Re: [Ksummit-discuss] [CORE TOPIC] dev/maintainer workflow security

All of lore.kernel.org
 help / color / mirror / Atom feed

From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Kees Cook <keescook@chromium.org>
Cc: Josh Boyer <jwboyer@fedoraproject.org>,
	Jason Cooper <jason@lakedaemon.net>,
	ksummit-discuss@lists.linuxfoundation.org
Subject: Re: [Ksummit-discuss] [CORE TOPIC] dev/maintainer workflow security
Date: Tue, 14 Jul 2015 08:47:21 +0100	[thread overview]
Message-ID: <1436860041.6901.42.camel@HansenPartnership.com> (raw)
In-Reply-To: <CAGXu5jJdmwdKw6CYwMNUCDKai0M5UrghYn1c3tTwqudLwdbO0A@mail.gmail.com>

On Mon, 2015-07-13 at 16:25 -0700, Kees Cook wrote:
> On Sat, Jul 11, 2015 at 12:31 AM, James Bottomley
> <James.Bottomley@hansenpartnership.com> wrote:
> > On Fri, 2015-07-10 at 15:08 -0700, Kees Cook wrote:
> >>   - personal security (keep commit credentials secure from theft)
> >
> > This second one is a bit of a red herring:  Assuming you did steal my
> > credentials, how would you use them without being detected?
> 
> Well, I meant it in a general sense. Whether that's your ssh key, or
> direct access to your entire network through backdoored network card
> firmware and SMM code, there are TONS of way to be owned without being
> detected. :)

Right, so there's no point having a huge lock on your front door if you
know there's a weak catch on the back one.

> > Security is not an absolute, it's a tradeoff.  The point of the tradeoff
> > is to make sure you address the significant threats while not impeding
> > the workflow too much.  If we start worrying about and addressing
> > insignificant threats, eventually you won't get on to kernel.org without
> > going through airport theatre style security.
> 
> We have one thing that a lot of other workflows don't: transparency,
> so we can examine commit histories, etc. This makes credential theft
> much less useful (which I think was your point).

No, that was part of my point: detection of forged commits via stolen
ssh credentials without compromising the laptop are easily detectable.

The other part is that security is a chain: it's only as strong as its
weakest link.  One consideration in making a chain is that you try to
have all the links be of roughly equal strength.  In security terms you
do this because security is a tradeoff: there's no point having onerous
security on one link if another is weak because people just bitch about
the pointless problems this causes.  That's precisely why security is a
tradeoff: you assess the threats and counter what you can in a way that
makes the least impact to usability.  What you should never do (unless
you're a government) is make an elaborate show of security to give a
false impression because clever people notice and real security suffers.

> >> - reactive security: bug fix workflow
> >>   - getting fixes _to end users_ (not the same as publishing to stable)
> >
> > Stable is our last point.  After that, it's up to the distros
> 
> I don't agree with this. Distros are just one consumer. I think it's
> worth examining how real-world devices end up running Linux. Telcos
> pushing kernel updates, for example, jumps to mind. I think it's a
> weak stance to say "well, they should update to the latest kernel". Is
> it a failing of our community that it's so much work for these vendors
> to update kernels? Is offering an LTS "good enough", or can we do
> more? It's Linux's name that gets smeared by vendors who are terrible
> at updating kernels. :(

While security fixes (and the kernel security list) aren't transparent,
I don't really see what else we can do.  Stable is our last best effort
before it gets handed off, unless you have another proposal?

> >>   - documenting impact when known (avoiding intentional obfuscation)
> >> - proactive security: stop security flaws from happening in the first place
> >>   - scope analysis (defending both userspace and kernel from attack)
> >>   - threat analysis (how are attacks being made now and in future?)
> >>   - exposure analysis (syscall interface, device firmware, etc)
> >>   - static checkers (find and eliminate bug classes in the code)
> >>   - run-time mitigation features (endless list: memory protection, CFI,
> >>     ASLR, anti-bruteforcing, etc)
> >
> > Perhaps the question here is would we be interested in making use of the
> > core infrastructure initiative to give us a security analysis of parts
> > of the kernel (and if so, which parts).
> 
> I actually think the issue is body count. We have a lot of tools
> already. We have coverity, for example, but it needs full-time work
> (by a few people, I think) to trim false-positives, improve rules, and
> extract the real bugs. Which companies are paying people to do this
> full-time? Our numbers aren't improving much in this area. We've
> actually been getting smaller... Dave Jones, come back, we all still
> love Trinity! :)

So you seem to be implying this is a funding problem?  We could easily
apply to the CII for a full time position if that's the case (and we
have a good job description).

James

next prev parent reply	other threads:[~2015-07-14  7:47 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-07-10 14:38 [Ksummit-discuss] [CORE TOPIC] dev/maintainer workflow security Jason Cooper
2015-07-10 15:50 ` Josh Boyer
2015-07-10 16:23   ` Theodore Ts'o
2015-07-10 19:45     ` Steven Rostedt
2015-07-10 20:34       ` Olof Johansson
2015-07-11  1:19         ` Jason Cooper
2015-07-10 22:08     ` Kees Cook
2015-07-11  1:48       ` Jason Cooper
2015-07-11  7:31       ` James Bottomley
2015-07-11 16:02         ` Jason Cooper
2015-07-11 16:38           ` Theodore Ts'o
2015-07-13 23:15             ` Kees Cook
2015-07-13  8:32         ` Jiri Kosina
2015-07-13 14:07           ` Konstantin Ryabitsev
2015-07-13 15:39             ` James Bottomley
2015-07-13 16:02               ` Mark Brown
2015-07-13 16:05               ` Konstantin Ryabitsev
2015-07-13 16:14                 ` James Bottomley
2015-07-13 18:22                   ` Theodore Ts'o
2015-07-13 16:46                 ` Geert Uytterhoeven
2015-07-13 17:12                   ` josh
2015-07-13 19:37                 ` Jiri Kosina
2015-07-15 18:42           ` Steven Rostedt
2015-07-13 23:25         ` Kees Cook
2015-07-14  7:47           ` James Bottomley [this message]
2015-07-14 16:20             ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1436860041.6901.42.camel@HansenPartnership.com \
    --to=james.bottomley@hansenpartnership.com \
    --cc=jason@lakedaemon.net \
    --cc=jwboyer@fedoraproject.org \
    --cc=keescook@chromium.org \
    --cc=ksummit-discuss@lists.linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.