|
|
Subscribe / Log in / New account

A new Mindcraft moment?

A new Mindcraft moment?

Posted Nov 7, 2015 5:49 UTC (Sat) by kunitz (subscriber, #3965)
Parent article: A new Mindcraft moment?

I believe I'm qualified to comment here. I have worked some years on kernel code for the zd1211rw WLAN driver and my day job is working on security in a multinational financial institution.

While we are spending millions at a multitude of security problems, kernel issues are not on our top-priority list. Honestly I remember only once having discussing a kernel vulnerability. The result of the analysis has been that all our systems were running kernels that were older as the kernel that had the vulnerability.

But "patch management" is a real issue for us. Software must continue to work if we install security patches or update to new releases because of the end-of-life policy of a vendor. The revenue of the company is depending on the IT systems running. So "not breaking user space" is a security feature for us, because a breakage of one component of our several ten thousands of Linux systems will stop the roll-out of the security update.

Another problem is embedded software or firmware. These days almost all hardware systems include an operating system, often some Linux version, providing a fill network stack embedded to support remote management. Regularly those systems don't survive our obligatory security scan, because vendors still didn't update the embedded openssl.

The real challenge is to provide a software stack that can be operated in the hostile environment of the Internet maintaining full system integrity for ten years or even longer without any customer maintenance. The current state of software engineering will require support for an automated update process, but vendors must understand that their business model must be able to finance the resources providing the updates.

Overall I'm optimistic, networked software is not the first technology used by mankind causing problems that were addressed later. Steam engine use could result in boiler explosions but the "engineers" were able to reduce this risk significantly over a few decades.

(Log in to post comments)

A new Mindcraft moment?

Posted Nov 7, 2015 10:29 UTC (Sat) by ms (subscriber, #41272) [Link]

I think this emphasises some of the points in Jon's original article, namely: what is money spent on, and why? Essentially, you're saying that the bottom line of your employer is driven mainly by the reliability of the system, and to a much lesser extent the security, particularly where security impacts reliability.

The following is all guess work; I'd be keen to know if others have evidence either one way or another on this: The people who learn how to hack into these systems through kernel vulnerabilities know that they skills they've learnt have a market. Thus they don't tend to hack in order to wreak havoc - indeed on the whole where data has been stolen in order to release and embarrass people, it _seems_ as though those hacks are through much simpler vectors. I.e. lesser skilled hackers find there is a whole load of low-hanging fruit which they can get at. They're not being paid ahead of time for the data, so they turn to extortion instead. They don't cover their tracks, and they can often be found and charged with criminal offences.

So if your security meets a certain basic level of proficiency and/or your company isn't doing anything that puts it near the top of "companies we'd like to embarrass" (I suspect the latter is much more effective at keeping systems "safe" than the former), then the hackers that get into your system are likely to be skilled, paid, and probably not going to do much damage - they're stealing data for a competitor / state. So that doesn't bother your bottom line - at least not in a way which your shareholders will be aware of. So why fund security?

A new Mindcraft moment?

Posted Nov 7, 2015 17:02 UTC (Sat) by citypw (guest, #82661) [Link]

Many of my customers has the "breach" experiences and they do agree with that kernel is still a big issue inside the enterprise data centres. In the most common case of an attacking path in the wild-cyber-world may look like: Attacker try to find some vulns from web system( router's mgt UI or a regular website) --> exploit it to get the web shell --> privilege escalation of the linux kernel --> root( pwned). In the real world, more than 60% attacks from inside. Hardened kernel may be your last defensive line. See, kernel( and other core infrastructure including compiler( DDC issues), firmware) is still the matter that you should concern.

On the other hand, some effective mitigation in kernel level would be very helpful to crush cybercriminal/skiddie's try. If one of your customer running a future trading platform exposes some open API to their clients, and if the server has some memory corruption bugs can be exploited remotely. Then you know there are known attack methods( such as offset2lib) can help the attacker make the weaponized exploit so much easier. Will you explain the failosophy "A bug is bug" to your customer and tell them it'd be ok? Btw, offset2lib is useless to PaX/Grsecurity's ASLR imp.

To the most commercial uses, more security mitigation within the software won't cost you more budget. You'll still have to do the regression test for each upgrade.

A new Mindcraft moment?

Posted Nov 12, 2015 16:14 UTC (Thu) by andreashappe (subscriber, #4810) [Link]

I'm doing pen-tests and while it is nice if I get root-level access data-theft on databases is more "costly" for the companies. Getting access with web-server/database credentials gains lots of interesting attack vectors (be it client-side attacks or data-extraction) -- the linux kernel is not involved with any of them.

Keep in mind that I specialize in external web-based penetration-tests and that in-house tests (local LAN) will likely yield different results.


Copyright © 2022, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds