Weekly Edition
Return to the Kernel page
| |||||||||||||
Opening up kernel security bug handlingThe reporting and handling of security issues is a tricky proposition. There are numerous competing interests to try to balance, and a general tendency toward secrecy that can complicate things further. Thus it is not surprising that kernel developers are discussing security handling on the Kernel Summit discussion mailing list (ksummit-2013-discuss). It seems likely that discussion will pick up again at the summit itself, which will be held in Edinburgh, October 23-25. James Bottomley kicked off the discussion by noting that several recent fixes had gone into the kernel without following the normal process because they were "security fixes". Given that some of those fixes caused problems of various sorts, he is concerned about circumventing the process simply because the patches fix security issues:
In both cases we had commits with cryptic messages, little explanation
and practically no review all in the name of security.
Our core processes for accepting code require transparency, review and testing. Secrecy in getting code into the kernel is therefore fundamentally breaking this and risking the kinds of problems we see in each of the instances. Bottomley would like to explore whether security vulnerabilities need to be handled in secret at all. Given that he thinks that may not be popular, looking into what can be done to inject more transparency into the process would be a reasonable alternative. Part of his theory is that "security people" who "love secrecy" are running the vulnerability-handling process. For example, the closed kernel security mailing list (security@kernel.org) is either made up of "security officers" (according to Documentation/SecurityBugs) or "'normal' kernel developers" (according to Greg Kroah-Hartman). There is no inherent interest in secrecy by the participants on that list, Kroah-Hartman said, though he did agree that posting a list of the members of security@kernel.org—which has not yet happened—would help to make things more transparent. The relationship between the kernel security list and the linux-distros mailing list (a closed list for distribution security concerns—the successor to vendor-sec) is also a bit murky, which could use some clearing up, Bottomley said. A big part of the problem is that there are a few different constituencies to try to satisfy, including distributions (some of which, like enterprise distributions, may have additional needs or wants), users (most of whom get their kernel from a distributor or device maker), security researchers (who sometimes like to make a big splash with their findings), and so on. While it might be tempting to dismiss the security researchers as perpetrators of what Linus Torvalds likes to call "the security circus", it is important to include them. They are often the ones who find vulnerabilities; annoying them often results in them failing to report what they find, sadly. Secrecy in vulnerability handling may be important to the enterprise distributions for other reasons, as Stephen Hemminger said. Security vulnerabilities and response time are often used as a "sales" tool in those markets, so that may lead to a push for more secrecy:
It seems to me that the secrecy is more about avoiding sensationalist
news reports that might provide FUD to competitors.
For the enterprise products this kind of FUD might impact buying
decisions and even the financial markets.
Torvalds's practice of hiding the security implications of patches also plays a role here. He wants to mask vulnerabilities so that "black hats" cannot easily grep them from commit logs, but as James Morris pointed out, that's not really effective: "The cryptic / silent fixes are really only helping the bad guys. They are watching these commits and doing security analysis on them." It seems unlikely (though perhaps not completely impossible) that Torvalds would change his mind on the issue, so various ideas on collecting known security information correlated with the commit(s) that fixed them were batted around. Clearly, some information about security implications only comes to light after the commit has been made—sometimes long after—so there is a need to collect it separately in any case. Kees Cook described some of the information that could be collected, while Andy Lutomirski expanded on the idea by suggesting separate CVE files stored in the kernel tree. The idea seemed fairly popular; others chimed in with suggestions for collaborating with Debian and/or the linux-distros mailing list participants. In a separate sub-thread, Lutomirski created a template for how the information could be stored. Cook concurred and suggested that the files could live under Documentation/CVEs or something similar. It is clear that there is an interest in having more data available on security vulnerabilities and fixes in the kernel, so that could lead to a lively discussion in October. Some seem to have already started down the path of more openness in the security reporting realm. Lutomirski recently publicly posted a fix that was clearly marked as a security fix from the outset. Cook did much the same with a list of vulnerabilities in the kernel's human interface device (HID) code. Exploiting the HID bugs requires physical access and specialized devices, but that may be part of the threat model for certain users. These aren't the first reports of this kind; others have been made from time to time. In fact, certain subsystems (networking, in particular) essentially never use the closed list and prefer to work on security problems and fixes in the open. An even more recent example comes from Wannes Rombouts's report of a networking security hole (use after free), which was referred to the netdev mailing list by security@kernel.org. The implications of the bug were not completely clear (either to Rombouts or to Hemminger, who replied), but Ben Hutchings recognized that user namespaces could make the problem more widespread (when and if they are enabled in most kernels anyway). Though it is networking related—thus the referral to netdev, presumably—this is the kind of vulnerability that could have been handled behind closed doors. But because it was posted to an open list, the full implications of the problem were discovered. In addition, for this bug (as well as for Lutomirski's and Cook's bugs), those affected have the ability to find out about the problems and either patch their kernels or otherwise mitigate the problem. And that is another advantage of openness. (Log in to post comments)
Opening up kernel security bug handling Posted Sep 12, 2013 9:10 UTC (Thu) by ortalo (subscriber, #4654) [Link]
From my own experience, these discussions frequently omit some (for me) key issues.
