2020-029- Brad Spengler, Linux kernel security in the past 10 years, software dev practices in Linux, WISP.org PSA
Length:
66 minutes
Released:
Jul 31, 2020
Format:
Podcast episode
Description
WISP.org PSA at 35m56s - 37m19s

Agenda:
Bio/background
Why are you here (topic discussion)
What is the Linux Security Summit North America
https://grsecurity.net/

Questions from the meeting invite:
- This only affects people who want to use a custom kernel, correct? This doesn't affect you if you are running bog-standard Linux (Debian, Gentoo, Ubuntu), right?
- What options do people have in cloud environments?
- Does the use of microservices make grsecurity less worthwhile?
- You mentioned ARM64 processors in your first slide as making significant security functionality strides. With Apple and Microsoft going to ARM-based processors, what are some things you feel need to be added to the kernel to shore up Linux for ARM, since some purists enjoy an Apple device with Linux on it?

Links:
https://www.youtube.com/watch?v=F_Kza6fdkSU - YouTube video
https://grsecurity.net/10_years_of_linux_security.pdf - PDF slides
https://lwn.net/Articles/569635/ - definition of KASLR

LTS kernels moved from 2 years to 6 years - why? 6 years is pretty much "FOREVER" in software development. Patches get harder to backport, or worse, could introduce new vulnerabilities.
Project Treble: https://www.computerworld.com/article/3306443/what-is-project-treble-android-upgrade-fix-explained.html
LTSI: https://ltsi.linuxfoundation.org/
4.4 XLTS is available until Feb 2022 - if fixes and all bugs haven't been backported (1,250 security fixes aren't in the latest stable 4.4 kernel)
What are the "safe" kernels?
Has anything changed since the presentation you gave earlier in July 2020?

Syzkaller
Let's discuss slide 27 (what are those terms?)
"Is it improving code quality, or is it making people lazier and more reliant on a tool to check code?"
Slide 29 audio: you mention that you use Syzkaller... why do you use it?

Exploitation trends
Attackers still don't care about whether a vulnerability has a CVE assigned or not.
Don't many vulnerabilities require some work to get to the kernel? And why should they work to get to the kernel?
https://www.bleepingcomputer.com/news/security/rewards-of-up-to-500-000-offered-for-freebsd-openbsd-netbsd-linux-zero-days/ - $500K if the kernel vuln affects major distros (CentOS, Ubuntu)
https://resources.whitesourcesoftware.com/blog-whitesource/top-10-linux-kernel-vulnerabilities
Why is the Zerodium payout for kernel vulns lower than for application vulns?
Would it be fair to say that getting root/persistence is all that matters and you don't need to worry about the kernel to do so?
Many of the new security features are protecting against bad programming practices? So by adding all these things, who are you securing systems against? Bad actors, or devs who employ poor coding measures?
Why do you think we see lower adoption rates of security?

Problem solving: Halvar Flake: http://addxorrol.blogspot.com/2020/03/before-you-ship-security-mitigation.html

If we have time... Threat models in a kernel
Where do they go in the development lifecycle?
If kernel dev is an open environment, what precipitates the need for a kernel mitigation threat model?
Is there an example somewhere that we can see? What is the format? Methodology?

Do you think static code analysis of the kernel is worthwhile at all?

Absolutely! We do a lot of it, including via the analysis resulting from compiling with LLVM, as well as via specific static analysis GCC plugins of our own.

OK, what about the large amount of false positives the analyzers generate? Do you get around that with your custom plugins? Also, do you use the analyzers included with Clang and GCC v.10 or 3rd-party products?

That's usually a property of the analysis itself -- some can have large false positive issues, others not. Ideally we try to limit that for the plugins we write (we just recently added one helpful for some kind of NULL ptr dereferences this week). My understanding is the public now also has access to the Coverity reports for the kernel? As far as GCC versions, yes we te