Nailed it by Anonymous Coward · · Score: 3, Interesting

      He gets the message but he doesn't agree with your core ideals; there is a big difference.
      Also, you accused aussersterne of putting words in Linus's mouth, but here you are not only doing the same but also in an arrogant and insulting fashion.
      Double irony does not cancel itself out.

      I think Linus's point is very clear. Security has no value by itself. It is nice, but it should never get in the way of getting the job done.
      This is very similar to the reasoning that is used when considering life-critical applications.
      Safety is nice, but if it gets in the way of getting the job done the user will disable it. Therefore safety has to be added in a way that doesn't inconvenience the user.
      Luckily the kernel is open sourced so if you think that you can make a more secure kernel without hurting its functionality then you can go ahead. You certainly seem to think that you know better than others and there clearly is big money in doing so.

    4. Re:Nailed it by Junta · · Score: 5, Insightful

      that doesn't inconvenience the user.

      That's the real key takeaway, and the point people like to talk past. It's like a full harness versus a seat belt. A full harness would be objectively safer if used, but fewer people are going to go to the hassle of connecting up a full harness every time they drive, and so the seatbelt from a practical standpoint is the better choice to offer to customers of the automotive industry.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    5. Re:Nailed it by Junta · · Score: 3, Insightful

      Depends on your definition of 'decent'.

      Distributions that have made strict use of SELinux to tightly lock things down may be 'decent' to security folks, but terrible to use, causing people to just turn it off.

      Distributions that have piled tons of permissive policies to make some moderately useful environment get derided by security folks as being too lax, though they at least get to enforce the restrictions they designed.

      It's impossible to make both people trying to get their work done and hard core security guys happy...

      --
      XML is like violence. If it doesn't solve the problem, use more.
    6. Re:Nailed it by gweihir · · Score: 4, Insightful

      As a security expert, I fully agree. Security is something that you need to think about from the beginning, but you only ever need enough that your residual risks are acceptable.

      These "critics" often do not get how to do professional risk management (Linus does) and, quite often, I get the impression they do not have any significant coding experience, as they seem to think the changes they would like are easy to implement. I run into these black vs. white people in security quite frequently. These are the amateurs that do not understand that actually building things that work is already very, very hard, and if you keep changing things all the time you just end up with a dysfunctional, insecure mess. Also, if you want a stable product, you incorporate research results only after they have been tested out in practice for a few years and only if they bring you a significant gain.

      The Linux kernel has an excellent security track record in its core. Some drivers are not that good, but that is why if you need high security, you only compile those that you really need.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Security as a trade-off by QuietLagoon · · Score: 4, Insightful

    Linus Torvalds: ...Security of any system can never be perfect. So it always must be weighed against other priorities — such as speed, flexibility and ease of use — in a series of inherently nuanced trade-offs....

    Fortunately, there are open source operating systems available where security is less of a trade-off and more of a priority, such as OpenBSD, where the developers maintain a laser focus on security.

    1. Re:Security as a trade-off by Shinobi · · Score: 5, Interesting

      On the other hand, OpenBSD is perfect proof that Linus is right: The trade-off is that for the increased security, you suffer in terms of the computer being useful for other things. It's useless for anyone wanting to do 3D modelling and animation for example, or working with video editing.

    2. Re:Security as a trade-off by LichtSpektren · · Score: 4, Interesting

      Exactly this. Windows is insecure as fuck, but people use it because their software runs on it. OpenBSD is probably unbreachable but it's terribly useless as anything but a firewall; to use it as a general OS, you have to turn a lot of its security precautions off. Linux (and by that I mean "GNU/Linux" e.g. RHEL, SUSE, Debian; not Android) gives us a healthy balance between usefulness and security. That's why almost every webserver runs Linux.

    3. Re:Security as a trade-off by Anonymous Coward · · Score: 3, Insightful

      That is not the idea behind OpenBSD. If you use only the packages available and tested on OpenBSD, the people of OpenBSD guarantee you that they have done everything in their power to make those packages as secure as possible. Note that they don't guarantee there are no security issues at all. But at least they are very open when problems occur and immediately start working on fixing any security issues.

      OpenBSD is not meant to be used as a 'normal' consumer OS where you just install whatever software you need, and compile it from source when it is not made available by the OpenBSD people. The OpenBSD people will not guarantee anything when you compile and install your own packages. In fact an OpenBSD installation with custom-compiled packages will probably be less secure than a full-blown BSD/Linux distribution that offers all those 3D modeling and animation packages out of their own repositories. The rate of detecting security issues when thousands of users install and check these packages is a lot higher than just you who compiles and installs random software.

      OpenBSD is probably the most secure OS available, as long as you use only the packages that are made available. I've used OpenBSD as an internet firewall/router, a basic webserver and a DNS server. I would not suggest using OpenBSD for a desktop with advanced software because installing custom compiled software on an OpenBSD will no longer make it the most secure OS and there are better solutions: other operating systems that offer the specialized software out of the box.

