User: Password:
|
|
Subscribe / Log in / New account

Tightening security: Time to prioritize it!!

Tightening security: Time to prioritize it!!

Posted Jun 28, 2012 15:31 UTC (Thu) by david.a.wheeler (subscriber, #72896)
Parent article: Tightening security: not for the impatient

Congrats to Kees Cook, who patiently managed to get this in.

But the slow pace of getting security-tightening mechanisms into the kernel is embarrassing.

It's absurd to wait until "all applications as libraries are perfect" as a security strategy. We need a "plan B". A kernel cannot prevent all errors from becoming security vulnerabilities, but where the kernel can reasonably prevent them or reduce their effects, it should do so.

We should be making security-tightening measures a high priority, not something that's done as a last resort. We should be searching for those mechanisms, not trying to prevent their inclusion.


(Log in to post comments)

Tightening security: Time to prioritize it!!

Posted Jun 29, 2012 14:50 UTC (Fri) by spender (subscriber, #23067) [Link]

> We should be searching for those mechanisms

For those without horse blinders:
http://www.grsecurity.net/

Kick your shoes off, prop your feet up, and have a margarita or two. Reward yourself for a job well done!

-Brad

Tightening security: Time to prioritize it!!

Posted Jun 29, 2012 19:14 UTC (Fri) by utoddl (subscriber, #1232) [Link]

Okay, I have no familiarity with grsecurity, but that their entire site seems to be php based made me wince a little.

Tightening security: Time to prioritize it!!

Posted Jun 30, 2012 1:31 UTC (Sat) by spender (subscriber, #23067) [Link]

I suppose you prefer the OpenBSD camp and their "security through complete lack of features"? What kind of security system would it be if it couldn't withstand running the same software nearly everyone else does?

Regardless, it seems to be working out a lot better for us than whatever kernel.org has been running ;)

It's clear you have no familiarity with grsecurity: having your head in the sand for a decade speaks volumes about your security knowledge.

Not really sure why people like yourself feel the need to reply publicly just to expose your own ignorance to the world.

-Brad

Tightening security: Time to prioritize it!!

Posted Jul 1, 2012 11:52 UTC (Sun) by roblucid (subscriber, #48964) [Link]

grsecurity has been offered by some distro's and not others, so the original point made in comment was reasonable; it does not have universal acceptance. There are often competing approaches and implementations of ideas, some developers work better with the LKML community than others so tend to have code accepted where others have failed.

The last sentence was not necessary, a personal comment detracting from the technical point point.

Tightening security: Time to prioritize it!!

Posted Jul 1, 2012 12:40 UTC (Sun) by spender (subscriber, #23067) [Link]

You should look again at the comment I was actually replying to (it seems you paired it up with a different one). If you think *that* idiotic one-liner was "reasonable", more power to you.

-Brad

Tightening security: Time to prioritize it!!

Posted Jul 1, 2012 14:35 UTC (Sun) by man_ls (guest, #15091) [Link]

Granted, the one-liner was a bit misleading; the same comment could have been made for many other things and be equally meaningless. Just for fun:
I have no familiarity with github, but that their entire site seems to be Rails-based made me wince a little.
I have no familiarity with Red Hat, but that their entire distro seems to be Linux-based made me wince a little.
I have no familiarity with eBay, but that their entire site seems to be IIS-based made me wince a little.
(The last one made me wince too, but hey.)

Anyway I think you (Brad Spender) can do better than insult someone in public. This kind of derision tells more about you than about the original poster.

Tightening security: Time to prioritize it!!

Posted Jul 11, 2012 21:21 UTC (Wed) by BenHutchings (subscriber, #37955) [Link]

spender doesn't want distributions to package grsecurity, as its security improvements might be compromised by other patches they apply. I am quite happy to oblige him in this regard.

Tightening security: Time to prioritize it!!

Posted Jul 12, 2012 12:26 UTC (Thu) by spender (subscriber, #23067) [Link]

Ben seems to be referring to my only public comment on the Debian list regarding packaging grsecurity. For the others reading, here's my comment in its entirety:
http://lists.debian.org/debian-kernel/2012/01/msg01165.html

Anyone is free to do what they want, of course. I just don't recommend the use of such kernels, as over the years I've noticed several things:

1) Our development is very active, yet any 3rd-party packaging has always lagged (often quite badly). In fact just yesterday I had someone on the forums waste my time trying to get help compiling his "grsecurity" kernel that turned out to be a 2 year old Debian source of it.
2) Security isn't obtained by lifting individual features, and you can't just toss some code into a codebase and claim it works as intended just because it applies cleanly. I'll be giving a talk in October at H2HC where in part I'll talk about some security features that were ripped from grsecurity and submitted upstream, then neglected to the point where they no longer do what they claim.
3) When it comes to security features, I argue the same as in Plato's "Ion", that a security researcher with kernel development experience would know best how it should be merged to preserve its integrity. Not a kernel developer lacking security knowledge, and definitely not someone just testing to see if two codebases compile when merged.

I don't think any of the above is unreasonable. BTW, instead of making snide remarks, might your time be better served backporting some more missing security fixes to 3.2? ;)

-Brad

Tightening security: Time to prioritize it!!

Posted Jul 13, 2012 1:36 UTC (Fri) by BenHutchings (subscriber, #37955) [Link]

In fact just yesterday I had someone on the forums waste my time trying to get help compiling his "grsecurity" kernel that turned out to be a 2 year old Debian source of it.

Not an official Debian package, of course.

BTW, instead of making snide remarks, might your time be better served backporting some more missing security fixes to 3.2? ;)

My remark was intended more as a joke that it's very easy to satisfy people who want me (or rather us) not to work on something. Less funny when it has to be explained, I suppose. As for backporting security fixes, I try, but surely you consider me incompetent to do so?

Tightening security: Time to prioritize it!!

Posted Jul 13, 2012 2:45 UTC (Fri) by spender (subscriber, #23067) [Link]

In that case, sorry -- I shouldn't have assumed. FWIW you do a good job backporting with much attention to detail. My comments were more about merging of security features as opposed to fixes for a particular bug. Features generally require ongoing maintenance and re-evaluation.

-Brad

Tightening security: Time to prioritize it!!

Posted Aug 21, 2012 7:46 UTC (Tue) by reddit (guest, #86331) [Link]

These guys should work on pushing their changes into the mainline kernel.

Which means doing them properly in such a way that they don't impact performance, functionality or compatibility.

Tightening security: Time to prioritize it!!

Posted Aug 21, 2012 10:55 UTC (Tue) by dark (guest, #8483) [Link]

Well, that definition of 'properly' puts security in fourth place. It makes it an afterthought. Something that's nice to have as long as it doesn't impact the important stuff. I don't think it's likely that people who put security in first place are going to do their work that way.

Tightening security: Time to prioritize it!!

Posted Aug 21, 2012 19:34 UTC (Tue) by dlang (subscriber, #313) [Link]

for people who put security first, ahead of everything else, there is really only one solution

http://www.ranum.com/security/computer_security/papers/a1...


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds