(forw) [conspire] Huge Nov. 5th Washington Post article on Linux security

10 Nov 2015

      (Original at
http://linuxmafia.com/pipermail/conspire/2015-November/008218.html .)

Hey, Sam Varghese, would you like a posting on what you got wrong in
your article 'Linux security: circling the wagons'?  It's a good piece,
with only minimal sensationalism, excusable on grounds of a need for
adding some zing.  But there are things you kind of blew and
mischaracterised, including utterly missing the point and tenor of Jon
Corbet's reference to the 1999 Mindcraft affair.

You're still among my favourites, though, my good man!

----- Forwarded message from Rick Moen <rick@linuxmafia.com> -----

Date: Mon, 9 Nov 2015 18:36:21 -0800
From: Rick Moen <rick@linuxmafia.com>
To: conspire@linuxmafia.com
Subject: [conspire] Huge Nov. 5th Washington Post article on Linux security
Organization: If you lived here, you'd be $HOME already.

Four days ago, one Craig Timberg published a very, very long article in
the _Washington Post_:  'The Kernel of the Argument:  Fast, flexible,
and free, Linux is taking over the online world.  But there is growing
unease about security weaknesses.'

http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-k...

It's gotten a lot of notice, including quite a bit of deserved sarcasm,
starting with the awkward reference to 'kernel' and photo of Torvalds at
the top, even though the piece is almost entirely _not_ about the Linux
kernel.  The blunder is obvious and an easy target, but quite possibly
not even mostly of Timberg's making:  At most publications, article
authors have little or no input into the choice of title and
presentation.  OTOH, Timberg _is_ guilty throughout the piece of being
aware of 'Linux' as a kernel differing from 'Linux' as hundreds of
different suites (distros) of the kernel plus thousands of userspace
codebases, many of the latter cross-platform, and nonetheless blurring
the distinction.

This is important because if, say, you speak of a flaw on BIND9 or
Apache httpd as a problem with 'Linux', you are being either clueless or
dishonest or both unless you call it a problem with 'Linux, Windows,
MacOS, and everywhere else these programs run'.  Also, blaming the
kernel for failing to prevent the flaws in badly written userspace 
applications is a serious failure of perspective unless carefully
explained.

To jump ahead for a moment, yes, this is one of the many things Timberg
screws up -- especially the latter bit.

Herewith, a brief effort to sort out the wheat from the chaff, and
comment on both.  (I don't promise I won't cut short and bail, or 
at least switch to doing this in installments, for reasons that will be
apparent if you note the length and discursiveness of Timberg's piece.)

   critics warn that [Linux] has security weaknesses that could be
   fixed but haven't been

So nu?  This is true of every codebase ever written.  Is Timberg
ghostwriting some insider or insiders' peeve?  Next paragraph:

  Worse, as Internet security has surged as a subject of international
  concern, Torvalds has engaged in an occasionally profane standoff with
  experts on the subject. 

Torvalds has had occasionally profane standoffs with just about everyone
occasionally, but in this case I'm guessing that the people Timberg is
ghostwriting for are mainly the maintainers of the PaX and grsecurity 
out-of-tree security patchsets.

I'll mention in advance that I'm -- mostly -- a big fan of those
patchsets and the three people who maintain them.  (To my distress,
starting Sept. 2015, stable patchsets of grsecurity are available only
to paid customers and sponsors:  https://grsecurity.net/announce.php )

https://pax.grsecurity.net/  https://en.wikipedia.org/wiki/PaX
http://grsecurity.net/       https://en.wikipedia.org/wiki/Grsecurity

One cynic's take on this who article might be that it's all about
PaX Team / grsecurity people's sudden attempt to monetise their work.
Hmmm....

There is a history of Torvalds and other core kernel coders having a
difficult relationship with some dedicated security people, including
the PaX and grsecurity teams.  The latter tend to (IMO, justifiably) 
inflame this relationship by questioning the kernel's community's
handling of security bugs and the accuracy of the kernel's documentation
about security problems.  Torvalds has often expressed the view that
dedicated security people are oddballs, and he doesn't think the same
way, or want to.