First, more efforts should be put into *avoiding* introducing vulnerabilities than into removing them. What about prevention (and/or a priori mitigation actions): shouldn't it deserve more attention in the *first* place?
Of course, some vulnerabilites will occur anyway. But then, I would not manage them identically. IMO, there is always a need for severity evaluation of a specific vulnerability and depending on the severity you may decide on very different courses for action (note that severity may even depend on affected endusers).
Why do you think I read LWN's security page? ;-)
Opening up kernel security bug handling Posted Sep 12, 2013 9:28 UTC (Thu) by pabs (subscriber, #43278) [Link]
If Linus could be convinced to run trinity over incoming patches that might a start.
Opening up kernel security bug handling Posted Sep 12, 2013 9:33 UTC (Thu) by pabs (subscriber, #43278) [Link]
I wonder if using git notes in a particular format would be a better way to do things, you could tag which commit introduced a particular CVE and which fixed it as well as putting Fixes: CVE-XXXX-XXXX in the commit log.
Opening up kernel security bug handling Posted Sep 15, 2013 23:09 UTC (Sun) by error27 (subscriber, #8346) [Link]
The real problem is that most bugs do not get a CVE applied. There are three ways that CVEs are assigned.
1) If a bug is reported to security@kernel.org then someone from there is supposed to forward it to linux-distros and it gets a CVE. There was a gap where this wasn't happening but now it is.
2) Another way bugs get a CVE is if an outside security researcher finds it. Normally security researchers report the bug themselves to oss-security and get a CVE.
3) The last way that bugs get a CVE is if Kees Cook (Google), Petr Matousek (Redhat) or Prasad J Pandit (Redhat) see it going into -stable and flag it.
To double check my impressions I have looked at the first 20 kernel CVEs from this year. Here are the CVEs and the reporter.
CVE-2013-0160 vladz
There aren't any from the first category in this list because the security@kernel.org to linux-distros liaison seems to have been AWOL. These are two private lists and at the time only one person was on both. Since last month the Redhat people and Kees have taken over that job.
There are 6 CVEs which were reported by security researchers.
The other 14 CVEs fall in under the last category where Kees, P J P or Petr spotted the bug.
What you don't see is ordinary kernel devs and maintainers requesting CVEs. This would probably have looked a little better if the liaison between the two private lists had been working better. But in general kernel devs just tag their patch for -stable and that's the end. We will see if that changes during the kernel summit.
Opening up kernel security bug handling Posted Sep 15, 2013 23:35 UTC (Sun) by spender (subscriber, #23067) [Link]
> The other 14 CVEs fall in under the last category where Kees, P J P or Petr spotted the bug.
Or more often than not, spotted them in my changelogs or from me talking about them in public on IRC or Twitter ;) (sometimes for weeks, as in the case of the MSR vuln) Also explains much of the missing 4) Patch not marked for -stable but somehow gets a CVE anyway
-Brad
Opening up kernel security bug handling Posted Sep 16, 2013 7:00 UTC (Mon) by error27 (subscriber, #8346) [Link]
True. Also Redhat customers sometimes report security bugs and Redhat developers sometimes flag a bug as security related.
