Gentoo Archives: gentoo-security

From: Eduardo Tongson <propolice@×××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Kernel Security + KISS
Date: Thu, 21 Feb 2008 13:53:40
Message-Id: b18fbe3c0802210552y36ddf585w14d53b5c6bc21362@mail.gmail.com
In Reply to: Re: [gentoo-security] Kernel Security + KISS by Casey Link
Nice plan. I think you are more able to lead. Can we communicate more
in email, perhaps a Google group or list? IRC is not efficient for
people in different timezones.

-- ed*eonsec

On Thu, Feb 21, 2008 at 9:35 PM, Casey Link <unnamedrambler@×××××.com> wrote:
> A couple days ago I discussed (in #gentoo-security) with Robert
> (rbu@g.o) a solution to the Kernel security issue. Robert has a good
> plan to keep the bugzilla data in bugzilla, that is, don't take away
> the essentials from bugzilla. And that is by implementing a tagging
> system for each bug. In the whiteboard field for each bug could go
> something like so (this is taken from our IRC convo):
> [linux < 2.6.22] [genpatches < 2.6.20-3] [xen-sources < 2.6.18-r2]
> Which would translate as kernel.org upstream released 2.6.22 with a
> fix, genpatches released 2.6.20-3 with a fix, and xen-sources released
> 2.6.18-r2 with the patch applied.
>
> A tool could then be written to parse the bugzilla entries and
> generate reports. Then when all the sources have been patched a GLSA
> can be released.
> I like this idea because all the data stays in bugzilla, so you can go
> to bugzilla and get all the information you need about each bug.
>
> I don't see why this tool cannot be available for users too, in the
> same form that KISS was. I came across these screenshots:
> http://dev.gentoo.org/~dsd/misc/kiss1.jpg
> http://dev.gentoo.org/~dsd/misc/kiss2.jpg
>
> What if KISS was an external tool like shown in those pictures, but
> parsed the bugzilla entries and generated reports like I talked about
> above. Robert's whiteboard tagging system is a great one, but the
> system needs a way to view the status of all the sources together and
> individually, similarly to what is shown in those screenshots... and why
> not make this a website? A single GLSA could still be released per bug
> once all sources had been patched, but KISS could be a place for users
> to go (if they feel so inclined) to get an overall and granular status
> report of the various sources in portage.
>
> Perhaps KISS could offer an email notification option. A user could
> "subscribe" to several sources and be notified about their security
> status. The user could even specify what sort of information he
> wanted: vulnerability report, severity levels, patches released, etc.
>
> Those are just some thoughts I had. I already tossed my hat in but
> I've got medium C experience, and I am pretty experienced with hosting
> setups, and simple web development (PHP mainly). I would be willing to
> work on something like I described above: bugzilla parsing, a nice
> Web display, etc.
>
> Casey
>
>
> On Thu, Feb 21, 2008 at 8:09 AM, Robert Joslyn <rjmars97@×××××.com> wrote:
> > I would like to help as well. I have limited C experience unfortunately,
> > and most of that is programming PIC microcontrollers. Been using Gentoo for
> > years, and would love to give something back.
> >
> > Robert
> >
> > On Thu, Feb 21, 2008 at 4:34 AM, George Prowse <cokehabit@×××××.com> wrote:
> > > I'm interested, no C knowledge but plenty of time, passed the dev exam
> > > and a willingness to learn. It's been on my agenda for a long time.
> > >
> > > nick loeve wrote:
> > > > I can help also... I have limited free time but am willing to put in
> > > > some hours...
> > > >
> > > > I have medium C knowledge, reasonable kernel experience, and also a
> > > > strong linux background
> > > >
> > > > On Thu, Feb 21, 2008 at 8:02 AM, Arthur Bispo de Castro
> > > > <arthur@××××××××××××××.br> wrote:
> > > >> I'm interested... little C knowledge, very curious about kernel, strong
> > > >> linux background...
> > > >>
> > > >> Is there another prereq to join this?
> > > >>
> > > >> On Thu, Feb 21, 2008 at 04:20:02AM -0200, Juan Pablo Olivera wrote:
> > > >> > I am interested too :)
> > > >> >
> > > >> > No C knowledge but strong linux background and very organized guy.
> > > >> >
> > > >> > On Thu, 2008-02-21 at 01:05 -0500, Casey Link wrote:
> > > >> > > It would probably help if we knew how many people were interested.
> > > >> > >
> > > >> > > I am. +1
> > > >> > >
> > > >> > > Casey
> > > >> > >
> > > >> > > On Wed, Feb 20, 2008 at 10:16 PM, Eduardo Tongson
> > > >> > > <propolice@×××××.com> wrote:
> > > >> > > > Alright, how do we proceed to get this team started?
> > > >> > > >
> > > >> > > > ed*eonsec
> > > >> > > >
> > > >> > > > On Thu, Feb 21, 2008 at 6:55 AM, Ned Ludd <solar@g.o> wrote:
> > > >> > > > >
> > > >> > > > > On Wed, 2008-02-20 at 13:59 -0500, Harlan Lieberman-Berg wrote:
> > > >> > > > > > On Sunday 17 February 2008 23:12:35 Robert Buchholz wrote:
> > > >> > > > > > > On Sunday, 17. February 2008, Eduardo Tongson wrote:
> > > >> > > > > > > > What specific kernel knowledge is needed to get a
> > > >> > > > > > > > Kernel advisory up and running?
> > > >> > > > > > >
> > > >> > > > > > > Between becoming aware of a vulnerability in Linux and
> > > >> > > > > > > drafting an advisory for one or all kernel sources comes
> > > >> > > > > > > the part where you review which versions of which kernel
> > > >> > > > > > > sources are affected and unaffected. You also need to pay
> > > >> > > > > > > attention to specifics of the added patchsets, which might
> > > >> > > > > > > duplicate vulnerabilities.
> > > >> > > > > > >
> > > >> > > > > > > Parts of the job can indeed be done without Kernel and C
> > > >> > > > > > > knowledge, but some cannot. So if we draft a new kernel
> > > >> > > > > > > security *team*, people without C and kernel knowledge are
> > > >> > > > > > > helpful -- some others need to have it, though.
> > > >> > > > > > >
> > > >> > > > > > > Robert
> > > >> > > > > >
> > > >> > > > > > To be honest, 99% of what is done in the kernel security
> > > >> > > > > > team can be done with no C knowledge at all.
> > > >> > > > > >
> > > >> > > > > > I'm not an expert C person - far from it - but I eventually
> > > >> > > > > > became the head of Kernel Security until I retired a few
> > > >> > > > > > months ago.
> > > >> > > > > >
> > > >> > > > > > Most of it is bug handling. The major problem is a social,
> > > >> > > > > > not a technical one. Because of the manner in which our
> > > >> > > > > > kernels are organized, a single vulnerability involves
> > > >> > > > > > checking upstream version numbers, coordinating them into
> > > >> > > > > > our downstream version numbers for all sources, checking to
> > > >> > > > > > see if the sources are affected, figuring out who to CC for
> > > >> > > > > > the bugs, then harassing them until they do it.
> > > >> > > > > >
> > > >> > > > > > Unlike other security sources, any attempt to hardmask the
> > > >> > > > > > package is shut down instantly. The chaos that would result
> > > >> > > > > > from a kernel hardmask, even one of the lesser used ones,
> > > >> > > > > > caused me to only successfully order one over my entire
> > > >> > > > > > career in Gentoo Kernsec... even though around 30 more
> > > >> > > > > > would have been needed. It is not infrequent that bugs will
> > > >> > > > > > last six months without any action coming about them, and
> > > >> > > > > > users are blissfully unaware.
> > > >> > > > > >
> > > >> > > > > > I am happy to give my input as the former head of Kernel
> > > >> > > > > > Security, but it is my personal opinion that any advances in
> > > >> > > > > > kernel security will require the full cooperation of
> > > >> > > > > > security, and letting the head of kernel security be able
> > > >> > > > > > to actually enforce threats, as that seems to be the only
> > > >> > > > > > way bugs ever get resolved. Pleading didn't work - I tried.
> > > >> > > > > >
> > > >> > > > > > -Harlan Lieberman-Berg
> > > >> > > > > > Gentoo Developer Emeritus
> > > >> > > > >
> > > >> > > > > Every word of what you said is painfully true. The only way to
> > > >> > > > > accomplish this would be with an Iron Fist(fail) or a team of
> > > >> > > > > ~15 guys who do nothing but patch and push new kernels and the
> > > >> > > > > PR that goes along with them every few days.
> > > >> > > > > --
> > > >> > > > > Ned Ludd <solar@g.o>
> > > >> > > > >
> > > >> > > > > --
> > > >> > > > > gentoo-security@l.g.o mailing list
> > > >> > > >
> > > >> > > > --
> > > >> > > > gentoo-security@l.g.o mailing list
> > > >> >
> > > >> > --
> > > >> > gentoo-security@l.g.o mailing list
> > > >>
> > > >> --
> > > >> Arthur Bispo de Castro
> > > >> Laboratório de Administração e Segurança (LAS/IC)
> > > >> Universidade Estadual de Campinas (UNICAMP)
> > > >> --
> > > >>
> > > >> gentoo-security@l.g.o mailing list
> > >
> > > --
> > > gentoo-security@l.g.o mailing list
>
> --
> gentoo-security@l.g.o mailing list
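
The report tool Casey sketches above (parse the whiteboard tags, decide per kernel source whether the tree has caught up, and only call the bug GLSA-ready once every source is fixed) is small enough to show end to end. The following is an added example written for this archive page; it is not Casey's, Robert's or Gentoo's code, and nothing like it existed in the thread. It assumes the tag grammar is exactly the form shown in the quoted mail, `[<source> <op> <fixed-version>]` with `<` meaning "fixed in that version" (and `<=` as a hypothetical "fixed after it"), that versions are a dotted numeric base with an optional `-N` (genpatches) or `-rN` (ebuild revision) suffix, and that the "tree snapshot" of current versions is handed in as a dict. The bug IDs and versions in `SAMPLE_BUGS` and `SAMPLE_TREE` are constructed, not real bugzilla entries.

```python
import re
from typing import Dict, List, Tuple

# Assumed grammar (from the example tags in the thread):
#   "[<source> <op> <fixed-version>]", one tag per kernel source, op "<" or "<=".
# Anything outside the brackets is ignored so other whiteboard notes can coexist.
TAG_RE = re.compile(r"\[\s*([A-Za-z0-9_.+-]+?)\s*(<=|<)\s*([0-9][0-9A-Za-z._-]*)\s*\]")


def parse_whiteboard(whiteboard: str) -> List[Tuple[str, str, str]]:
    """Extract (source, op, fixed_version) triples from a bug's whiteboard field."""
    return [(m.group(1), m.group(2), m.group(3)) for m in TAG_RE.finditer(whiteboard)]


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Sort key for the version forms seen in the thread: dotted numeric base plus an
    optional "-N" (genpatches) or "-rN" (ebuild revision) suffix.
    Assumption: no _rc/_pre style suffixes; a non-numeric component raises ValueError."""
    base, _, suffix = version.partition("-")
    revision = int(suffix.lstrip("r")) if suffix else 0
    return tuple(int(part) for part in base.split(".")), revision


def is_fixed(available: str, op: str, fixed_in: str) -> bool:
    """True when the version shipped in the tree lies outside the affected range."""
    a, f = version_key(available), version_key(fixed_in)
    return a >= f if op == "<" else a > f


def bug_status(whiteboard: str, tree: Dict[str, str]) -> Dict[str, str]:
    """Per-source status for one bug: 'fixed', 'affected', or 'untracked' when the
    tagged source has no version in the tree snapshot (a typo in the tag, or a
    source nobody is reporting on, should be visible rather than silently fixed)."""
    status: Dict[str, str] = {}
    for source, op, fixed_in in parse_whiteboard(whiteboard):
        if source not in tree:
            status[source] = "untracked"
        else:
            status[source] = "fixed" if is_fixed(tree[source], op, fixed_in) else "affected"
    return status


def glsa_ready(status: Dict[str, str]) -> bool:
    """Casey's rule: a GLSA can go out once every tagged source is fixed.
    An untagged bug is never ready, so a missing whiteboard cannot be mistaken for done."""
    return bool(status) and all(state == "fixed" for state in status.values())


def open_bugs_by_source(bugs: Dict[str, str], tree: Dict[str, str]) -> Dict[str, List[str]]:
    """The per-source view from the KISS screenshots: which bugs still affect each source."""
    pending: Dict[str, List[str]] = {}
    for bug_id, whiteboard in bugs.items():
        for source, state in bug_status(whiteboard, tree).items():
            if state == "affected":
                pending.setdefault(source, []).append(bug_id)
    return pending


# Constructed sample data: hypothetical bug IDs and tree versions, not real entries.
SAMPLE_BUGS = {
    "bug-A": "[linux < 2.6.22] [genpatches < 2.6.20-3] [xen-sources < 2.6.18-r2]",
    "bug-B": "kernel: [linux < 2.6.24] [genpatches < 2.6.23-2]",
}
SAMPLE_TREE = {"linux": "2.6.22", "genpatches": "2.6.20-2", "xen-sources": "2.6.18-r2"}

if __name__ == "__main__":
    for bug_id, wb in SAMPLE_BUGS.items():
        st = bug_status(wb, SAMPLE_TREE)
        print(bug_id, st, "GLSA ready" if glsa_ready(st) else "waiting")
    print("still affected:", open_bugs_by_source(SAMPLE_BUGS, SAMPLE_TREE))
```

In the constructed snapshot `bug-A` has linux and xen-sources caught up but genpatches one release short, so it is not GLSA-ready, and the per-source view shows genpatches carrying both bugs. The version comparison is deliberately narrow; a real tool would use portage's own version comparison rather than this key, and would fetch the whiteboard fields from bugzilla instead of a dict.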

Replies

Subject Author
Re: [gentoo-security] Kernel Security + KISS George Prowse <cokehabit@×××××.com>