And, seven short paragraphs in, Timberg switches without comment from
speaking of Linux as a kernel to Linux as an operating system.  Even
though he was talking a paragraph before about the problem being 'Linus
doesn't take security seriously', now it's:

  The rift between Torvalds and security experts is a particular source
  of worry for those who see Linux becoming the dominant operating system
  at a time when technology is blurring the borders between the online 
  and offline worlds....

Eh?  Why are the rift between Torvalds and _certain_ security experts
of concern outside the kernel?  But I need to ignore Timberg doing this,
or I'd be stuck on it for a long time.  Suffice it to say, he does this
sort of thing throughout.  Moving along:

   Even without a potential nuclear disaster, the stakes are high.
   Operating system kernels are the most essential code on any computer,
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   allowing hardware to work smoothly with multiple pieces of software.

Meaningless gibberish.  

   Now, consider this: The Linux kernel runs on the New York Stock
   Exchange, every Android smartphone and nearly all of the world’s
   supercomputers. Much of the rapidly expanding universe of connected
   devices uses Linux, as do many of the world’s biggest companies,
   including Google, Facebook and Amazon.com.

Since the only thing all those uses have in common is specifically
the _kernel_ (e.g., Android uses its own libc, and even the kernel
is pretty seriously non-standard), the rest of the piece should be 
about the kernel, right?  It's not.

Timberg has a long digression where he chides Torvalds's habit of ranting
online at any kernel regular whose kernel patch breaks userspace.
Timberg's point, the connection to kernel security, was unclear until we
reach this bit:  

  The effect of Torvalds's approach to managing the kernel -- defensive,
  gradualist, sometimes cranky -- chilled debate about the security of
  Linux even as it became a bigger, richer target for hackers.  The
  result, critics argue, is that while Linux in its early days was widely
  considered a safer choice than Windows or other commercial operating
  systems, the edge has dwindled and perhaps disappeared.

Excuse me, but Torvalds yelling at his immediate kernel-maintenance 
lieutenants over patches that break userspace has 'chilled debate about
the security of Linux'?  Such total bullshit.  Someone, e.g., perhaps
a PaX team member, has fed Timberg a passive-aggressive line and he fell
for it.  No, Torvalds yelling at his trusted lieutenants for breaking
userspace has _not_ chilled debate about the security of the Linux
kernel.  E.g., the PaX and grsecurity maintainers cheerfully state their
views on the Linux kernel mailing list without reservation, and they 
don't even get yelled at for doing so.

The grsecurity and PaX patchsets have never had a prayer of a chance of
being merged into mainline kernels.  And why is that?  Because they
change kernel semantics and break some things.  As usual, tightening
security has serious costs.  Also, the patchsets can be applied cleanly
and functionally to only _certain_ kernel releases.

This addresses, in part, the enduring rift between the core kernel team
(not, as Timberg would suggest, just Torvalds) and dedicated security
people:  The core kernel team feel that the security people are 'crazy'
in the sense of having little appreciation of the many interests that
an OS kernel must serve and the style of governance required for a
rapidly changing codebase.  Torvalds and Co., with total justification, 
feel that if they ran the kernel the way the security people wished they
would, progress would slow to a snail's pace, and a lot of functionality
would simply break.

You can already have a kernel with painfully careful attention to
security.  It also has a glacial development process, abysmal scope of
supported hardware, and regrettably bad performance.  It's called
OpenBSD.

What Timberg _could_ have reasonably said about 'debate about the
security of Linux' is not that Torvalds 'chills' it -- which is 
utter nonsense -- but rather that it tends to be frustratingly
un-fruitful because the core kernel people aren't security professionals
and lack that mindset.  Hence, the two sides of that discussion have
little meeting of the minds, and tend to talk past each other.

[Article quotes Matthew Garrett, now principal security engineer for
CoreOS, as saying that cutting edge security work hasn't been applied to
the mainline kernel, and so isn't as secure as man people would wish it
to be, and then:]

  Versions of Linux have proved vulnerable to serious bugs in recent
  years. AshleyMadison.com, the Web site that facilitates extramarital
  affairs and suffered an embarrassing data breach in July, was reportedly
  running Linux on its servers, as do many companies.

