[Ksummit-2013-discuss] Topic Proposal: Handling Security Issues in the kernel

Wed Aug 14 14:16:46 UTC 2013

On Tue, Aug 13, 2013 at 10:39:13AM -0700, Greg Kroah-Hartman wrote:
 > On Tue, Aug 13, 2013 at 09:37:29AM -0700, Andy Lutomirski wrote:
 > > > What's missing is an upstream accounting of commit ID that introduces
 > > > a problem along with commit IDs that fix it. This can be cobbled
 > > > together by the Mitre reports, but usually requires knowledge of the
 > > > kernel area itself and some historical perspective. As yet, no one has
 > > > stepped up to do this for the upstream kernels. (Distros do this on
 > > > their own, generally.)
 > > 
 > > This is actually causing another sort of problem: some security people
 > > are annoyed [1], and that's hindering reporting of new issues.  (I'm
 > > not going to comment on whether this is the right response by the
 > > researchers, but it's certainly a problem for me right now.)
 > 
 > Brad has been "annoyed" for years, don't take it personally, I don't
 > think there's much anyone can do, as we have tried to work with him, and
 > others, for a long time without much success.

Personality issues aside, some people (notably Kees, and myself to some extent)
have had useful interactions with him, and in many cases he has highlighted
problems that we've had for a long time that no-one else has fallen upon.

How many times has it taken him writing an exploit to get traction on an issue?

Instead of writing him off as "someone we can't work with", he should be a
wake-up call that we're really sucking at certain parts of our process.

.. and for those that do consider him a dick to work with, ponder this:
Which is better: him being a dick and highlighting an exploit, or having
an issue that's been known about in bug databases like coverity[*] for two years
under the eyesight of people who have never contributed a single patch to
the kernel, who have a vested interest in exploits remaining unfound ?

It's disturbing to me that there are almost as many addresses from people like
Lockheed Martin, Raytheon Missile, various govt agencies from various countries
with access to the coverity db as there are people who actually have contributed
something to the kernel in the past. (The mix is even more skewed when you
factor in other non-contrib companies like anti-virus vendors).

There's a whole industry of buying/selling vulnerabilities, and our response
is basically "oh well, we'll figure it out when an exploit goes public".

	Dave

[*] and yes, Coverity isn't the be-all-end-all of how we should find bugs,
    and there are false positives, but it has found very real problems, and
    the only way we get to those is by filtering through all the chaff.