Re: [gentoo-security] Kernel Security + KISS - gentoo-security

From:	Sune Kloppenborg Jeppesen <jaervosz@g.o>
To:	gentoo-security@l.g.o
Subject:	Re: [gentoo-security] Kernel Security + KISS
Date:	Thu, 21 Feb 2008 13:33:05
Message-Id:	`200802211432.02723.jaervosz@gentoo.org`
In Reply to:	Re: [gentoo-security] Kernel Security + KISS by Eduardo Tongson

1

On Thursday 21 February 2008 13:35:52 Eduardo Tongson wrote:

2

> If no Gentoo developer comes forward, I volunteer myself. Seems

3

> everybody is busy and overworked to even authorize an official team.

4

> Any Gentoo developer who can share their 'a day in the life of the

5

> Gentoo Kernel Security team' experience?

6

7

For those interested try dropping by #gentoo-security on Freenode and talk to 

8

rbu, I think he's spoken with a few interested already.

9

10

After Fosdem this weekend I hope to catch up a bit on the kernel situation.

11

12

--

13

Sune Kloppenborg Jeppesen (Jaervosz)

14

Gentoo Linux Security Team

15

http://security.gentoo.org

16

17

>

18

>   --  ed*eonsec

19

>

20

> On Thu, Feb 21, 2008 at 5:54 PM, Peter Hjalmarsson <xake@×××××××××.net>

21

wrote:

22

> > AFAICS the thing missing is a leader. Someone to make a starting point

23

> >  for the followers to make use of (not necessary inside of gentoo, I

24

> >  believe it can always be integrated later if there are devs enough to

25

> >  pick things up and integrate), a place for him to collect and keep list

26

> >  and contact with interested people (also to keep "me too"-noise from

27

> >  this list).

28

> >

29

> >  This does not even have to be a integrated gentoo solution, am I right?

30

> >  Anybody having a hosting space could host a db with the

31

> >  information/advisories.

32

> >  And the hosting one could let anyone he/she trusts write info to that

33

> >  db.

34

> >  That db could be like "This vournable exists, these are the problems,

35

> >  these are the workarounds/patches and there are no fixed kernel

36

> >  versions/these kernel versions are fixed" where info could be updated as

37

> >  they get along.

38

> >  And anybody ﻿that has the time and skill could write a applications that

39

> >  fetch info from this db about the currently running kernel and presents

40

> >  the user with the text "No known vournables" or "These vournables

41

> >  exists" with links to the information in the db about that advisory.

42

> >  This way a user can run the application, get a message, read the

43

> >  advisories and decide "I need to update to at least this version" or "I

44

> >  do not need to update".

45

> >

46

> >  The thing needed after that is persons to keep this db up to date and

47

> >  maybe bug devs to get fixed versions into portage.

48

> >  But these people needs a central collection point where they could

49

> >  "meet" and start moving things.

50

> >

51

> >  And anybody can bug any dev in bugzilla if a kernel is not fixed, but

52

> >  the chances over-worked devs will notice and be more helpful if you are

53

> >  more helpful with what, when and why this kernel thing should be fixed

54

> >  (i.e. come well prepared).

55

> >

56

> >  tor 2008-02-21 klockan 11:16 +0800 skrev Eduardo Tongson:

57

> > > Alright how do we proceed to get this team started.

58

> > >

59

> >  >   ed*eonsec

60

> >  >

61

> >  > On Thu, Feb 21, 2008 at 6:55 AM, Ned Ludd <solar@g.o> wrote:

62

> >  > >  On Wed, 2008-02-20 at 13:59 -0500, Harlan Lieberman-Berg wrote:

63

> >  > >  > On Sunday 17 February 2008 23:12:35 Robert Buchholz wrote:

64

> >  > >  > > On Sunday, 17. February 2008, Eduardo Tongson wrote:

65

> >  > >  > > > What specific kernel knowledge is needed to get a Kernel

66

> >  > >  > > > advisory up and running ?

67

> >  > >  > >

68

> >  > >  > > Between becoming aware of a vulnerability in Linux and drafting

69

> >  > >  > > an advisory for one or all kernel sources comes the part where

70

> >  > >  > > you review which versions of which kernel sources are affected

71

> >  > >  > > and unaffected. You also need to pay attention to specifics of

72

> >  > >  > > the added patchsets, which might duplicate vulnerabilities.

73

> >  > >  > >

74

> >  > >  > > Parts of the job can indeed be done without Kernel and C

75

> >  > >  > > knowledge, but some cannot. So if we draft a new kernel

76

> >  > >  > > security *team*, people without C and kernel knowledge are

77

> >  > >  > > helpful -- some others need to have it, though.