  Those problems did not involve the kernel itself, but [...]

Hey, Mr. Timberg?  What did you just do there?  The kernel hasn't had as
good a security record as it might, says Garrett, and so just look at
the compromise of AshleyMadison.com!  Except, of course, that (very,
very probably) didn't involve the kernel.  (To the best of my ability to
tell, the compromise vector used for AshleyMadison.com was never
disclosed and might not even be known.  In my experience of such cases, 
it's astronomically more likely to be some stupid administrative error,
an inside job, or bad userspace code than a kernel security problem.)  
So, what are you saying, Mr. Timberg?  He goes on:

  [...] but experts say the kernel has become a popular target for
  hackers building 'botnets,' giant networks of computers that can be
  organized to initiate cyberattacks.

And your point is what, Timberg?

By the way, as someone who's done security for a long time, the Linux
kernel is, on balance, one of the components I worry _least_ about.
And for critical systems, there are hardening kits (including PaX and,
until just recently, grsecurity).  Kernels are almost never the problem.
The problem overwhelmingly is vulnerable, badly designed, and/or
ridiculously overfeatured applications.

It should also be noted carefully that the hardening strategies
typically concentrate _mostly_ (verging on overwhelmingly) on making the
Linux kernel better protect vulnerable userspace code from successful
attacks from outside -- mitigating application exploits.  Almost none of
the work is directed at fixing kernel correctness and mitigating kernel
exploit modes.  Ironically, the only clear example of the latter I can
point to came _from a mainline kernel coder_, Andrea Anrcangeli, and is 
a kernel feature (since 2.6.12, this past March) called 'secure
computing mode' or 'seccomp'.  It is -- finally -- a totally effective
sandboxing security for application code.  See:

https://en.wikipedia.org/wiki/Seccomp

This came from the Torvalds camp.  It did _not_ come from the security
malcontents who bitched to reporter Timberg.

In the former category, protecting vulnerable application code from its
own bugs being exploitable, the kernel already does quite a bit, such as
ASLR (randomizes the physical and virtual address at which the
kernel image is decompressed) and NX (No-eXecute bit marking stretches
of memory that shouldn't be executed as not valid to be executed by the
CPU).  Though neither of these is foolproof.

By the way, support for NX is one major advantage that's come painlessly
with x86_64, and is yet another reason to lose those ancient IA32 boxen
-- though the PaX patchset makes NX work on (some?) IA32 boxes.  

Kees Cook has been starting to coordinate information about both types
of kernel-based protective techniques:
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
And for four years, there has been an active and influential
kernel-hardening mailing list:
http://www.openwall.com/lists/kernel-hardening/

Timberg stresses that Torvalds doesn't want to merge a number of such
out-of-tree security patchsets.  OK, and your point, Mr. Timberg?  Do 
you think everyone has to run a mainline kernel for security-sensitive
applications?  Because we don't.  (Users overwhelmingly don't run
kernel.org kernels _anyway_.  They run vendor kernels, which typically 
merge some non-mainline security patches but not others.)

Timberg's basic song is that kernel security could be better.  Well,
gosh, welcome to the real world, Mr. Timberg.  Security of any codebase
could always be better.  The question is cost, in time, money,
complexity, difficulty of debugging, adverse consequences on other code,
and similar things.  Security is always an economic calculation.  

Add hardening, add role-based access controls, reduce risky and unwanted
functionality, and you put a much bigger burden on users and
administrators to know what they're doing.  This is a reason why the
patchsets aren't default.  This is why even the biggest adopters of
SELinux (RHEL, Fedora) apply it only very tentatively ('targeted
policy').

Timberg quotss Kees Cook as describing the horrors of what an attacker
could do who 'gained control of the Linux kernel itself' without
bothering to say that this is like saying 'If I had wings and really low
gravity, I could fly.'

  [Grsecurity's Brad Spengler] soon demonstrated how nearly a dozen
  known Linux coding bugs could be exploited by malicious hackers to
  defeat external defenses and take control of the kernel. 

