Re: [gentoo-security] Kernel Security + KISS - gentoo-security

From:	Eduardo Tongson <propolice@×××××.com>
To:	gentoo-security@l.g.o
Subject:	Re: [gentoo-security] Kernel Security + KISS
Date:	Thu, 21 Feb 2008 12:37:17
Message-Id:	`b18fbe3c0802210435r4f64119dsa2b437832f145159@mail.gmail.com`
In Reply to:	Re: [gentoo-security] Kernel Security + KISS by Peter Hjalmarsson

1

If no Gentoo developer comes forward, I volunteer myself. Seems

2

everybody is busy and overworked to even authorize an official team.

3

Any Gentoo developer who can share their 'a day in the life of the

4

Gentoo Kernel Security team' experience?

5

6

  --  ed*eonsec

7

8

On Thu, Feb 21, 2008 at 5:54 PM, Peter Hjalmarsson <xake@×××××××××.net> wrote:

9

> AFAICS the thing missing is a leader. Someone to make a starting point

10

>  for the followers to make use of (not necessary inside of gentoo, I

11

>  believe it can always be integrated later if there are devs enough to

12

>  pick things up and integrate), a place for him to collect and keep list

13

>  and contact with interested people (also to keep "me too"-noise from

14

>  this list).

15

>

16

>  This does not even have to be a integrated gentoo solution, am I right?

17

>  Anybody having a hosting space could host a db with the

18

>  information/advisories.

19

>  And the hosting one could let anyone he/she trusts write info to that

20

>  db.

21

>  That db could be like "This vournable exists, these are the problems,

22

>  these are the workarounds/patches and there are no fixed kernel

23

>  versions/these kernel versions are fixed" where info could be updated as

24

>  they get along.

25

>  And anybody ﻿that has the time and skill could write a applications that

26

>  fetch info from this db about the currently running kernel and presents

27

>  the user with the text "No known vournables" or "These vournables

28

>  exists" with links to the information in the db about that advisory.

29

>  This way a user can run the application, get a message, read the

30

>  advisories and decide "I need to update to at least this version" or "I

31

>  do not need to update".

32

>

33

>  The thing needed after that is persons to keep this db up to date and

34

>  maybe bug devs to get fixed versions into portage.

35

>  But these people needs a central collection point where they could

36

>  "meet" and start moving things.

37

>

38

>  And anybody can bug any dev in bugzilla if a kernel is not fixed, but

39

>  the chances over-worked devs will notice and be more helpful if you are

40

>  more helpful with what, when and why this kernel thing should be fixed

41

>  (i.e. come well prepared).

42

>

43

>

44

>  tor 2008-02-21 klockan 11:16 +0800 skrev Eduardo Tongson:

45

>

46

>

47

> > Alright how do we proceed to get this team started.

48

>  >

49

>  >   ed*eonsec

50

>  >

51

>  > On Thu, Feb 21, 2008 at 6:55 AM, Ned Ludd <solar@g.o> wrote:

52

>  > >

53

>  > >

54

>  > >  On Wed, 2008-02-20 at 13:59 -0500, Harlan Lieberman-Berg wrote:

55

>  > >  > On Sunday 17 February 2008 23:12:35 Robert Buchholz wrote:

56

>  > >  > > On Sunday, 17. February 2008, Eduardo Tongson wrote:

57

>  > >  > > > What specific kernel knowledge is needed to get a Kernel advisory up

58

>  > >  > > > and running ?

59

>  > >  > >

60

>  > >  > > Between becoming aware of a vulnerability in Linux and drafting an advisory

61

>  > >  > > for one or all kernel sources comes the part where you review which

62

>  > >  > > versions of which kernel sources are affected and unaffected. You also

63

>  > >  > > need to pay attention to specifics of the added patchsets, which might

64

>  > >  > > duplicate vulnerabilities.

65

>  > >  > >

66

>  > >  > > Parts of the job can indeed be done without Kernel and C knowledge, but

67

>  > >  > > some cannot. So if we draft a new kernel security *team*, people without C

68

>  > >  > > and kernel knowledge are helpful -- some others need to have it, though.