Opening up kernel security bug handling Posted Sep 17, 2013 2:37 UTC (Tue) by kurtseifried (guest, #57307) [Link]
It's not like we've made it hard to get CVE's, I've been at Red Hat for 2 years now (as of last week), took over CVE assignments early on.
http://people.redhat.com/kseifrie/CVE-OpenSource-Request-...
the afore mentioned methods will work to get CVEs, you can also request them privately (but for linux kernel stuff especially the distros@ list is much preferred as this also ensures all the large Linux vendors get notified.
Opening up kernel security bug handling Posted Sep 17, 2013 12:27 UTC (Tue) by error27 (subscriber, #8346) [Link]
It's not clear why more kernel developers don't file for CVEs.
One reason is maybe that people prefer silent fixes.
One thing is that maintainers already have enough things to do. It's ridiculous to imagine that Greg K-H is going to do all the security analysis by himself. Anyone can file for CVEs if the want to. Greg thinks that distros already do that job and are able to understand which -stable patches have security impacts.
As a kernel contributor, I decided I would let the individual maintainers decide for themselves how they want to handle security bugs. I always spell out the implications. So far no maintainers have ever filed for a CVE but occasionally P J P will tag one of my patches.
A lot of the time, I don't know the security implications myself. Which parts of the code are root only? Is an off-by-one check just a sanity check and can't ever be triggered? If we read one space beyond the end of the array is that a problem?
Vanilla Kernel users are still on their own Posted Sep 13, 2013 14:04 UTC (Fri) by giggls (subscriber, #48434) [Link]
Back in 2010 I wrote a rant in my blog about the subject:
http://blog.gegg.us/2010/09/when-running-kernel-org-kerne...
Now in 2013 I still need to decide based on phrases like "must upgrade" oder "should upgrade" if minor kernel updates are relevant for me or not.
IMO, the perfect solution would be a tool e.g. run ba a cronjob which checks a running kernels version and .config telling me if I have a kernel vulnerable to some known security related bug.
Sven
Vanilla Kernel users are still on their own Posted Sep 13, 2013 15:47 UTC (Fri) by dlang (✭ supporter ✭, #313) [Link]
as someone who has been running the vanilla kernels in production since the 1.3 days, let me say that trying to look at phrases like "must upgrade" or "should upgrade" to decide is meaningless. There is no rigour in deciding which phrase to use, so you are trying to extract meaning where there was no meaning put there in the first place. you may as well roll dice and decide.
If you are running the vanilla kernel, you need to either plan to upgrade to every version, live with the fact that there are vulnerabilities that you haven't patched, or look at the list of patches to see if there are patches to anything that you have compiled in to your kernel (which is why you should have a minimal config so that you can ignore the vast majority of patches as not being relevant to your config)
Now, I'll point out that if you are running a distro patch, you have the exact same problem of running a system with bugs (including security bugs) that have been fixed upstream, you just don't have the ability to do anything about it. And the distro kernels are very much the opposite of the minimal config that lets you not worry about most patches, they tend to compile in every possible option.
Vanilla Kernel users are still on their own Posted Sep 13, 2013 18:24 UTC (Fri) by BenHutchings (subscriber, #37955) [Link] Now, I'll point out that if you are running a distro patch, you have the exact same problem of running a system with bugs (including security bugs) that have been fixed upstream, you just don't have the ability to do anything about it. And the distro kernels are very much the opposite of the minimal config that lets you not worry about most patches, they tend to compile in every possible option. Yes, this can be a problem. In Debian we've made some attempts to reduce the attack surface while still providing features for those who want them. For example, I've patched out the module aliases for the less widely used and tested network address families so that they won't be loaded just because a user called socket(AF_VULNERABLE, ...).
Vanilla Kernel users are still on their own Posted Sep 13, 2013 18:17 UTC (Fri) by BenHutchings (subscriber, #37955) [Link]
If you're referring to stable update announcements, the difference between 'should upgrade' and 'must upgrade' is that my script uses a less prescriptive template message than Greg. That's all there is to it.
The only time you're likely to see a different message in the announcement is when the previous stable update caused a regression for some configurations and this one fixes that single regression.
|
|||||||||||||