    4. Re:Security as a trade-off by QuietLagoon · · Score: 4, Insightful

      ...OpenBSD is probably unbreachable but it's terribly useless as anything but a firewall; to use it as a general OS, you have to turn a lot of its security precautions off....

      OpenBSD's security is not some superficial thing; it goes deep into the OS. You don't just "turn it off"; indeed, some aspects of it cannot be turned off because some aspects of the security are the coding conventions used.

      To your comment about OpenBSD being useless for anything but a firewall, I've used OpenBSD on my notebook and it fits the job quite well.

  3. Linux the OS vs. the Kernel by CajunArson · · Score: 5, Insightful

    Linux the OS certainly has had numerous real-world security problems that need to be addressed. I don't particularly care about the semantics of "Oh it's just a kernel!" because I could play the exact same game with Windows where Windows kernel vulnerabilities aren't super common either. Guess what: Linux and Windows both run the same web browsers these days, and that's a cross-platform security hole no matter who wrote the kernel.

    Additionally, the biggest security hole I see now is Android due to the fact that it's damn near impossible to actually get upgraded software to fix the numerous holes.

    However, Torvalds' direct responsibility is the kernel, so in this particular context I'm not going to give him too much grief. The Linux kernel does actually include extremely sophisticated mandatory access control systems like AppArmor, SELinux, etc. However... and this goes to his point... these systems are used sparingly because they are REALLY complex and lead to all kinds of usability issues for unsophisticated users (And "unsophisticated" here could easily mean a skilled Unix sysadmin with years of experience. These MAC systems are *not* considered "normal" in UNIX).

    So basically: Yeah, Linux is not perfect. Nothing out there is perfect. However, the kernel actually does have a bunch of sophisticated security facilities. Maybe more work should go into making these sophisticated security features more accessible and useful to regular people.

    --
    AntiFA: An abbreviation for Anti First Amendment.
  4. The point is that safety alone is not productive. by aussersterne · · Score: 4, Insightful

    We are talking about securing tools. But the point is that tools do things. We want tools to help us to accomplish the things that the tools do.

    A perfectly safe hammer is entirely possible. Make it out of flame-resistant, soft, synthetic materials and fill it with something equally soft. Shape it more like a ball than like a stick, so no-one can accidentally stick it in their mouth and suffocate.

    Of course, now you have something that can't be used to pound in nails—but it's entirely the safest hammer on the planet.

    Will anyone buy it or use it? Of course not. And they'll still need something with which to pound in nails. That's Linus' point.

    --
    STOP . AMERICA . NOW
  5. This article is pure FUD by LichtSpektren · · Score: 4, Insightful

    TFS makes the article look rather balanced, but if you actually read it, it's pretty clearly FUD attempting to make the kernel team look indifferent (or even incompetent) regarding security. It blames the "towelroot" Android exploit as being the fault of Linux, and compares Linux security to car manufacturers in the 1960s willfully avoiding seat belts and other safety mechanisms. Was the author bribed by Microsoft?

    1. Re:This article is pure FUD by PhrostyMcByte · · Score: 4, Informative

      No kidding. The thing continually suggests that Linux is insecure on all number of ways (none are mentioned specifically), and that Linus is indifferent toward security. It has this completely useless statement to try to create a false association between Linux and the Ashley Madison hack:

      Versions of Linux have proved vulnerable to serious bugs in recent years. AshleyMadison.com, the Web site that facilitates extramarital affairs and suffered an embarrassing data breach in July, was reportedly running Linux on its servers, as do many companies. Those problems did not involve the kernel itself,...

  6. As a security professional... by SecurityGuy · · Score: 5, Informative

    I have to say that if this is his position:

    His broader message was this: Security of any system can never be perfect. So it always must be weighed against other priorities — such as speed, flexibility and ease of use — in a series of inherently nuanced trade-offs. This is a process, Torvalds suggested, poorly understood by his critics. 'The people who care most about this stuff are completely crazy. They are very black and white,' he said ... 'Security in itself is useless. The upside is always somewhere else. The security is never the thing that you really care about.'"

    He's absolutely dead right, and more people in the security profession need to understand what their job is really about. Security is a support role. Our job is to make someone else's stuff work better. Even if you're Secret Service protecting the president, the core value in your job isn't security for its own sake; it's making sure the guy in the suit is able to do his job tomorrow.

    1. Re:As a security professional... by Major+Blud · · Score: 3, Funny

      "Yes, the goals of the secpro often conflict with the goals of the desktop support technician, but in the end security is more important than usability"

      So take your server, unplug it from the network, lock it in a safe, and throw away the key... since security is more important than usability, as you say.