Yes?  Where?  I read LWN.net and that I seem to recall this is a serious
exaggeration.  Let's see, 2010 interview with Spengler:

'The only comments I make are on LWN (like when Ingo was spreading lies
about the perf_counter vulnerability) or in exploit headers, because
they seem to respond to that (or rather, the commercial influences care
about the media publicity generated by such things, which causes them to
improve security). It took 8(!) public exploits for null pointer
dereference bugs to be fixed as a privilege escalation vector. Granted,
after the first public exploit, mmap_min_addr was introduced some months
later, but the Linux developers who aren't really security people aren't
very good at introducing security features. mmap_min_addr has had at
least half a dozen different bypasses since its inception for such a
small, simple feature.'

https://slo-tech.com/clanki/10001en/

So, misrepresentation by Timberg (probably out of lack of comprehension)
of what Spengler showed.  Layman's explanation:
http://www.zdnet.com/article/linux-exploit-gets-around-security-barrier/

LWN.net coverage:  http://lwn.net/Articles/341773/

In short, privilege-escalation.  Privilege escalation is a Very Bad
Thing, but is not the same as 'coding bugs [that] could be exploited by
malicious hackers to defeat external defenses and take control of the
kernel'.  That is a gross exaggeration.

It should also be mentioned that Spengler's beef was primarily with Red
Hat's '2.6.18' vendor kernel (which the exploit sliced through without 
regard to SELinux), _not_ with kernel.org's tree, which had already been
patched for 11 days to fix that very problem, when he published his
exploit.  See:  http://lwn.net/Articles/341912/

   Torvalds also resisted suggestions that security deserved a special
   place in the hierarchy of concerns faced by software makers. All
   flaws, in his view, were equally serious. 

Bullshit.  This is not his view.

  This attitude was enshrined in a public posting in July 2008 that
  said: "I personally consider security bugs to be just ‘normal bugs.’ I
  don't cover them up, but I also don’t have any reason what-so-ever to
  think it's a good idea to track them and announce them as something
  special."

This is simply not the same as claiming that all flaws are equally
serious -- and Timberg either knew this when he made the claim or should
have.

  But in his recent interview with The Washington Post, Torvalds
  rejected the notion that bugs could be usefully sorted into categories.
  "I refuse to waste a second of my life -- or any other developer's life 
  -- trying to classify something that can’t be classified," he said.

Torvalds has some significant justification for his view, as Timberg
would know if he either studied security or consulted more people about
the story than just a couple of security folk with grudges.  I'm
guessing Torvalds's view is that attempting to highlight a specific class
of 'security' bugs would be futile because it's often very non-obvious 
at the time of discovery what bugs will turn out to have security
implications, and the time required to make that determination would be
better spent just fixing the bugs and moving on.  And there are decades
of history that tend (for the most part) to support Torvalds in this
view.

   Despite providing a steady supply of defensive innovations, Spengler
   did not become a popular figure within the upper reaches of the Linux
   community, where he was seen as extreme in his views and sometimes
   brittle in his manner.

Well, he is.  His comments pretty much everywhere come across as
sarcastic and bitter.

  There is no systemic mechanism for identifying and remedying problems
  [in the Linux kernel] before hackers discover them, or for 
  incorporating the latest advances in defensive technologies. And 
  there is no chief security officer for the Linux kernel.

Nor is there a Santa Claus.[1]

Chief security officers, where they exist, tend to be preplanned
scapegoats for whenever the next security catastrophe occurs.  Because,
honestly, what organisation is make the guy actually the project czar?
That just doesn't happen, so inevitably it's an advisory position
without significant decision authority -- and a scapegoat. 

  In the years since Spengler and others began warning about the
  security of Linux, it has triumphed in the marketplace. Google
  released its first version of the Android mobile operating system,
  which is based on Linux, in 2007, allowing Torvalds's work to reach
  hundreds of millions of smartphones each year. Google also made the
  kernel the basis of Chrome OS, which is used in an increasingly
  popular category of cloud-based computers called Chromebooks.

Of course, these are significantly modified _forks_ of Torvalds's work.
Now, watch for the hat-trick where Torvalds & Co. get slagged for 
not only the forked Google kernels but also for Google's notoriously lax 
userspace third-party ecosystem.  Cue it in one... two...