69

>  > >  > >

70

>  > >  > > Robert

71

>  > >  >

72

>  > >  > To be honest, 99% of what is done in the kernel security team can be done with

73

>  > >  > no C knowledge at all.

74

>  > >  >

75

>  > >  > I'm not an expert C person - far from it - but I eventually became the head of

76

>  > >  > Kernel Security until I retired a few months ago.

77

>  > >  >

78

>  > >  > Most of it is bug handling.  The major problem is a social, not a technical

79

>  > >  > one.  Because of the manner in which our kernels are organized, a single

80

>  > >  > vulnerability involves checking upstream version numbers, coordinating them

81

>  > >  > into our downstream version numbers for all sources, checking to see if the

82

>  > >  > sources are effected, figuring out who to CC for the bugs, then harassing

83

>  > >  > them until they do it.

84

>  > >  >

85

>  > >  > Unlike other security sources, any attempt to hardmask the package is shutdown

86

>  > >  > instantly.  The chaos that would result from a kernel hardmask, even one of

87

>  > >  > the lesser used ones, caused me to only successfully order one over my entire

88

>  > >  > career in Gentoo Kernsec... even though more around 30 would have been

89

>  > >  > needed.  It is not infrequently that bugs will last six months without any

90

>  > >  > action coming about them, and users are blissfully unaware.

91

>  > >  >

92

>  > >  > I am happy to give my input as the former head of Kernel Security, but it is

93

>  > >  > my personal opinion that any advances in kernel security will require the

94

>  > >  > full cooperation of security, and letting the head of kernel security be able

95

>  > >  > to actually enforce threats, as that seems to be the only way bugs ever get

96

>  > >  > resolved.  Pleading didn't work - I tried.

97

>  > >  >

98

>  > >  > -Harlan Lieberman-Berg

99

>  > >  > Gentoo Developer Emeritus

100

>  > >

101

>  > >

102

>  > >  Every word of what you said is painfully true. The only way to

103

>  > >  accomplish this would be with an Iron Fist(fail) or a team of ~15 guys

104

>  > >  who do nothing but patch and push new kernels and the PR that goes along

105

>  > >  with them every few days.