78

> >  > >  > >

79

> >  > >  > > Robert

80

> >  > >  >

81

> >  > >  > To be honest, 99% of what is done in the kernel security team can

82

> >  > >  > be done with no C knowledge at all.

83

> >  > >  >

84

> >  > >  > I'm not an expert C person - far from it - but I eventually

85

> >  > >  > became the head of Kernel Security until I retired a few months

86

> >  > >  > ago.

87

> >  > >  >

88

> >  > >  > Most of it is bug handling.  The major problem is a social, not a

89

> >  > >  > technical one.  Because of the manner in which our kernels are

90

> >  > >  > organized, a single vulnerability involves checking upstream

91

> >  > >  > version numbers, coordinating them into our downstream version

92

> >  > >  > numbers for all sources, checking to see if the sources are

93

> >  > >  > effected, figuring out who to CC for the bugs, then harassing

94

> >  > >  > them until they do it.

95

> >  > >  >

96

> >  > >  > Unlike other security sources, any attempt to hardmask the

97

> >  > >  > package is shutdown instantly.  The chaos that would result from

98

> >  > >  > a kernel hardmask, even one of the lesser used ones, caused me to

99

> >  > >  > only successfully order one over my entire career in Gentoo

100

> >  > >  > Kernsec... even though more around 30 would have been needed.  It

101

> >  > >  > is not infrequently that bugs will last six months without any

102

> >  > >  > action coming about them, and users are blissfully unaware.

103

> >  > >  >

104

> >  > >  > I am happy to give my input as the former head of Kernel

105

> >  > >  > Security, but it is my personal opinion that any advances in

106

> >  > >  > kernel security will require the full cooperation of security,

107

> >  > >  > and letting the head of kernel security be able to actually

108

> >  > >  > enforce threats, as that seems to be the only way bugs ever get

109

> >  > >  > resolved.  Pleading didn't work - I tried.

110

> >  > >  >

111

> >  > >  > -Harlan Lieberman-Berg

112

> >  > >  > Gentoo Developer Emeritus

113

> >  > >

114

> >  > >  Every word of what you said is painfully true. The only way to

115

> >  > >  accomplish this would be with an Iron Fist(fail) or a team of ~15

116

> >  > > guys who do nothing but patch and push new kernels and the PR that

117

> >  > > goes along with them every few days.