      --
      If you post as Anonymous Coward, don't expect a reply.
    2. Re:As a security professional... by Cassini2 · · Score: 5, Insightful

      If the job was only about securing data, then security professionals would recommend destroying the data. The military has been known to do exactly this. Destroying the data creates the ultimate security.

      What makes security people into security professionals is that the professionals can design systems that allow authorized activities to happen smoothly while simultaneously keeping out the bad guys. That is a much harder task than simply securing the data against unauthorized access. It requires the professional to focus on the balance between usability, security and profit.

  7. Linus isn't trying to make it black and white. by aussersterne · · Score: 5, Insightful

    He's trying to say that if people want powerful, flexible networking, they'll choose an 80% safe OS that enables this easily over a 90% safe OS that imposes lots of overhead costs to make it possible; that people will choose a 60% secure OS that runs their processing jobs in 3 hours over an 85% secure OS that runs their processing jobs in 6 hours.

    He's pointing out that people like security well enough, but they want to get stuff DONE even more, and that most people will take the calculated risk to be less secure if it makes them more productive at lower costs. That if there is a less secure but more productive option, up to some arbitrary point (that is different in each case, but that can be inferred by the movement of markets and communities as a whole), they'll choose the more productive option.

    And that there is no point in saying "then all of us that produce these things must get together and make highly secure, if less capable stuff, so that all choices are equally highly secure!" because as soon as that happens, a garage coder somewhere is going to have a project on github that says "I got tired of waiting for jobs to finish, so I wrote my own from scratch. It's totally insecure, but damned if it doesn't finish the job in half the time!" and that people will immediately flock to it.

    In other words, his goals for Linux aren't for Linux to be the most secure OS on the planet, but to be one of the most useful and used ones.

    --
    STOP . AMERICA . NOW
    1. Re:Linus isn't trying to make it black and white. by Anonymous Coward · · Score: 3, Insightful

      "He's trying to say that if people want powerful, flexible networking, they'll choose an 80% safe OS that enables this easily over a 90% safe OS that imposes lots of overhead costs to make it possible; that people will choose a 60% secure OS that runs their processing jobs in 3 hours over an 85% secure OS that runs their processing jobs in 6 hours."

      Not all people want to make the same tradeoffs, which I thought was one of the points Torvalds was making. In any case the issue is about system security, where the operating system or networking are only one component.

      "that most people will take the calculated risk"

      Most people aren't calculating it, they are just assuming the risk is worth it. Ignorance of the risk or assumption of the absence of risk is not the same as mitigating risk.

      For some tasks low security is unreasonable, or the system may be protected as a whole by other systems (e.g. firewalls around the outside of a less secure centre). For some tasks less than 100% accuracy is appropriate if time is of the essence and one end of the false positive or false negative spectrum is an acceptable risk.

      Really, Linux security should be seen as only one component of system security, and different levels of Linux security may be appropriate depending on the design parameters of the system. It's useful to be able to have "90% security" if your system design requires it and an alternative design is not possible.

    2. Re:Linus isn't trying to make it black and white. by The-Ixian · · Score: 4, Interesting

      Yes, I administer a small network of about 150 bodies and roughly double that number of devices.

      I take security seriously.

      However, there are trade offs.

      For example, I *could* implement a sandbox environment for all apps, do application whitelisting, strip attachments and links from e-mails and a bunch of other stuff... but these things add complexity and reduce productivity as they inevitably run head-on into usability.

      As it is, I do everything reasonable to avoid the worst, but security is definitely second fiddle to productivity.

      --
      My eyes reflect the stars and a smile lights up my face.
  8. Matthew Garrett again by Anonymous Coward · · Score: 5, Insightful

    Matthew Garrett again trying to remove Linus from the equation. First they tried with the rants angle, now with the "security" aspect. Pure FUD.

  9. Re:The point is that safety alone is not productiv by Bengie · · Score: 5, Insightful

    To further your point, unplug your computer from power and it's 100% safe from remote attacks.

  10. TRANSLATION by cstacy · · Score: 4, Insightful

    What Slashdot readers hear: "Linux is not BSD."
    What normal people hear: "Linux is a terribly insecure OS from some total asshole, who by the way doesn't give a shit."
    Mainstream Media's message: "Better stick with Microsoft Windows; it's the only thing that's secure."

  11. Security is quality by Shadow+IT+Ninja · · Score: 3, Insightful

    I agree that operating system engineers should not get bogged down in details of security. What they should do, however, is concentrate on those aspects of security which equate to quality, especially stability and transparency. Not crashing in response to unusual input and handling overloads gracefully are really important aspects of security. Likewise, the ability to see what is going on in your OS is fundamental to security. For example, I have argued for some time that the addition of DTrace to Mac OS X is an important security feature. The reaction I get is "That's just a debugger." No, the ability to understand what's going on is absolutely necessary to security. These things do not degrade the user experience or make an OS less usable. They make it better.