...Three!

  Hackers are more likely to prey upon Oracle's Java and Adobe's Flash
  and Acrobat. 

All of which are extremely deprecated in standard Linux -- because they
are security basket cases, and not safe to expose to arbitrary files on
the Internet.  (I don't know about Acrocrud on Android and ChromeOS, but
I doubt it.)

  More recently, in 2014, Linux devotees were unhappy to discover that
  an Italian surveillance company called Hacking Team had swiftly turned
  a Linux exploit known as "towelroot" into a skeleton key capable of
  gaining access to hundreds of millions of Android phones. 

Which involved Android's failure to patch a June 2014 Linux kernel bug
(CVE-2014-3153) in the futex subsystem (fast userspace mutex locking)
that could be exploited by a local process to escalate to root
privilege.  All distros already had fixed kernels out by the time
CVE-2014-3153 was published on June 5, 2014.  It was a ghastly coding
error, and a serious failure -- but the point is that standard Linux 
fixed it promptly.  

Why didn't Android?  The answer to that is easy and has everything to do
with the Google code ecosystem and nothing to do with Linux:  It
happened because the Android ecosystem has a horribly broken approach to 
code maintenance -- unlike standard Linux.  This is less Google's fault
than it is the institutional laxity built into Google's basic agreement
with the Open Hardware Alliance OEMs, in which the OEMs are in the
driver's seat and not Google.

A hardened variant of CyanogenMod (which itself is a totally open source
variant form of Android) now exists, called CopperheadOS:
https://copperhead.co/android/  I don't know whether their hardened
kernel would have evaded the rather ghastly CVE-2014-3153 bug, even
though the project boasts 'a PaX kernel, OpenBSD's hardened allocator
and compiler hardening features'.  But for damned sure, the project's 
far more likely to actively respond to serious problems than regular
Android in the field is, since the latter's functionally little
different from 'Use what got preloaded until the device dies.'

It should be mentioned in passing that kernel problems in Android don't
even rate:  The real problem in Android is the ubiquitous attitude of it
being OK to run any old code, proprietary or not, out of anywhere.  This
guarantees security problems that dwarf anything involving the kernel.

[skipping discussion of a August 2015 Linux Security Summit keynote
address about lurking security problems by Linux Foundation sysadmin
Konstantin Ryabitsev[0], and some reactions to that keynote]

  "We have some measures in place, although we are really not doing
  everything we can," wrote James Morris, maintainer of Linux's
  exterior defenses against attackers. 

That is _not_ James Morris's remit, by the way.  Timberg once again did
not bother to do basic fact-checking.   Morris maintains the LSM (Linux
Security Modules) subsystem, the kernel's interface for access control
software such as SELinux.[1]  LSM is sometimes inaccurately described as 
'Linux's security subsystem' -- as if security can be accomplished by 
containing it within a subsystem -- so Timberg probably picked up the
grossly inaccurate description from one of those.  But it's yet another
thing he flubbed by not doing fact-checking.

Good article by Morris, putting LSM in context:
https://www.linux.com/learn/docs/727873-overview-of-linux-kernel-security-fe...

Timberg cites an encounter between Kees Cook and Torvalds at the 2015
Linux Summit, where Cook promoted some ideas from Morris's Linux
Security Summit keynote, including some specific items from PaX /
grsecurity, and:

  The ability to make the kernel execute code in user-space memory is
  exploitable. The best solution here can be hardware segmentation;
  Intel's "supervisor-mode execution prevention" and ARM's "privileged
  execute never" can both block execution from user-space memory.
  Instrumenting the compiler to set the high address bit on all kernel
  function calls can block calls into user-space memory (since the
  kernel's address space is at the upper end of the virtual address range,
  while user space is at the bottom). Kees also suggested emulating
  segmentation by using separate page tables for user mode and kernel
  mode; Linus jumped in at this point to say that this is the kind of idea
  that makes security people look crazy; such an approach would never
  perform well. He suggested avoiding talking about ideas that will
  clearly never make it into the mainline.

http://lwn.net/Articles/662219/

It's speculative _how_ big a performance hit this radical idea would
exact, but big, anyway.  And Torvalds has a point:  huge hits to
performance just so the kernel can compensate for egregious coding
errors in some applications would be wildly unpopular in 
_general-usage_ kernels.  Timberg portrays this as if it were a
questionable reaction:

  There was a revealing moment, however, when Cook raised the
  possibility of adding an especially intrusive feature long offered by
  Grsecurity. Torvalds immediately spoke up, saying this was "the kind of
  idea that makes security people look crazy," according to LWN.net, a
  site that follows Linux issues.

