Linux Kernel security in question

    This article addresses the question of whether the Linux Kernel is secure enough. And what is "enough"?

    http://arstechnica.com/security/2016...-needs-fixing/

    "...
    Worse, the average lifetime of a critical security bug in the Linux kernel, from introduction during a code commit to public discovery and having a patch issued, averages three years or more. According to Cook’s analysis, critical and high-severity security bugs in the upstream kernel have lifespans from 3.3 to 6.4 years between commit and discovery.
    ..."

    Is it time that Linux has more attention paid to this possible weak spot? The playing field has changed since Linux was introduced.
    Kubuntu 24.11 64bit under Kernel 6.11.4, Hp Pavilion, 6MB ram. Stay away from all things Google...

    #2
    Kees Cook has been beating that drum for the last year, and he has made some questionable claims:
    "There are, Kees said, one billion Android devices in circulation. Most of them are running 3.4 kernels, with the (still old) 3.10 kernel running a distant second. That, he said, is "completely terrifying." The lifetime of critical security bugs is huge; bugs are often found many years after they have been introduced into the kernel. But attackers are often finding these bugs right away and exploiting them for most of those years while they remain in the kernel."
    There have been some bugs which have been found after years of exposure, but the claim that bad guys have been taking advantage of them all that time is absent proof. Where are the 100,000 Linux zombie bot farms? Where are the thousands, or even hundreds of cases of a long-lasting bug being exploited? The last Linux zombie bot farm I read about was found about 10 years ago and it consisted of 700 Linux boxes which had very poor or no root passwords. A team of six bad guys, IIRC, worked a dearjohn password cracker for six months to accumulate that meager farm. Linux boxes are prized as control boxes which feed instructions to thousands of Windows zombies precisely because Linux boxes are so difficult to break into when properly configured. I.e., they have a proper password, their packages are up to date, and they have an active, well-configured firewall.

    The "got root" bug found two years ago after being in the wild for five years can't be attributed to any break-ins I am aware of. The security expert who crowed about this bug did so to claim that Linux was just as insecure as Windows. However, note that "An attacker who can run code of his choice in the kernel can easily promote himself to the all-powerful Linux user called root." Well, to run the "code of your choice in the kernel" you have to have access to the kernel. IOW, it is a local exploit. If you have local access just select the boot to root grub option, change passwords and then reboot. So many of these holes are local exploits, but not all. Heartbleed was not, but it was created by a PhD computer scientist and his doctoral student, who should have known better than to create a simple buffer overflow in SSL and let it wander around the world for two years before it was discovered. Some suggest they were paid to put that bug in.

    In the CVE database there are listed for 2016 (so far) a total of 102 Linux kernel Vulnerabilities and Exposures. Sixty-seven of them are local user exploits. That's a total of 35 non-local exploits in 2016, so far. The Linux kernel is hardly as vulnerable as Windows, which has tens of thousands of exploits per year, and it runs only a fraction of the Internet that Linux runs. And the bad guys are not tripping over exploits left and right and raking in the cash or revealing secrets. The weak link is still social engineering - the part that works the keyboard.

    I'm not against what he wants to do, make the kernel more secure, but he is slandering the work of 5,000 people who contribute to the kernel in order to promote his Kernel_Self_Protection_Project.
    Last edited by GreyGeek; Sep 27, 2016, 08:32 PM.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
    – John F. Kennedy, February 26, 1962.



      #3
      For years I've heard the old saw: "Linux doesn't get (pick one) virus, bugs, hacked, worms..."

      Based on reported problems, it seems the old saw is almost true.

      Whether that was (past tense) because of lower usage figures compared to Windoze or because it didn't used to be worth hacking because there weren't (past tense) many valuable sets of information stored on Linux systems.

      Now (present tense) there are a lot of valuable data sets running under Linux servers and certainly more individual Linux systems.

      I consider my own data sets to be valuable, but probably not worth the effort to hack my business/home systems. Still, I'd like to know that the Linux kernel is designed to protect my data.

      I think the Linux target has gotten bigger with time.

      As you say, GreyGeek, the keyboard operator is the weak link.

      So, should the Linux kernel be made stronger? Does it have adequate security now? I cannot answer the question personally.
      Last edited by TWPonKubuntu; Sep 27, 2016, 08:36 PM. Reason: spelling
      Kubuntu 24.11 64bit under Kernel 6.11.4, Hp Pavilion, 6MB ram. Stay away from all things Google...
