Re: Brad gets real!

[Shawn Webb via Dailydave <dailydave () lists aitelfoundation org>]

Fully agreed with you there. I also dislike the culture of treating
security vulnerabilities as "just another bug." I feel there's some
form of newspeak with regards to security and the Linux kernel. There
is indeed a formalized method to report security-related bugs to the
Linux kernel (emailing security _AT _ kernel _DOT_ org). Yet Linux
developer culture says "all bugs are bugs, regardless of security
impact. A security bug is just another bug."

In this increasingly digital information age, it would be well to
differentiate security versus errata bugs.

I also wonder about stigma regarding introduction of vulnerable code.
We're all humans--we make mistakes from time to time. Our eyes get
tired and we sometimes forget to check a NULL pointer, or sometimes we
forget that +1 for NUL character string termination. I sometimes
wonder whether Linux's culture of treating security bugs as
non-important is due to stigma. Thoughts?

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

GPG Key ID:          0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9  3633 C85B 0AF8 AB23 0FB2
https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

On Mon, Jul 06, 2020 at 04:41:40PM -0700, Dave Aitel wrote:
> This is possibly true, although an Android vs iOS comparison here might be
> more apt, from a technical perspective? But what Brad truly nails in his
> talk is an overarching culture around the process of Linux kernel
> development that is decidedly non-optimal when it comes to security.
>
> For example, when proposing security features, a healthy community would
> take a suggested patch and debate "What were you trying to accomplish? What
> is the best way to implement that?" and the Linux community instead has a
> series of formatting gateways, and then a rejection. (According to the talk
> - I am not a Linux kernel dev).
>
> Debating security boundaries and threat models is a sign of a healthy
> community, especially in a structured, non-confrontational way.
>
> -dave
>
>
>
> On Mon, Jul 6, 2020 at 12:06 PM Shawn Webb <shawn.webb () hardenedbsd org>
> wrote:
>
> > On Mon, Jul 06, 2020 at 11:37:13AM -0700, Dave Aitel via Dailydave wrote:
> > > https://www.youtube.com/watch?v=F_Kza6fdkSU
> > >
> > > So I wanted to highlight this talk from Brad Spengler about the state of
> > > Linux security. It's a damning report if you read even a little bit
> > between
> > > the lines. And on many levels. As Halvar points out, Android deliberately
> > > avoided investing what they knew they needed to invest in platform
> > security
> > > in the effort to gather significant early market share, even knowing it
> > > would harm their user-base in a multitude of ways.
> > >
> > > And this kind of philosophical trade off taken by companies filters into
> > > the Linux security ecosystem, creating Ogres of various sorts, like
> > > Calamity Gannon's corruption of various parts of Hyrule. For example,
> > > phones often run on an older Linux kernel, which means there is economic
> > > incentive to backport features and security fixes to those kernels, or
> > > pretend you can.
> > >
> > > Likewise, much of the effort of the Linux security community is focused
> > on
> > > KASLR, which Brad points out, is largely a waste of time.
> > >
> > > He also talks about Syzkiller, automated exploit generation, and a host
> > of
> > > other things. Well worth a listen!
> >
> > It's also hard to innovate without a userland that is tightly
> > integrated with the kernel (like the BSDs). On the BSD side, we're
> > able to ship an entire ecosystem with exploit mitigations applied
> > because a basic userland is shipped and integrated with the kernel.
> >
> > The way in which the BSDs are structured enables innovation across the
> > entire ecosystem. We at HardenedBSD are able to test and deploy
> > exploit mitigations across the base operating system in addition to
> > 33,000+ packages.
> >
> > In addition to Brad's observations, I opine that the fragmentation of
> > Linux has provided a net decrease in security posture.
> >
> > --
> > Shawn Webb
> > Cofounder / Security Engineer
> > HardenedBSD
> >
> > GPG Key ID:          0xFF2E67A277F8E1FA
> > GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9  3633 C85B 0AF8 AB23 0FB2
> >
> > https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

Attachment: signature.asc
Description:

_______________________________________________
Dailydave mailing list -- dailydave () lists aitelfoundation org
To unsubscribe send an email to dailydave-leave () lists aitelfoundation org