[Cryptography] Use Linux for its security

Jason Cooper cryptography at lakedaemon.net
Thu Sep 29 10:30:06 EDT 2016


Hi Jerry,

On Wed, Sep 28, 2016 at 12:39:15PM -0400, Jerry Leichter wrote:
...
> >> "Critical and high-severity security bugs in the upstream kernel
> >> have lifespans from 3.3 to 6.4 years between commit and discovery."
> > 
> > And what are the alternatives? Use Apple for its security?
> > 
> It's worth reading the talks and articles linked to from the article I
> referred to
> (http://arstechnica.com/security/2016/09/linux-kernel-security-needs-fixing/).
> 
> The fundamental criticism is that Linux is way behind the times:  It's
> still trying to squish one security bug at a time, rather than using
> more modern techniques that close off entire classes of attacks, even
> if no specific ones have been identified; or like ASLR that make
> exploits much more difficult even if attacks are found.  None of these
> is perfect, but they raise the bar.  And ... Linus has explicitly
> rejected them, because they cost you raw performance.

Please don't mindlessly pile on after a poorly researched,
sensationalist article. :-(

Kees (the speaker giving the referenced talk) is leading the Kernel
Self-Protection Project.  He's not saying "Linux sucks" as the headline
implies, he's clearly defining the problem in order to justify the
project's purpose.

  http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

Not that you could gather that from the article. :-/

And Kees has recently started doing blog posts about the features that
have been merged into mainline:

  v4.3 https://outflux.net/blog/archives/2016/09/26/security-things-in-linux-v4-3/
  v4.4 https://outflux.net/blog/archives/2016/09/27/security-things-in-linux-v4-4/
  v4.5 https://outflux.net/blog/archives/2016/09/28/security-things-in-linux-v4-5/

For reference, v4.8 is most likely going to be released this Sunday, and
the average time between releases is 72 days.  So, this clearly isn't
something new, nor is it unaddressed.  It's a well-supported
work-in-progress.

You can find the mailing list here:

  http://www.openwall.com/lists/kernel-hardening/

thx,

Jason.