106

>  > >  --

107

>  > >  Ned Ludd <solar@g.o>

108

>  > >

109

>  > >

110

>  > >

111

>  > >  --

112

>  > >  gentoo-security@l.g.o mailing list

113

>  > >

114

>  > >

115

>

Gentoo Archives: gentoo-security

Replies

1	If no Gentoo developer comes forward, I volunteer myself. Seems
2	everybody is busy and overworked to even authorize an official team.
3	Any Gentoo developer who can share their 'a day in the life of the
4	Gentoo Kernel Security team' experience?
5
6	-- ed*eonsec
7
8	On Thu, Feb 21, 2008 at 5:54 PM, Peter Hjalmarsson <xake@×××××××××.net> wrote:
9	> AFAICS the thing missing is a leader. Someone to make a starting point
10	> for the followers to make use of (not necessary inside of gentoo, I
11	> believe it can always be integrated later if there are devs enough to
12	> pick things up and integrate), a place for him to collect and keep list
13	> and contact with interested people (also to keep "me too"-noise from
14	> this list).
15	>
16	> This does not even have to be a integrated gentoo solution, am I right?
17	> Anybody having a hosting space could host a db with the
18	> information/advisories.
19	> And the hosting one could let anyone he/she trusts write info to that
20	> db.
21	> That db could be like "This vournable exists, these are the problems,
22	> these are the workarounds/patches and there are no fixed kernel
23	> versions/these kernel versions are fixed" where info could be updated as
24	> they get along.
25	> And anybody that has the time and skill could write a applications that
26	> fetch info from this db about the currently running kernel and presents
27	> the user with the text "No known vournables" or "These vournables
28	> exists" with links to the information in the db about that advisory.
29	> This way a user can run the application, get a message, read the
30	> advisories and decide "I need to update to at least this version" or "I
31	> do not need to update".
32	>
33	> The thing needed after that is persons to keep this db up to date and
34	> maybe bug devs to get fixed versions into portage.
35	> But these people needs a central collection point where they could
36	> "meet" and start moving things.
37	>
38	> And anybody can bug any dev in bugzilla if a kernel is not fixed, but
39	> the chances over-worked devs will notice and be more helpful if you are
40	> more helpful with what, when and why this kernel thing should be fixed
41	> (i.e. come well prepared).
42	>
43	>
44	> tor 2008-02-21 klockan 11:16 +0800 skrev Eduardo Tongson:
45	>
46	>
47	> > Alright how do we proceed to get this team started.
48	> >
49	> > ed*eonsec
50	> >
51	> > On Thu, Feb 21, 2008 at 6:55 AM, Ned Ludd <solar@g.o> wrote:
52	> > >
53	> > >
54	> > > On Wed, 2008-02-20 at 13:59 -0500, Harlan Lieberman-Berg wrote:
55	> > > > On Sunday 17 February 2008 23:12:35 Robert Buchholz wrote:
56	> > > > > On Sunday, 17. February 2008, Eduardo Tongson wrote:
57	> > > > > > What specific kernel knowledge is needed to get a Kernel advisory up
58	> > > > > > and running ?
59	> > > > >
60	> > > > > Between becoming aware of a vulnerability in Linux and drafting an advisory
61	> > > > > for one or all kernel sources comes the part where you review which
62	> > > > > versions of which kernel sources are affected and unaffected. You also
63	> > > > > need to pay attention to specifics of the added patchsets, which might
64	> > > > > duplicate vulnerabilities.
65	> > > > >
66	> > > > > Parts of the job can indeed be done without Kernel and C knowledge, but
67	> > > > > some cannot. So if we draft a new kernel security team, people without C
68	> > > > > and kernel knowledge are helpful -- some others need to have it, though.
69	> > > > >
70	> > > > > Robert
71	> > > >
72	> > > > To be honest, 99% of what is done in the kernel security team can be done with
73	> > > > no C knowledge at all.
74	> > > >
75	> > > > I'm not an expert C person - far from it - but I eventually became the head of
76	> > > > Kernel Security until I retired a few months ago.
77	> > > >
78	> > > > Most of it is bug handling. The major problem is a social, not a technical
79	> > > > one. Because of the manner in which our kernels are organized, a single
80	> > > > vulnerability involves checking upstream version numbers, coordinating them
81	> > > > into our downstream version numbers for all sources, checking to see if the
82	> > > > sources are effected, figuring out who to CC for the bugs, then harassing
83	> > > > them until they do it.
84	> > > >
85	> > > > Unlike other security sources, any attempt to hardmask the package is shutdown
86	> > > > instantly. The chaos that would result from a kernel hardmask, even one of
87	> > > > the lesser used ones, caused me to only successfully order one over my entire
88	> > > > career in Gentoo Kernsec... even though more around 30 would have been
89	> > > > needed. It is not infrequently that bugs will last six months without any
90	> > > > action coming about them, and users are blissfully unaware.
91	> > > >
92	> > > > I am happy to give my input as the former head of Kernel Security, but it is
93	> > > > my personal opinion that any advances in kernel security will require the
94	> > > > full cooperation of security, and letting the head of kernel security be able
95	> > > > to actually enforce threats, as that seems to be the only way bugs ever get
96	> > > > resolved. Pleading didn't work - I tried.
97	> > > >
98	> > > > -Harlan Lieberman-Berg
99	> > > > Gentoo Developer Emeritus
100	> > >
101	> > >
102	> > > Every word of what you said is painfully true. The only way to
103	> > > accomplish this would be with an Iron Fist(fail) or a team of ~15 guys
104	> > > who do nothing but patch and push new kernels and the PR that goes along
105	> > > with them every few days.
106	> > > --
107	> > > Ned Ludd <solar@g.o>
108	> > >
109	> > >
110	> > >
111	> > > --
112	> > > gentoo-security@l.g.o mailing list
113	> > >
114	> > >
115	>