Last week, Google Project Zero criticized Ubuntu and Debian developers for not merging kernel security fixes quickly enough, leaving users exposed in the meantime. The kernel community responded yesterday, explaining how it is working to reduce and contain bugs across the Linux ecosystem through testing and kernel hardening.
They acknowledge that the kernel community cannot eliminate bugs outright, since bugs are part and parcel of software development, so the focus is on testing to find them. The kernel community now has a security team made up of kernel developers who are well versed in the kernel's core subsystems. Linux kernel developer Greg Kroah-Hartman said: “A bug is a bug. We don’t know if a bug is a security bug or not. There is a famous bug that I fixed and then three years later Red Hat realized it was a security hole.”
In addition to fixing bugs, the kernel community is contributing hardening features to the kernel. Kernel hardening adds kernel-level security mechanisms that make the bugs which inevitably remain harder to exploit. Linux kernel developer Kees Cook and others have put huge effort into taking hardening features that traditionally lived outside the mainline kernel and merging them into it.
Cook publishes a summary of the hardening features added with every kernel release. Hardening the kernel is not enough on its own: the new features only help if they are enabled when a kernel is configured and built, and that is often not happening.
A new stable kernel release appears roughly every week on the official kernel website, kernel.org. Companies then pick one to support for a longer period so that device manufacturers can build on it.
However, Kroah-Hartman observed that, barring the Google Pixel, most Android phones do not ship with the additional hardening features enabled, leaving those phones needlessly exposed. He added that companies should enable these features.
Kroah-Hartman stated: “I went out and bought all the top of the line phones based on kernel 4.4 to see which one actually updated. I found only one company that updated their kernel,” he said. “I’m working through the whole supply chain trying to solve that problem because it’s a tough problem. There are many different groups involved — the SoC manufacturers, the carriers, and so on. The point is that they have to push the kernel that we create out to people.”
By contrast, the big enterprise vendors such as Red Hat and SUSE keep their kernels updated, and those kernels ship with these hardening features.
The kernel community is also working with Intel to mitigate the Meltdown and Spectre attacks. Intel changed how it works with the kernel community after those vulnerabilities were discovered. The bright side is that the response to the Intel vulnerabilities showed the process is improving for the kernel community: more testing is being done, patches are being produced, and effort is going into making the kernel as bug-free as possible.
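The two checks a practitioner would actually run after reading the paragraphs above on hardening features and on the Meltdown/Spectre mitigations, as an added example that is not code from the article, from Kroah-Hartman or Cook, or from the kernel project: does the kernel I am running have the hardening options built in, and does it report the CPU vulnerabilities as mitigated? The list of Kconfig options is an assumed sample of well-known hardening knobs (names vary between kernel versions, so extend it for your own baseline), and the sample config files and vulnerability directory are constructed inline so the script runs offline. On a live system, point `check_config` at `/boot/config-$(uname -r)` (or a file produced by `zcat /proc/config.gz`) and `report_vulns` at `/sys/devices/system/cpu/vulnerabilities`.

```shell
#!/bin/sh
# Audit a kernel for (1) a set of hardening options in its build config and
# (2) the per-vulnerability mitigation status the kernel exports in sysfs.
# Added example; not from the article or the kernel project.

# Assumed sample of hardening options expected to be "=y" (not exhaustive,
# and some names only exist on newer kernels).
HARDENING_OPTS="CONFIG_HARDENED_USERCOPY CONFIG_STACKPROTECTOR_STRONG \
CONFIG_FORTIFY_SOURCE CONFIG_RANDOMIZE_BASE CONFIG_STRICT_KERNEL_RWX \
CONFIG_SLAB_FREELIST_RANDOM CONFIG_INIT_ON_ALLOC_DEFAULT_ON"

# check_config FILE: print every option from HARDENING_OPTS that is not
# set to =y in FILE, one per line. Returns 0 if all are enabled, 1 otherwise.
check_config() {
    cfg="$1"
    missing=0
    for opt in $HARDENING_OPTS; do
        if ! grep -q "^${opt}=y$" "$cfg"; then
            echo "$opt"
            missing=1
        fi
    done
    return $missing
}

# report_vulns DIR: summarise the status files found in DIR (on a live
# system, /sys/devices/system/cpu/vulnerabilities). Prints "<name>: VERDICT"
# per file and returns 1 if any entry starts with "Vulnerable".
report_vulns() {
    dir="$1"
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected") verdict=NOT_AFFECTED ;;
            Vulnerable*)    verdict=VULNERABLE; bad=1 ;;
            Mitigation:*)   verdict=MITIGATED ;;
            *)              verdict=UNKNOWN ;;
        esac
        echo "$name: $verdict"
    done
    return $bad
}

# Constructed sample inputs so the script runs offline (hypothetical data).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/config-hardened" <<'EOF'
CONFIG_HARDENED_USERCOPY=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
EOF
cat > "$TMP/config-weak" <<'EOF'
# CONFIG_HARDENED_USERCOPY is not set
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_SLAB_FREELIST_RANDOM is not set
# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
EOF
mkdir -p "$TMP/vulns"
printf 'Mitigation: PTI\n' > "$TMP/vulns/meltdown"
printf 'Vulnerable\n' > "$TMP/vulns/spectre_v2"
printf 'Not affected\n' > "$TMP/vulns/l1tf"

echo "== hardening options missing from config-weak =="
check_config "$TMP/config-weak" || echo "(kernel built without some hardening)"
echo "== CPU vulnerability status from sample sysfs directory =="
report_vulns "$TMP/vulns" || echo "(at least one vulnerability unmitigated)"
```

A kernel that passes `check_config` but reports `VULNERABLE` for Meltdown or Spectre is still exposed: the config options are compile-time choices, while the sysfs files reflect what the running kernel and microcode actually applied, so both checks belong in a device baseline.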
To learn more, visit the Linux Blog.