118

> >  > >  --

119

> >  > >  Ned Ludd <solar@g.o>

120

> >  > >

121

> >  > >

122

> >  > >

123

> >  > >  --

124

> >  > >  gentoo-security@l.g.o mailing list

125

--

126

gentoo-security@l.g.o mailing list

1	On Thursday 21 February 2008 13:35:52 Eduardo Tongson wrote:
2	> If no Gentoo developer comes forward, I volunteer myself. Seems
3	> everybody is busy and overworked to even authorize an official team.
4	> Any Gentoo developer who can share their 'a day in the life of the
5	> Gentoo Kernel Security team' experience?
6
7	For those interested try dropping by #gentoo-security on Freenode and talk to
8	rbu, I think he's spoken with a few interested already.
9
10	After Fosdem this weekend I hope to catch up a bit on the kernel situation.
11
12	--
13	Sune Kloppenborg Jeppesen (Jaervosz)
14	Gentoo Linux Security Team
15	http://security.gentoo.org
16
17	>
18	> -- ed*eonsec
19	>
20	> On Thu, Feb 21, 2008 at 5:54 PM, Peter Hjalmarsson <xake@×××××××××.net>
21	wrote:
22	> > AFAICS the thing missing is a leader. Someone to make a starting point
23	> > for the followers to make use of (not necessary inside of gentoo, I
24	> > believe it can always be integrated later if there are devs enough to
25	> > pick things up and integrate), a place for him to collect and keep list
26	> > and contact with interested people (also to keep "me too"-noise from
27	> > this list).
28	> >
29	> > This does not even have to be a integrated gentoo solution, am I right?
30	> > Anybody having a hosting space could host a db with the
31	> > information/advisories.
32	> > And the hosting one could let anyone he/she trusts write info to that
33	> > db.
34	> > That db could be like "This vournable exists, these are the problems,
35	> > these are the workarounds/patches and there are no fixed kernel
36	> > versions/these kernel versions are fixed" where info could be updated as
37	> > they get along.
38	> > And anybody that has the time and skill could write a applications that
39	> > fetch info from this db about the currently running kernel and presents
40	> > the user with the text "No known vournables" or "These vournables
41	> > exists" with links to the information in the db about that advisory.
42	> > This way a user can run the application, get a message, read the
43	> > advisories and decide "I need to update to at least this version" or "I
44	> > do not need to update".
45	> >
46	> > The thing needed after that is persons to keep this db up to date and
47	> > maybe bug devs to get fixed versions into portage.
48	> > But these people needs a central collection point where they could
49	> > "meet" and start moving things.
50	> >
51	> > And anybody can bug any dev in bugzilla if a kernel is not fixed, but
52	> > the chances over-worked devs will notice and be more helpful if you are
53	> > more helpful with what, when and why this kernel thing should be fixed
54	> > (i.e. come well prepared).
55	> >
56	> > tor 2008-02-21 klockan 11:16 +0800 skrev Eduardo Tongson:
57	> > > Alright how do we proceed to get this team started.
58	> > >
59	> > > ed*eonsec
60	> > >
61	> > > On Thu, Feb 21, 2008 at 6:55 AM, Ned Ludd <solar@g.o> wrote:
62	> > > > On Wed, 2008-02-20 at 13:59 -0500, Harlan Lieberman-Berg wrote:
63	> > > > > On Sunday 17 February 2008 23:12:35 Robert Buchholz wrote:
64	> > > > > > On Sunday, 17. February 2008, Eduardo Tongson wrote:
65	> > > > > > > What specific kernel knowledge is needed to get a Kernel
66	> > > > > > > advisory up and running ?
67	> > > > > >
68	> > > > > > Between becoming aware of a vulnerability in Linux and drafting
69	> > > > > > an advisory for one or all kernel sources comes the part where
70	> > > > > > you review which versions of which kernel sources are affected
71	> > > > > > and unaffected. You also need to pay attention to specifics of
72	> > > > > > the added patchsets, which might duplicate vulnerabilities.
73	> > > > > >
74	> > > > > > Parts of the job can indeed be done without Kernel and C
75	> > > > > > knowledge, but some cannot. So if we draft a new kernel
76	> > > > > > security team, people without C and kernel knowledge are
77	> > > > > > helpful -- some others need to have it, though.
78	> > > > > >
79	> > > > > > Robert
80	> > > > >
81	> > > > > To be honest, 99% of what is done in the kernel security team can
82	> > > > > be done with no C knowledge at all.
83	> > > > >
84	> > > > > I'm not an expert C person - far from it - but I eventually
85	> > > > > became the head of Kernel Security until I retired a few months
86	> > > > > ago.
87	> > > > >
88	> > > > > Most of it is bug handling. The major problem is a social, not a
89	> > > > > technical one. Because of the manner in which our kernels are
90	> > > > > organized, a single vulnerability involves checking upstream
91	> > > > > version numbers, coordinating them into our downstream version
92	> > > > > numbers for all sources, checking to see if the sources are
93	> > > > > effected, figuring out who to CC for the bugs, then harassing
94	> > > > > them until they do it.
95	> > > > >
96	> > > > > Unlike other security sources, any attempt to hardmask the
97	> > > > > package is shutdown instantly. The chaos that would result from
98	> > > > > a kernel hardmask, even one of the lesser used ones, caused me to
99	> > > > > only successfully order one over my entire career in Gentoo
100	> > > > > Kernsec... even though more around 30 would have been needed. It
101	> > > > > is not infrequently that bugs will last six months without any
102	> > > > > action coming about them, and users are blissfully unaware.
103	> > > > >
104	> > > > > I am happy to give my input as the former head of Kernel
105	> > > > > Security, but it is my personal opinion that any advances in
106	> > > > > kernel security will require the full cooperation of security,
107	> > > > > and letting the head of kernel security be able to actually
108	> > > > > enforce threats, as that seems to be the only way bugs ever get
109	> > > > > resolved. Pleading didn't work - I tried.
110	> > > > >
111	> > > > > -Harlan Lieberman-Berg
112	> > > > > Gentoo Developer Emeritus
113	> > > >
114	> > > > Every word of what you said is painfully true. The only way to
115	> > > > accomplish this would be with an Iron Fist(fail) or a team of ~15
116	> > > > guys who do nothing but patch and push new kernels and the PR that
117	> > > > goes along with them every few days.
118	> > > > --
119	> > > > Ned Ludd <solar@g.o>
120	> > > >
121	> > > >
122	> > > >
123	> > > > --
124	> > > > gentoo-security@l.g.o mailing list
125	--
126	gentoo-security@l.g.o mailing list

Gentoo Archives: gentoo-security