
How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

Posted Feb 18, 2013 3:48 UTC (Mon) by clopez (subscriber, #66009)
In reply to: How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com) by bojan
Parent article: How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

I can only agree with you.

What strikes me is why Spender has not yet been able to get a well-paid full-time job hacking on grsecurity.

Aren't any of the big Linux distributions focused on the server market (Red Hat/SUSE/Oracle/Ubuntu...) interested in shipping hardened kernels? Aren't their customers demanding this? Why?

Is it just because they think that the Linux LSMs (SELinux/AppArmor/etc.) are enough?



How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

Posted Feb 18, 2013 6:10 UTC (Mon) by px43 (guest, #89407) [Link]

I'm pretty sure spender doesn't work on grsec professionally for the same reason that Linus doesn't work on Linux professionally. If he had to declare loyalty to one company, it would create a conflict of interest. I'm sure any of those places would hire him in a heartbeat if he actually showed any interest. We really do need people like him though, not worrying about politics and doing the shit that needs to be done. Others like bliss and kees can do the rest and work on getting things upstreamed :-)

How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

Posted Feb 18, 2013 6:26 UTC (Mon) by dlang (subscriber, #313) [Link]

> ..for the same reason that Linus doesn't work on Linux professionally.

Umm, Linus does work on Linux as his full-time paid job, he has for quite a few years.

He avoided working at any distro, but he is one of several people who are paid by the Linux Foundation to work on Linux full-time.

Creating fixes that almost nobody runs isn't a very effective thing to be doing. If they produced 1/10 as many fixes, but those fixes got into the upstream kernel, their effect on the world would be much larger.

The problem is that they want to just say "security says we need to do this" and have whatever they have provided accepted.

The kernel people want to understand what the problem is, look at the impact of doing things, and try to find a solution that both solves the problem and doesn't hurt performance. That's not what Spender and Paxteam want, they seem to want people to accept and run whatever they provide.

There are other developers who work this way, and a few of them do have an impact (Theo, djb, and Jörg Schilling are three examples), but they end up fading from relevance over time as other people who work better with others are more effective.

How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

Posted Feb 18, 2013 7:32 UTC (Mon) by imitev (guest, #60045) [Link]

> the kernel people want to understand what the problem is, look at the impact of doing things, and try to find a solution that both solves the problem and doesn't hurt performance.

My feeling with kernel security is that performance and compatibility with broken stuff get the priority over security. LWN's fine editors have been outlining the lack of focus on security - albeit with diplomacy and subtlety - for quite some time, so it's not just me.

grsecurity is GPL, so the personality of developers isn't relevant: whatever they think of Spender's behavior, any of the kernel people you mention could rip and push grsecurity solutions/concepts upstream. But this doesn't happen. So 1/ either kernel people who have enough "power" to push for such changes are not interested in security, or 2/ they won't look at spender's work just because they don't like him, or 3/ grsecurity features are useless. Kernel devs are not in kindergarten and if we assume that security-conscious companies who use grsecurity know what they are doing, that leaves us with 1/

How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

Posted Feb 18, 2013 7:56 UTC (Mon) by dlang (subscriber, #313) [Link]

Well, he would have to make a case that he needed to be paid by them.

And as part of the application, he would need to show that he can work with the community, which would be a fairly hard thing to do given his current attitude.

How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

Posted Feb 18, 2013 8:06 UTC (Mon) by dlang (subscriber, #313) [Link]

or 4, they respond when someone points out a problem and work to close that problem, but are not willing to sacrifice performance based on theoretical problems that they see no possible way to exploit.

They are also far too busy reviewing and accepting code where the author wants it to be part of the kernel to go hunting around for code that may exist, may or may not have bugs, may or may not apply to the core kernel without problems, and may or may not even be legally released.

One of the side effects of the SCO fiasco is that they require that people attest that they have the right to contribute the code that they submit. Just saying 'someone slapped a GPL tag on it' isn't going to be good enough.

The kernel developers have removed code that they had the legal right to include in the kernel because the author of the code wanted them to. They aren't about to go hunting for code whose author may oppose what they do with it.

How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

Posted Feb 18, 2013 10:20 UTC (Mon) by imitev (guest, #60045) [Link]

> or 4, they respond when someone points out a problem and work to close that problem, but are not willing to sacrifice performance based on theoretical problems that they see no possible way to exploit

Well the *class* of exploits that grsecurity prevents looks rather practical to me (and if it was only theoretical why would security companies even bother using it?), so we'll have to agree to disagree.

> The kernel developers have removed code that they had the legal right to include in the kernel because the author of the code wanted them to.

Code != concepts. So OK, the problem is then with patents.
Let's have a look at virtualization: one would think that it's a patent minefield compared to security, but we continue to enjoy a steady rate of improvements and new features in that area. Maybe it's just that it's more fun and interesting to develop than security. Or not: companies make money selling virtualization products, or save money buying them to optimize their computing resources. Meanwhile, security is not only costly, with no immediate benefits, but it also prevents your employees from getting the work done in a quick&dirty way, it makes users yell at sysadmins, and a few other dozen complaints. You just realize how nice it would have been when your systems are compromised. And on the other side, if you invested in it, you might not see any effect since you effectively decreased the chance somebody would manage to hack you. I'm wandering too far, but the point is that security is a difficult sell, I don't think it has anything to do with legal stuff. People are just not interested.