Some 'security' patches don't have big performance hits or have serious
functionality impact.  To my knowledge, they get mainlined just as often
as any other patches -- but part of the point of Torvalds's 'a bug is a
bug' (and therefore a bug labelled 'security' is per-se just a bug)
attitude that the security gang dislike is that just about _any_ bug
might turn out to have security implications, so why privilege some just
because of whom they arrive from, or what tag someone attaches, without
other reasons?

'Security' patches certainly do get mainlined.  They have an easier time
doing so if credibly introduced on LKML, and easier if they are modest
in scope rather than a huge stupendous change all at once, and easier if 
they don't break userspace.  If those conditions aren't met and the
security practitioner in question gets impatient, maintaining a patchset
out-of-tree still works.  Just ask the PaX / grsecurity people.  Who, 
by the way, aren't even proposing their patches on LKML because they
want to get paid mucho dinero for doing so (see:
https://lwn.net/Articles/538600/), so it's not surprising they don't get
mainlined.  So, what's the complaint, again?

Timberg closes with a comparison of the Linux ecosystem to the city of
Troy, and rhetorically asks who's protecting the Trojans?  

Well, Mr. Timberg, those who want the occasional serious inconveniences
and reduced performance of including the more-far-reaching security
patchsets are doing so, on their security-sensitive systems.  Those who
care less about hardening, which is _mostly_ protecting badly written
userspace applications from the consequences of those bugs, aren't.
It's called choice and diversity.  Some people aren't used to it.

It's nowhere near perfect, and there are bugs in all code, and death and
taxes also exist.  And no surviving citizens of Troy, either.

I'll let Spender have almost the last word, because even though he's a
cranky-pants gadfly with a questionable sense of perspective, I like him
anyway.  Slides:  https://grsecurity.net/spender_summit.pdf

And I'm going to be curious what security-sensitive people do to
compensate for the sudden restricted availability of grsecurity.

But in conclusion:

Sure, security in the Linux kernel is a huge, fat mess, there are 
problems that persist for rather too long, and there have been far too
few attempts at _systemic_ improvement as opposed to the patch-and-pray 
treadmill.  Same old.  Timberg seems to _want_ to imagine a magic world 
where everyone can be made simultaneously happy with a single
reformed/refactored kernel source tree arrived at without major delays
and expense.  Worse, he blames a bunch of things on Torvalds & Co. that
are not within their remit at all.  Worst of all, Timberg served mostly
as a stalking horse for a little gang of security people with grievances
but no real clue how to run a kernel project and why.  These are _my_
kind of malcontents, but I'm aware that they're out of their depth when
they suggest Torvalds & Co. are running the project wrong.  Timberg
isn't, and IMO got taken for a ride.

We needed a good article about the perennial standoff between the core
kernel people and security specialists.  This was about 1/3 of one.
There are real concerns.  This article at least puts them on the table,
though it does a poor job of discussing them.

[0] See also http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf
Highly recommended, and extremely funny & wise stuff.  I have lived this.

[1] It would be an excellent if antiquated gag to rename a village
within the Commonwealth of Virginia to be called 'Santa Claus,
Virginia'.  Except, you'd never be able to find it with a search engine.

[2] Morris is also maintainer of sVirt for virtualisation software and of
the kernel crytographic API, has done work on SELinux, and does other
security work in the kernel.  I don't want to denigrate his work, which
is important.  He's a Red Hat employee living in Sydney.

_______________________________________________
conspire mailing list
conspire@linuxmafia.com
http://linuxmafia.com/mailman/listinfo/conspire

----- End forwarded message -----