Dailydave mailing list archives

Re: Brad gets real!


From: Dave Aitel via Dailydave <dailydave () lists aitelfoundation org>
Date: Mon, 6 Jul 2020 16:41:40 -0700

This is possibly true, although an Android vs iOS comparison here might be
more apt, from a technical perspective? But what Brad truly nails in his
talk is an overarching culture around the process of Linux kernel
development that is decidedly non-optimal when it comes to security.

For example, when proposing security features, a healthy community would
take a suggested patch and debate "What were you trying to accomplish? What
is the best way to implement that?" and the Linux community instead has a
series of formatting gateways, and then a rejection. (According to the talk
- I am not a Linux kernel dev).

Debating security boundaries and threat models is a sign of a healthy
community, especially in a structured, non-confrontational way.

-dave



On Mon, Jul 6, 2020 at 12:06 PM Shawn Webb <shawn.webb () hardenedbsd org>
wrote:

On Mon, Jul 06, 2020 at 11:37:13AM -0700, Dave Aitel via Dailydave wrote:
https://www.youtube.com/watch?v=F_Kza6fdkSU

So I wanted to highlight this talk from Brad Spengler about the state of
Linux security. It's a damning report if you read even a little bit between
the lines. And on many levels. As Halvar points out, Android deliberately
avoided investing what they knew they needed to invest in platform security
in the effort to gather significant early market share, even knowing it
would harm their user-base in a multitude of ways.

And this kind of philosophical trade-off taken by companies filters into
the Linux security ecosystem, creating Ogres of various sorts, like
Calamity Ganon's corruption of various parts of Hyrule. For example,
phones often run on an older Linux kernel, which means there is economic
incentive to backport features and security fixes to those kernels, or
pretend you can.

Likewise, much of the effort of the Linux security community is focused on
KASLR, which, Brad points out, is largely a waste of time.

He also talks about syzkaller, automated exploit generation, and a host of
other things. Well worth a listen!

It's also hard to innovate without a userland that is tightly
integrated with the kernel (like the BSDs). On the BSD side, we're
able to ship an entire ecosystem with exploit mitigations applied
because a basic userland is shipped and integrated with the kernel.

The way in which the BSDs are structured enables innovation across the
entire ecosystem. We at HardenedBSD are able to test and deploy
exploit mitigations across the base operating system in addition to
33,000+ packages.

In addition to Brad's observations, I opine that the fragmentation of
Linux has provided a net decrease in security posture.

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

GPG Key ID:          0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9  3633 C85B 0AF8 AB23 0FB2

https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
