
Security

The TCP "challenge ACK" side channel

By Jake Edge
August 10, 2016

Side-channel attacks against various kinds of protocols (typically networking or cryptographic) are both dangerous and often hard for developers and reviewers to spot. They are generally passive attacks, which makes them hard to detect as well. A recent paper [PDF] describes in detail one such attack against the kernel's TCP networking stack; the bug (CVE-2016-5696) has existed since Linux 3.6, which was released in 2012. Ironically, the bug was introduced because Linux has implemented a countermeasure against another type of attack.

There are a number of pieces of information that an attacker needs to interfere with a TCP connection between two hosts. To start with, the so-called four-tuple, which consists of the source IP address, source port number, destination IP address, and destination port number, is needed. Several of those values can be guessed or inferred (e.g. destination IP and port), but there is another piece of information needed to actually interfere with a connection.

TCP has 32-bit sequence numbers that are used to order the packets in the connection stream. They are also an important part of the packets used to establish and break down connections. A packet that could interfere with a connection must have a sequence number that is within the receive window of the target. That window effectively determines the range of sequence numbers that are acceptable.

Once upon a time, in a far more trusting era, sequence numbers were fairly easily predicted, but those days are long gone. These days, sequence numbers are randomized to thwart various kinds of packet-injection and connection-spoofing attacks. An eavesdropper can still observe the sequence numbers in a conversation, but an "off-path" attacker must guess. By randomizing the initial sequence number (ISN) used by a connection, network stacks make guessing difficult enough to stop most off-path attacks.

But if a way can be found to more quickly narrow in on the sequence numbers used in a connection, off-path attackers can be more efficient in their probing—to the point where they can inject packets into an established connection. That is effectively what the researchers found.

But first, there is another obstacle to overcome: according to the paper, off-path attacks have generally been limited by the need to get unprivileged malware running on one of the endpoints to determine whether two hosts are actually communicating. But the researchers found a way to quickly determine whether two hosts are communicating and what port numbers they are using, without any assistance from malware.

Linux is the only operating system vulnerable to this attack because it is the only one that has faithfully implemented RFC 5961, which was proposed to avoid a different kind of packet injection attack. It uses "challenge ACKs" to avoid resetting a connection when a spoofed connection request (SYN) or connection termination (RST) packet with a sequence number within the receive window is received. The challenge ACK will allow long-lived connections to be more resistant to these spoofed packets that are meant to close the connection.

The challenge ACKs require that the original sender reply with the exact sequence number expected for the next packet, not just one within the receive window, which is more difficult for an off-path attacker to arrange. But challenge ACKs also consume resources, so the RFC recommends that a limit be imposed on the number of challenge ACKs sent over a given time frame (Linux used 100/second by default). Since challenge ACKs were expected to be rare occurrences, the counter for rate-limiting them was global for all TCP connections on the system—and the RFC specifically directed that regular ACKs should not be counted. Because of this, challenge ACKs provide a side channel:

At a very high level, the vulnerability allows an attacker to create contention on a shared resource, i.e., the global rate limit counter on the target system by sending spoofed packets. The attacker can then subsequently observe the effect on the counter changes, measurable through probing packets.

Through extensive experimentation, we demonstrate that the attack is extremely effective and reliable. Given any two arbitrary hosts, it takes only 10 seconds to successfully infer whether they are communicating. If there is a connection, subsequently, it takes also only tens of seconds to infer the TCP sequence numbers used on the connection.

The general outlines of an attack are as follows. The attacker establishes an ordinary connection to the server, then sends a stream of bogus RST and SYN packets to force the target to generate the maximum number of challenge ACKs. Some spoofed packets "from" the client of interest are also sent. If all of the expected 100 challenge ACKs are received on the regular connection, then the four-tuple in the spoofed packet does not represent an active connection, but if some are missing, they must have been sent as challenge ACKs in response to spoofed packets, indicating that a connection exists.

Once that is established, in-window sequence numbers need to be determined—challenge ACKs can help there too. Once again, challenge ACKs are provoked using a normal connection and the number received is counted. Spoofed RST packets with a guessed sequence number are also sent; the number of challenge ACKs received on the regular connection allows the attacker to infer whether the guessed sequence number is within the window. Further probing with spoofed ACKs can narrow things down to the exact sequence number expected for the next packet.

Two kinds of attacks are described in the paper. The easiest is to simply reset an in-progress connection. The other hijacks the connection to inject content of the attacker's choosing. The paper describes the former being reliably deployed against SSH and Tor connections, while it mentions the latter being targeted at long-lived connections for data like video streams, advertisements, or news sites.

There are some more wrinkles to the attack, of course, including synchronizing with the host's clock so that the one-second boundary can be reliably determined. That, too, uses challenge ACKs. Other hurdles are also discussed in the paper. But the attack can have far-reaching effects as the team's short YouTube video demonstrates. It injects some JavaScript into a web session to display attacker-controlled content.

The research was also highlighted in an article in a University of California, Riverside (UCR) publication as most of the researchers are students or faculty there. Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao and Srikanth V. Krishnamurthy of UCR were joined by Lisa M. Marvel from the United States Army Research Laboratory in writing the paper, which was presented at the USENIX Security Symposium on August 10.

It is an interesting and clever attack that sadly only lacks a catchy name, colorful logo, and hype-filled web site. Cao did alert kernel developers to the problem, which was fixed in the mainline in July (and appears in the 4.7 kernel). The fix raises the limit to 1000 challenge ACKs per second, but also adds some randomization to the value so that counting will be less effective. In addition, the patch notes that per-socket rate limiting is available, which could lead to the removal of the global challenge ACK count down the road; some work toward that end has been merged as well.

The fix has not made it to the stable kernels yet, but there is a mitigation available in the form of the tcp_challenge_ack_limit sysctl knob. Setting that value to something enormous (e.g. 999999999) will make it much harder for attackers to exploit the flaw.
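The shared-counter side channel described above, and the effect of the 4.7 fix and the sysctl workaround on it, can be modeled without sending a single packet. The following is an added example (not code from the paper, the kernel, or this article): a user-space model of the global per-second challenge-ACK budget. The class and function names, and the randomization formula (budget drawn from [limit/2, limit*3/2)), are assumptions made for the model, not the kernel's exact implementation.

```python
import random


class ChallengeAckLimiter:
    """Models the per-second challenge-ACK budget shared by every TCP socket.

    limit     -- the tcp_challenge_ack_limit sysctl value (100 before 4.7).
    randomize -- models the 4.7 fix: the budget for each second is drawn from
                 [limit/2, limit*3/2) instead of being exactly `limit`
                 (modelling assumption, not the kernel's exact formula).
    """

    def __init__(self, limit, randomize=False, rng=None):
        self.limit = limit
        self.randomize = randomize
        self.rng = rng or random.Random(0)
        self.second = None      # wall-clock second the current budget belongs to
        self.remaining = 0      # challenge ACKs still allowed in this second

    def _new_second(self, now):
        self.second = now
        if self.randomize:
            self.remaining = self.limit // 2 + self.rng.randrange(self.limit)
        else:
            self.remaining = self.limit

    def try_send(self, now):
        """Return True if a challenge ACK may still be sent in second `now`."""
        if now != self.second:
            self._new_second(now)
        if self.remaining > 0:
            self.remaining -= 1
            return True
        return False


def observed_on_own_connection(limiter, now, hidden_triggers, probes):
    """Challenge ACKs a legitimate connection receives for `probes` in-window
    RST/SYN packets, after `hidden_triggers` challenge ACKs were already
    consumed from the shared budget in the same second by other sockets."""
    for _ in range(hidden_triggers):
        limiter.try_send(now)
    return sum(1 for _ in range(probes) if limiter.try_send(now))


def leaked_signal(limit, randomize, hidden_triggers, probes, seconds=20):
    """Per-second difference between a baseline count (nothing else consumed
    the budget) and the count seen when `hidden_triggers` were consumed.

    With a fixed budget the difference equals hidden_triggers exactly: that is
    the side channel. With a randomised budget the baseline itself jitters, so
    the difference is noise. With a huge sysctl value the budget never runs
    out and the difference is always 0."""
    lim = ChallengeAckLimiter(limit, randomize, random.Random(42))
    diffs = []
    for sec in range(seconds):
        baseline = observed_on_own_connection(lim, 2 * sec, 0, probes)
        seen = observed_on_own_connection(lim, 2 * sec + 1, hidden_triggers, probes)
        diffs.append(baseline - seen)
    return diffs


if __name__ == "__main__":
    print("pre-4.7 fixed limit 100:     ", leaked_signal(100, False, 3, 100))
    print("sysctl knob set to 999999999:", leaked_signal(999999999, False, 3, 100))
    print("4.7 fix, limit 1000 + jitter:", leaked_signal(1000, True, 3, 2000))
```

With the fixed limit every second reports exactly the number of challenge ACKs consumed elsewhere; with the randomized budget the attacker's own baseline is no longer stable, and with the enormous sysctl value the budget is never exhausted, so nothing is observable.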

Spoofing source IP addresses is not technically difficult, though it may be hard to get the packet through routers and the like in some cases. A Center for Applied Internet Data Analysis study shows that nearly half of the autonomous systems on the internet are at least partly spoofable, though. There are, as yet, no reports of attacks using this technique in the wild, though one would guess it won't be long before we do see some.

In the end, challenge ACKs seem a reasonable solution to a real problem, but Linux played the role of a guinea pig here. There are upsides to doing that, such as providing a platform where the researchers could discover the problems in the RFC. There are downsides, as well; Linux is currently getting some bad press about its networking implementation, for example. On the whole, though, these problems needed to be found—and now they are.


Brief items

Security quotes of the week

"Other players that possess the potential ability to limit piracy are the companies that own the major operating systems which control computers and mobile devices such as Apple, Google and Microsoft," one of the main conclusions reads.

"The producers of operating systems should be encouraged, or regulated, for example, to block downloads of copyright infringing material," the report adds.

Ernesto Van Der Sar on a report [PDF in Swedish] from the Black Market Watch and the Global Initiative against Transnational Organized Crime

If we're facing a situation where we see tampering on a massive scale, we could end up in a crisis far worse than Florida after the Bush/Gore election of 2000. If we do nothing until after we find problems, every proposed solution will be tinted with its partisan impact, making it difficult to reach any sort of procedural consensus. Nobody wants to imagine a case where our electronic voting systems have been utterly compromised, but if we establish processes and procedures, in advance, for dealing with these contingencies, such as commissioning paper ballots and rerunning the elections in impacted areas, we will disincentivize foreign election adversaries and preserve the integrity of our democracy.
Dan Wallach


Breaking through censorship barriers, even when Tor is blocked (Tor Blog)

The Tor Blog looks at using Pluggable Transports to avoid country-level Tor blocking. There are some new easy-to-follow graphical directions for using the transports. "Many repressive governments and authorities benefit from blocking their users from having free and open access to the internet. They can simply get the list of Tor relays and block them. This bars millions of people from access to free information, often including those who need it most. We at Tor care about freedom of access to information and strongly oppose censorship. This is why we've developed methods to connect to the network and bypass censorship. These methods are called Pluggable Transports (PTs). Pluggable Transports are a type of bridge to the Tor network. They take advantage of various transports and make encrypted traffic to Tor look like not-interesting or garbage traffic. Unlike normal relays, bridge information is kept secret and distributed between users via BridgeDB."


Study Highlights Serious Security Threat to Many Internet Users (UCR Today)

UCR Today reports that researchers at the University of California, Riverside have identified a weakness in the Transmission Control Protocol (TCP) in Linux that enables attackers to hijack users’ internet communications remotely. "The UCR researchers didn’t rely on chance, though. Instead, they identified a subtle flaw (in the form of ‘side channels’) in the Linux software that enables attackers to infer the TCP sequence numbers associated with a particular connection with no more information than the IP address of the communicating parties. This means that given any two arbitrary machines on the internet, a remote blind attacker, without being able to eavesdrop on the communication, can track users’ online activity, terminate connections with others and inject false material into their communications."


Check Point's "QuadRooter" vulnerabilities

Check Point has discovered four local-root vulnerabilities in Qualcomm-based Android devices and is hyping the result as "QuadRooter". "QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. Qualcomm is the world’s leading designer of LTE chipsets with a 65% share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device." Actually getting the report requires registration. All four vulnerabilities are in Android-specific code; three of them are in out-of-tree modules (kgsl and ipc_router); the fourth is in the "ashmem" code in the staging tree.


New vulnerabilities

bsdiff: denial of service

Package(s): bsdiff
CVE #(s): CVE-2014-9862
Created: August 8, 2016
Updated: November 3, 2016
Description: From the CVE entry:

Integer signedness error in bspatch.c in bspatch in bsdiff, as used in Apple OS X before 10.11.6 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via a crafted patch file.

Alerts:
Debian-LTS DLA-697-1 bsdiff 2016-11-03
Mageia MGASA-2016-0288 bsdiff 2016-08-31
openSUSE openSUSE-SU-2016:1977-1 bsdiff 2016-08-06


chromium: multiple vulnerabilities

Package(s): Chromium
CVE #(s): CVE-2016-5139 CVE-2016-5140 CVE-2016-5141 CVE-2016-5142 CVE-2016-5143 CVE-2016-5144 CVE-2016-5145 CVE-2016-5146
Created: August 8, 2016
Updated: August 18, 2016
Description: From the openSUSE advisory:

Chromium was updated to 52.0.2743.116 to fix the following security issues: (boo#992305)

  • CVE-2016-5141: Address bar spoofing (boo#992314)
  • CVE-2016-5142: Use-after-free in Blink (boo#992313)
  • CVE-2016-5139: Heap overflow in pdfium (boo#992311)
  • CVE-2016-5140: Heap overflow in pdfium (boo#992310)
  • CVE-2016-5145: Same origin bypass for images in Blink (boo#992320)
  • CVE-2016-5143: Parameter sanitization failure in DevTools (boo#992319)
  • CVE-2016-5144: Parameter sanitization failure in DevTools (boo#992315)
  • CVE-2016-5146: Various fixes from internal audits, fuzzing and other initiatives (boo#992309)
Alerts:
Gentoo 201610-09 chromium 2016-10-29
Ubuntu USN-3058-1 oxide-qt 2016-09-14
Arch Linux ASA-201608-16 chromium 2016-08-17
Fedora FEDORA-2016-e9798eaaa3 chromium 2016-08-12
Mageia MGASA-2016-0279 chromium-browser-stable 2016-08-09
Debian DSA-3645-1 chromium-browser 2016-08-09
Red Hat RHSA-2016:1580-01 chromium-browser 2016-08-09
openSUSE openSUSE-SU-2016:1983-1 Chromium 2016-08-08
openSUSE openSUSE-SU-2016:1982-1 Chromium 2016-08-08


Firefox: denial of service

Package(s): firefox, nss, thunderbird
CVE #(s): CVE-2016-2839
Created: August 5, 2016
Updated: September 7, 2016
Description:

From the openSUSE advisory:

Cairo rendering crash due to memory allocation issue with FFmpeg 0.10.

Alerts:
openSUSE openSUSE-SU-2016:2378-1 Thunderbird 2016-09-25
openSUSE openSUSE-SU-2016:2254-1 thunderbird 2016-09-07
openSUSE openSUSE-SU-2016:2253-1 thunderbird 2016-09-07
SUSE SUSE-SU-2016:2195-1 firefox 2016-08-30
SUSE SUSE-SU-2016:2131-1 MozillaFirefox 2016-08-22
SUSE SUSE-SU-2016:2061-1 firefox, nspr, nss 2016-08-12
openSUSE openSUSE-SU-2016:2026-1 firefox, mozilla-nss 2016-08-11
Slackware SSA:2016-219-02 firefox 2016-08-06
Fedora FEDORA-2016-7dd68d253f firefox 2016-08-05
Ubuntu USN-3044-1 firefox 2016-08-05
openSUSE openSUSE-SU-2016:1964-1 MozillaFirefox, mozilla-nss 2016-08-05
Gentoo 201701-15 firefox thunderbird 2017-01-04
Gentoo 201701-15 firefox 2017-01-03


firefox: multiple vulnerabilities

Package(s): firefox
CVE #(s): CVE-2016-2835 CVE-2016-5250 CVE-2016-5251 CVE-2016-5255 CVE-2016-5260 CVE-2016-5261 CVE-2016-5266 CVE-2016-5268
Created: August 5, 2016
Updated: October 28, 2016
Description:

From the Arch Linux advisory:

CVE-2016-2835 - Mozilla developers and community members reported several memory safety bugs in the browser engine used in firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

CVE-2016-5250 - Information disclosure through Resource Timing API during page navigation.

CVE-2016-5251 - Location bar spoofing via data URLs with malformed/invalid mediatypes.

CVE-2016-5255 - Crash in incremental garbage collection in JavaScript.

CVE-2016-5260 - Form input type change from password to text can store plain text password in session restore file.

CVE-2016-5261 - Integer overflow in WebSockets during data buffering.

CVE-2016-5266 - Information disclosure and local file manipulation through drag and drop.

CVE-2016-5268 - Spoofing attack through text injection into internal error pages.

Alerts:
Ubuntu USN-3112-1 thunderbird 2016-10-27
Debian-LTS DLA-658-1 icedove 2016-10-16
SUSE SUSE-SU-2016:2513-1 firefox 2016-10-12
SUSE SUSE-SU-2016:2431-1 firefox 2016-10-04
SUSE SUSE-SU-2016:2434-1 firefox 2016-10-04
Mageia MGASA-2016-0329 firefox/rootcerts/nss 2016-09-28
Debian-LTS DLA-636-1 firefox-esr 2016-09-27
Debian DSA-3674-1 firefox-esr 2016-09-22
CentOS CESA-2016:1912 firefox 2016-09-22
Scientific Linux SLSA-2016:1912-1 firefox 2016-09-21
Red Hat RHSA-2016:1912-01 firefox 2016-09-21
Arch Linux ASA-201609-3 thunderbird 2016-09-04
SUSE SUSE-SU-2016:2195-1 firefox 2016-08-30
SUSE SUSE-SU-2016:2131-1 MozillaFirefox 2016-08-22
SUSE SUSE-SU-2016:2061-1 firefox, nspr, nss 2016-08-12
openSUSE openSUSE-SU-2016:2026-1 firefox, mozilla-nss 2016-08-11
Slackware SSA:2016-219-02 firefox 2016-08-06
Fedora FEDORA-2016-7dd68d253f firefox 2016-08-05
Ubuntu USN-3044-1 firefox 2016-08-05
openSUSE openSUSE-SU-2016:1964-1 MozillaFirefox, mozilla-nss 2016-08-05
Arch Linux ASA-201608-2 firefox 2016-08-05
Gentoo 201701-15 firefox thunderbird 2017-01-04
Gentoo 201701-15 firefox 2017-01-03


flex: buffer overflow

Package(s): flex
CVE #(s): CVE-2016-6354
Created: August 9, 2016
Updated: February 2, 2017
Description: From the Red Hat bugzilla:

It was found that flex incorrectly resized the num_to_read variable in yy_get_next_buffer. The buffer is resized if this value is less or equal to zero.

With special crafted input it is possible, that the buffer is not resized if the input is larger than the default buffer size of 16k. This allows a heap buffer overflow.

It may be possible to exploit this remotely, depending on the application that is built using flex.

Alerts:
openSUSE openSUSE-SU-2016:2450-1 flex, at, libbonobo, netpbm, openslp, sgmltool, virtuoso 2016-10-04
openSUSE openSUSE-SU-2016:2378-1 Thunderbird 2016-09-25
openSUSE openSUSE-SU-2016:2254-1 thunderbird 2016-09-07
openSUSE openSUSE-SU-2016:2253-1 thunderbird 2016-09-07
Debian DSA-3653-2 flex 2016-09-04
SUSE SUSE-SU-2016:2195-1 firefox 2016-08-30
openSUSE openSUSE-SU-2016:2182-1 firefox, nss 2016-08-29
openSUSE openSUSE-SU-2016:2167-1 Firefox 2016-08-27
Debian DSA-3653-1 flex 2016-08-25
SUSE SUSE-SU-2016:2131-1 MozillaFirefox 2016-08-22
SUSE SUSE-SU-2016:2061-1 firefox, nspr, nss 2016-08-12
Fedora FEDORA-2016-c9ad9582f7 flex 2016-08-08
openSUSE openSUSE-SU-2017:0356-1 seamonkey 2017-02-02
Gentoo 201701-31 flex 2017-01-11
Fedora FEDORA-2016-8d79ade826 flex 2016-12-10
Mageia MGASA-2016-0396 flex 2016-11-23


fontconfig: privilege escalation

Package(s): fontconfig
CVE #(s): CVE-2016-5384
Created: August 9, 2016
Updated: December 15, 2016
Description: From the Debian advisory:

Tobias Stoeckmann discovered that cache files are insufficiently validated in fontconfig, a generic font configuration library. An attacker can trigger arbitrary free() calls, which in turn allows double free attacks and therefore arbitrary code execution. In combination with setuid binaries using crafted cache files, this could allow privilege escalation.

Alerts:
Oracle ELSA-2016-2601 fontconfig 2016-11-10
Red Hat RHSA-2016:2601-02 fontconfig 2016-11-03
openSUSE openSUSE-SU-2016:2272-1 fontconfig 2016-09-09
Mageia MGASA-2016-0287 fontconfig 2016-08-31
Ubuntu USN-3063-1 fontconfig 2016-08-17
Fedora FEDORA-2016-6802f2e52a fontconfig 2016-08-18
Debian-LTS DLA-587-1 fontconfig 2016-08-09
Fedora FEDORA-2016-e23ab56ce3 fontconfig 2016-08-08
Debian DSA-3644-1 fontconfig 2016-08-08
Scientific Linux SLSA-2016:2601-2 fontconfig 2016-12-14


glibc: denial of service

Package(s): glibc
CVE #(s): CVE-2016-5417
Created: August 8, 2016
Updated: August 10, 2016
Description: From the Arch Linux advisory:

The sockaddr_in6 allocated in resolv/res_init.c:317 is not freed, leaking 28 bytes per thread using the resolver (according to valgrind). The leak is triggered if name resolution functions are called in such a way that internal resolver data structures are only initialized partially. This issue may ultimately lead to denial of service by leaking extensive amounts of memory.

Alerts:
Arch Linux ASA-201608-7 lib32-glibc 2016-08-08
Arch Linux ASA-201608-6 glibc 2016-08-08


hawk2: clickjacking prevention

Package(s): hawk2
CVE #(s):
Created: August 4, 2016
Updated: August 12, 2016
Description: From the SUSE advisory:

To prevent Clickjacking attacks, set Content-Security-Policy to frame-ancestors 'self' (bsc#984619)

Alerts:
openSUSE openSUSE-SU-2016:2028-1 hawk2 2016-08-11
SUSE SUSE-SU-2016:1946-1 hawk2 2016-08-03


kernel: denial of service

Package(s): kernel
CVE #(s): CVE-2015-8019
Created: August 5, 2016
Updated: August 10, 2016
Description:

From the SUSE advisory:

The skb_copy_and_csum_datagram_iovec function in net/core/datagram.c in the Linux kernel did not accept a length argument, which allowed local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a write system call followed by a recvmsg system call.

Alerts:
SUSE SUSE-SU-2016:1961-1 kernel 2016-08-04


kernel: two vulnerabilities

Package(s): kernel
CVE #(s): CVE-2016-6136 CVE-2016-5400
Created: August 9, 2016
Updated: August 10, 2016
Description: From the CVE entries:

Race condition in the audit_log_single_execve_arg function in kernel/auditsc.c in the Linux kernel through 4.7 allows local users to bypass intended character-set restrictions or disrupt system-call auditing by changing a certain string, aka a "double fetch" vulnerability. (CVE-2016-6136)

Memory leak in the airspy_probe function in drivers/media/usb/airspy/airspy.c in the airspy USB driver in the Linux kernel before 4.7 allows local users to cause a denial of service (memory consumption) via a crafted USB device that emulates many VFL_TYPE_SDR or VFL_TYPE_SUBDEV devices and performs many connect and disconnect operations. (CVE-2016-5400)

Alerts:
Oracle ELSA-2016-2574 kernel 2016-11-10
Mageia MGASA-2016-0364 kernel-tmb 2016-11-04
Red Hat RHSA-2016:2584-02 kernel-rt 2016-11-03
Red Hat RHSA-2016:2574-02 kernel 2016-11-03
Mageia MGASA-2016-0345 kernel 2016-10-18
Ubuntu USN-3097-2 linux-ti-omap4 2016-10-13
Ubuntu USN-3098-2 linux-lts-trusty 2016-10-10
Ubuntu USN-3097-1 kernel 2016-10-10
Ubuntu USN-3098-1 kernel 2016-10-10
Ubuntu USN-3084-4 linux-snapdragon 2016-09-19
Ubuntu USN-3084-3 linux-raspi2 2016-09-19
Ubuntu USN-3084-2 linux-lts-xenial 2016-09-19
Ubuntu USN-3084-1 kernel 2016-09-19
Debian-LTS DLA-609-1 kernel 2016-09-03
Debian DSA-3659-1 kernel 2016-09-04
Ubuntu USN-3070-3 linux-snapdragon 2016-08-30
Ubuntu USN-3070-2 linux-raspi2 2016-08-30
Ubuntu USN-3070-4 linux-lts-xenial 2016-08-30
Ubuntu USN-3070-1 kernel 2016-08-29
Fedora FEDORA-2016-754e4768d8 kernel 2016-08-08
Fedora FEDORA-2016-30e3636e79 kernel 2016-08-08
Scientific Linux SLSA-2016:2574-2 kernel 2016-12-14
Oracle ELSA-2016-3646 kernel 2.6.39 2016-11-21
Oracle ELSA-2016-3645 kernel 3.8.13 2016-11-21
Oracle ELSA-2016-3644 kernel 4.1.12 2016-11-21


libreoffice: code execution

Package(s): libreoffice
CVE #(s): CVE-2016-1513
Created: August 5, 2016
Updated: August 10, 2016
Description:

From the Ubuntu advisory:

Yves Younan and Richard Johnson discovered that LibreOffice incorrectly handled presentation files. If a user were tricked into opening a specially crafted presentation file, a remote attacker could cause LibreOffice to crash, and possibly execute arbitrary code.

Alerts:
Debian-LTS DLA-591-1 libreoffice 2016-08-09
Ubuntu USN-3046-1 libreoffice 2016-08-04


minimatch: denial of service

Package(s): nodejs010-nodejs-minimatch
CVE #(s): CVE-2016-1000023
Created: August 9, 2016
Updated: August 12, 2016
Description: From the Red Hat advisory:

A regular expression denial of service flaw was found in Minimatch. An attacker able to make an application using Minimatch to perform matching using a specially crafted glob pattern could cause the application to consume an excessive amount of CPU. (CVE-2016-1000023)

Alerts:
Red Hat RHSA-2016:1605-01 Red Hat OpenShift Enterprise 2016-08-11
Red Hat RHSA-2016:1583-01 rh-nodejs4-nodejs-minimatch 2016-08-09
Red Hat RHSA-2016:1582-01 nodejs010-nodejs-minimatch 2016-08-09


mongodb: two vulnerabilities

Package(s): mongodb
CVE #(s): CVE-2016-6494
Created: August 8, 2016
Updated: October 7, 2016
Description: From the Debian LTS advisory:

CVE-2016-6494: World-readable .dbshell history file

TEMP-0833087-C5410D: Bruteforcable challenge responses in unprotected logfile

Alerts:
Fedora FEDORA-2016-89060100d7 mongodb 2016-10-06
Fedora FEDORA-2016-4cedbd4308 mongodb 2016-10-03
Debian-LTS DLA-588-2 mongodb 2016-08-09
Debian-LTS DLA-588-1 mongodb 2016-08-08


mupdf: denial of service

Package(s): mupdf
CVE #(s): CVE-2016-6525
Created: August 8, 2016
Updated: August 31, 2016
Description: From the Debian LTS advisory:

A flaw was discovered in the pdf_load_mesh_params() function allowing out-of-bounds write access to memory locations. With carefully crafted input, that could trigger a heap overflow, resulting in application crash or possibly having other unspecified impact.

Alerts:
Gentoo 201702-12 mupdf 2017-02-19
Mageia MGASA-2016-0286 mupdf 2016-08-31
Arch Linux ASA-201608-22 mupdf 2016-08-31
Debian DSA-3655-1 mupdf 2016-08-26
Debian-LTS DLA-589-1 mupdf 2016-08-08


nodejs-tough-cookie: denial of service

Package(s): nodejs-tough-cookie
CVE #(s):
Created: August 9, 2016
Updated: October 3, 2016
Description: From the Node security advisory:

Versions 0.9.7 through 2.2.2 contain a vulnerable regular expression that, under certain conditions involving long strings of semicolons in the "Set-Cookie" header, causes the event loop to block for excessive amounts of time.

Alerts:
Fedora FEDORA-2016-286a8ec5b0 nodejs-tough-cookie 2016-10-01
Fedora FEDORA-2016-c0fd203d6e nodejs-tough-cookie 2016-08-09


openntpd/busybox: denial of service

Package(s): openntpd busybox
CVE #(s): CVE-2016-6301
Created: August 9, 2016
Updated: January 2, 2017
Description: From the Mageia advisory:

The busybox NTP implementation doesn't check the NTP mode of packets received on the server port and responds to any packet with the right size. This includes responses from another NTP server. An attacker can send a packet with a spoofed source address in order to create an infinite loop of responses between two busybox NTP servers. Adding more packets to the loop increases the traffic between the servers until one of them has a fully loaded CPU and/or network.

Alerts:
Mageia MGASA-2016-0277 openntpd/busybox 2016-08-09
Gentoo 201701-05 busybox 2017-01-01


openssh: denial of service

Package(s): openssh
CVE #(s): CVE-2016-6515
Created: August 10, 2016
Updated: August 15, 2016
Description: From the CVE entry:

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.

Alerts:
openSUSE openSUSE-SU-2016:2339-1 openssh 2016-09-19
Mageia MGASA-2016-0280 openssh 2016-08-31
Ubuntu USN-3061-1 openssh 2016-08-15
Debian-LTS DLA-594-1 openssh 2016-08-12
Fedora FEDORA-2016-4a3debc3a6 openssh 2016-08-10


pbuilder: file overwrite

Package(s): pbuilder
CVE #(s):
Created: August 4, 2016
Updated: August 10, 2016
Description: Due to a problem with the "eatmydata" option for pbuilder, files that should not be overwritten can be. More information is available in the bugs.debian.org entry.

Alerts:
Fedora FEDORA-2016-2e20730676 pbuilder 2016-08-04
Fedora FEDORA-2016-bdb86fbc7d pbuilder 2016-08-03


pdns: denial of service

Package(s): pdns
CVE #(s): CVE-2016-6172
Created: August 9, 2016
Updated: September 12, 2016
Description: From the Red Hat bugzilla:

It was found that PowerDNS does not implement reasonable restrictions for zone sizes. This allows an explicitly configured primary DNS server for a zone to crash a secondary DNS server, affecting service of other zones hosted on the same secondary server.

Alerts:
Mageia MGASA-2016-0324 pdns 2016-09-28
Debian-LTS DLA-627-1 pdns 2016-09-18
Debian DSA-3664-1 pdns 2016-09-10
openSUSE openSUSE-SU-2016:2116-1 pdns 2016-08-19
Fedora FEDORA-2016-7098bdc536 pdns 2016-08-08


python-autobahn: insecure origin validation

Package(s): python-autobahn
CVE #(s):
Created: August 5, 2016
Updated: August 10, 2016
Description:

From the Red Hat bug report:

Autobahn|Python incorrectly checks the Origin header when the 'allowedOrigins' value is set. This can allow third parties to execute legitimate requests for WAMP WebSocket requests against an Autobahn|Python/Crossbar.io server within another browser's context.

Alerts:
Fedora FEDORA-2016-acda4281c9 python-autobahn 2016-08-04


squid: code execution

Package(s): squid
CVE #(s): CVE-2016-5408
Created: August 4, 2016
Updated: August 10, 2016
Description: From the Red Hat advisory:

It was found that the fix for CVE-2016-4051 released via RHSA-2016:1138 did not properly prevent the stack overflow in the munge_other_line() function. A remote attacker could send specially crafted data to the Squid proxy, which would exploit the cachemgr CGI utility, possibly triggering execution of arbitrary code. (CVE-2016-5408)

Alerts:
Oracle ELSA-2016-1573 squid 2016-08-04
Scientific Linux SLSA-2016:1573-1 squid 2016-08-04
CentOS CESA-2016:1573 squid 2016-08-04
Red Hat RHSA-2016:1573-01 squid 2016-08-04


stunnel: two vulnerabilities

Package(s): stunnel
CVE #(s):
Created: August 8, 2016
Updated: August 10, 2016
Description: From the Slackware advisory:

patches/packages/stunnel-5.35-i586-1_slack14.2.txz: Upgraded.

Fixes security issues:

Fixed malfunctioning "verify = 4".

Fixed incorrectly enforced client certificate requests.

Alerts:
Slackware SSA:2016-219-04 stunnel 2016-08-06


wireshark: denial of service

Package(s): wireshark
CVE #(s): CVE-2016-6504
Created: August 8, 2016
Updated: August 10, 2016
Description: From the openSUSE bugzilla:

It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file. Affects 1.12.0 to 1.12.12, fixed in 1.12.13.

Alerts:
Debian-LTS DLA-595-1 wireshark 2016-08-15
Debian DSA-3648-1 wireshark 2016-08-12
openSUSE openSUSE-SU-2016:1974-1 wireshark 2016-08-06


wireshark: denial of service

Package(s): wireshark
CVE #(s): CVE-2016-6512 CVE-2016-6513
Created: August 9, 2016
Updated: August 10, 2016
Description: From the Wireshark advisories:

wnpa-sec-2016-48: The MMSE, WAP, WBXML, and WSP dissectors could go into an infinite loop. Discovered by Antti Levomäki. It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file. (CVE-2016-6512)

wnpa-sec-2016-49: The WBXML dissector could crash. Discovered by Antti Levomäki. It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file. (CVE-2016-6513)

See the oss-security CVE assignment for further information.

Alerts:
Arch Linux ASA-201608-20 wireshark-cli 2016-08-27
Mageia MGASA-2016-0275 wireshark 2016-08-03


xen: denial of service

Package(s): xen
CVE #(s): CVE-2016-6259
Created: August 8, 2016
Updated: August 10, 2016
Description: From the Red Hat bugzilla:

Supervisor Mode Access Prevention is a hardware feature designed to make an Operating System more robust, by raising a pagefault rather than accidentally following a pointer into userspace. However, legitimate accesses into userspace require whitelisting, and the exception delivery mechanism for 32bit PV guests wasn't whitelisted.

A malicious 32-bit PV guest kernel can trigger a safety check, crashing the hypervisor and causing a denial of service to other VMs on the host.

Alerts:
openSUSE openSUSE-SU-2016:2494-1 xen 2016-10-11
SUSE SUSE-SU-2016:2473-1 xen 2016-10-07
SUSE SUSE-SU-2016:2093-1 xen 2016-08-17
Fedora FEDORA-2016-0049aa6e5d xen 2016-08-08
Fedora FEDORA-2016-01cc766201 xen 2016-08-05
Mageia MGASA-2017-0012 xen 2017-01-09


Page editor: Jake Edge


Copyright © 2016, Eklektix, Inc.