> Well, he would have to make a case that he needed to be paid by them

I don't understand how your comment relates to what I've written.
There seems to be an assumption that Spender needs money and should be paid to push features upstream; I hope for him he's already well paid between sponsoring, consulting, and (maybe) selling exploits. I anticipate you'll ask why he's then bothering trying to advertise his superior features, maybe he's just trying to prove a point and have some recognition for the work he's doing - very human, after all. Granted, with a complete lack of diplomacy.

How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

Posted Feb 18, 2013 7:15 UTC (Mon) by anselm (subscriber, #2796) [Link]

> I'm pretty sure spender doesn't work on grsec professionally for the same reason that Linus doesn't work on Linux professionally. If he had to declare loyalty to one company, it would create a conflict of interest.

If that were the case, the obvious move would be for the Linux Foundation to pay him a stipend just like they're paying Linus.

How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

Posted Feb 18, 2013 6:18 UTC (Mon) by treed (guest, #11432) [Link]

Sounds like sour grapes to me. The grsecurity guys are pretty bummed that SELinux is getting all of the love.

How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

Posted Feb 18, 2013 13:41 UTC (Mon) by dpquigl (guest, #52852) [Link]

Spender repeatedly spouts the false dichotomy that it's either GRSecurity or SELinux. Let's clear something up right now. SELinux is an access control model. GRSecurity is a set of security enhancements to a bunch of places in the kernel including kernel memory protections using PaX. GRSecurity also includes their own access control model in the form of RBAC (Rule Based Access Control) where they have their own learning mode. The parts that you should compare SELinux and GRSecurity to are SELinux and GRSecurity RBAC. We in the SELinux community do not claim to do any sort of kernel level exploit mitigation and we never have. The best we could ever do is make policies that restrict avenues of attack for kernel exploits but we do not do anything to mitigate damage at a kernel level. As spender has pointed out the default policies for Fedora are very permissive because they have traded off some usability for strict security. We have people who use much stricter policies which restrict far more but those are in applications where the need for security far exceeds the need for usability. Those deployments are where the machine in question is acting mostly as an appliance which will never be interacted with directly.

All that being said, Spender and PaXTeam do tons of great work. I would love to see a lot of their code merged into mainline but the likelihood of that happening isn't very good. If you use a Hardened Gentoo kernel you'll actually get a kernel with PaX protections with some GRSecurity features and SELinux enabled which I think is an awesome thing. As Spender showcased above he does not play politics or suffer fools. What he doesn't seem to care about is that most of the kernel inclusion process is politics. We've seen it before with competing implementations of features where the person in the "in crowd" got their implementation chosen over someone who had been working on the problem for a very long time with a large user base. That coupled with a hostile attitude from upstream about security (Linus has repeatedly called security people crazy, Spender and SELinux people included) makes it hard to dedicate time to working on getting things upstreamed.

How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

Posted Feb 18, 2013 13:57 UTC (Mon) by dpquigl (guest, #52852) [Link]

Correction: it's RSBAC, not RBAC.

How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

Posted Feb 18, 2013 14:01 UTC (Mon) by spender (subscriber, #23067) [Link]

RSBAC is a completely separate project ;)

http://www.rsbac.org

-Brad

How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

Posted Feb 18, 2013 14:03 UTC (Mon) by dpquigl (guest, #52852) [Link]

I stand corrected. I thought it was part of your work with GRSecurity. It's good to see that it's separated out so that if someone wanted to use it they could. However, if I was going to roll my own kernel with RSBAC in it I'd just use the GRSecurity patches and get all the extra goodies that go along with it.

How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

Posted Feb 18, 2013 15:21 UTC (Mon) by spender (subscriber, #23067) [Link]

I think you may be confused still ;) Grsecurity has its own RBAC system (I haven't given it a fancy name) which is included in the grsecurity patch. RSBAC is a totally different project, different authors, etc. It's not related to grsecurity in any way.

-Brad

How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

Posted Feb 18, 2013 15:45 UTC (Mon) by dpquigl (guest, #52852) [Link]

You're right, I was confused. I was looking through the PaX slides you referenced above and it had GRSecurity and RSBAC right next to each other so I associated them together. So yes, the correct comparison would be SELinux against your RBAC mechanism.

How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

Posted Feb 18, 2013 13:50 UTC (Mon) by dpquigl (guest, #52852) [Link]

You may find some people that think LSMs are enough but everyone I've spoken to (LSM authors) realizes that the LSMs are really only access control models and that other parts of the kernel need to be hardened as well. That being said, as someone who worked on SELinux it wasn't my job to harden the kernel. My job was to do research and we used SELinux as a platform. If it got merged upstream all the better. If it was something that someone like Red Hat wanted then I had more help in getting stuff upstream. Spender's main issue is with a community that seems indifferent at best and openly hostile at worst to handling security related issues. It's also that some of his features would not be as palatable with the subsystem maintainers that they would interact with.

