Gentoo Archives: gentoo-security

From: "C." <cbergstrom@×××××××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Kernel Security + KISS
Date: Wed, 20 Feb 2008 19:31:18
Message-Id: 1203535691.6611.178.camel@chaos
In Reply to: Re: [gentoo-security] Kernel Security + KISS by Harlan Lieberman-Berg
On Wed, 2008-02-20 at 13:59 -0500, Harlan Lieberman-Berg wrote:
> On Sunday 17 February 2008 23:12:35 Robert Buchholz wrote:
> > On Sunday, 17. February 2008, Eduardo Tongson wrote:
> > > What specific kernel knowledge is needed to get a Kernel advisory up
> > > and running ?
> >
> > Between becoming aware of a vulnerability in Linux and drafting an advisory
> > for one or all kernel sources comes the part where you review which
> > versions of which kernel sources are affected and unaffected. You also
> > need to pay attention to specifics of the added patchsets, which might
> > duplicate vulnerabilities.
> >
> > Parts of the job can indeed be done without Kernel and C knowledge, but
> > some cannot. So if we draft a new kernel security *team*, people without C
> > and kernel knowledge are helpful -- some others need to have it, though.
> >
> > Robert
>
> To be honest, 99% of what is done in the kernel security team can be done with
> no C knowledge at all.
>
> I'm not an expert C person - far from it - but I eventually became the head of
> Kernel Security until I retired a few months ago.
>
> Most of it is bug handling. The major problem is a social, not a technical
> one. Because of the manner in which our kernels are organized, a single
> vulnerability involves checking upstream version numbers, coordinating them
> into our downstream version numbers for all sources, checking to see if the
> sources are affected, figuring out who to CC for the bugs, then harassing
> them until they do it.
>
> Unlike other security sources, any attempt to hardmask the package is shut down
> instantly. The chaos that would result from a kernel hardmask, even one of
> the lesser used ones, caused me to only successfully order one over my entire
> career in Gentoo Kernsec... even though around 30 would have been
> needed. It is not infrequent that bugs will last six months without any
> action coming about them, and users are blissfully unaware.
>
> I am happy to give my input as the former head of Kernel Security, but it is
> my personal opinion that any advances in kernel security will require the
> full cooperation of security, and letting the head of kernel security be able
> to actually enforce threats, as that seems to be the only way bugs ever get
> resolved. Pleading didn't work - I tried.

Very insightful, thanks. I've no time to spare at the moment, so I'm just
trying to brainstorm out loud. Outside of the hardened kernel and
the various foo-kernels, what's the benefit of not just playing
follow-the-leader? Maybe it's possible to just copy something more well
maintained, e.g. RH or Debian. It would require Kernel Security to maintain a
kernel, but then you'd never have to fight the maintainer when you issue
a security fix which was pushed from upstream. RH and friends would even
guarantee it doesn't break things to some extent. I'm sure this has
been thought of before, but I'm not sure why it's not adopted....

./C

--
gentoo-security@l.g.o mailing list