> The systems using a Linux kernel are right now running with security flaws. Those flaws are just not known to the developers yet, but they’re likely known to attackers.
I don't understand where he's deducing the second sentence from.
I guess it's the de-facto assumption with security vulnerabilities - if the vulnerability exists, there's a decent chance that someone knows about it and is using it. I'm not sure if there are any stats (retrospectively) about how "decent" that chance is.
Definitely would be true for all projects. That said, perhaps with Linux's omnipresence and role, it'd be very high on the target list (thus making it more true here).
I didn't really read the sentence that way though - it felt more like a clarification on why the number of vulnerabilities tend towards zero. Known vulnerabilities are few in number, but this doesn't mean it's vulnerability free.
I wouldn't say "all projects". The statement is based on that they introduce and remove vulnerabilities at a certain rate. A project that introduces less vulnerabilities or finds them faster would be less likely to have privately known vulnerabilities at any given time.
Good point. Though without perfect hindsight (or looking at any given time), it's certainly possible that there are entire categories of privately known vulnerabilities which are not even on the public radar. So it's quite possible that the rate at which known vulnerabilities are fixed might be very misleading. I guess they would offer a good base for the discussion nevertheless.
Sure, or if you find a way to find certain vulnerabilities quicker. A bug with 5 year life span that you can find in 1 month doesn't require you to find them too frequently and more projects that fixes such bugs in 1 year will also be vulnerable.
This is what I would assume someone like the NSA does. They would have calculated a window of where it's most advantageous for them to find a bug and will then spend the resources at that time. Both in terms of bug life time and severity, but also user share.
I didn't interpret it that way at all. It's an article about flaws in the linux kernel, so it's quite natural the sentence was formed the way it was - without meaning to imply that it is true only for Linux.
1. No matter how many eyeballs you put on a bug, it does not become more shallow
2. Each bug lives on average for 5 years
This makes it probable that whomever puts enough resources on researching for bugs discovers them _before_ the developers find it out: 5 years is a very long time in terms of security assessments. It is reasonable to assume there are actors with enough such resources - these aren't necessarily neither large, e.g. states, nor malicious. They could be, for instance, independent researchers aiming to improve the kernel. That's what makes it probable these flaws are likely known to malicious 3rd parties.
I don't think it would be possible; one of the interesting parts of the article's graph is the 'creation time' of the vulnerability, but there's no corresponding public data for Windows vulnerabilities.
It would be interesting, but a very tricky comparison to make as the Linux kernel and full OS' like Windows or OSX is not really a like-for-like comparison.
Windows and OSX cover large areas of functionality not really covered by the linux kernel (e.g. windowing systems) and the Linux kernel covers a wider range of devices than Windows or OSX so will have more a larger driver base.
Looking at the charts provided, out of 34 fixed bugs of "high importance" only 8 have been introduced in the last 5 years (i.e. after v3.0). So 75% of security fixes are for "legacy" bugs that have been introduced forever ago. The same ratio seems to hold true for the charts of "mid" and "low" importance (bit hard to tell with that resolution).
Over the same period, the kernel codebase grew from 8M LOC to 22M LOC. I'm not sure how to interpret this gap in security issues between the old "small" code vs the new massive code. Either kernel developers are a great deal more careful and the new code has a great deal fewer bugs, or we are about to get hit with a massive backlog of disclosures that bad guys are quietly piling up.
I believe most of that growth has been in the /drivers section of the kernel. While a driver can still root your kernel, the chance of one affecting you is much lower, unless it is one of the generic/common ones.
Let's say for simplicity's sake that _every_ bug needs exactly five years until it is found. This means that you will see zero bugs introduced in the last five years -- they haven't been found yet!
Time is on the vertical axis (labeled with kernel versions that were released at that time instead of date). Horizontal axis is just an arbitrary bug number. It seems bugs are ordered first by severity and then by time they were fixed.
30 comments
[ 2.0 ms ] story [ 75.3 ms ] threadI don't understand where he's deducing the second sentence from.
I didn't really read the sentence that way though - it felt more like a clarification on why the number of vulnerabilities tend towards zero. Known vulnerabilities are few in number, but this doesn't mean it's vulnerability free.
This is what I would assume someone like the NSA does. They would have calculated a window of where it's most advantageous for them to find a bug and will then spend the resources at that time. Both in terms of bug life time and severity, but also user share.
This happened many times for both closed on open source projects. Not surprisingly, given how much is paid for a 0-day.
1. No matter how many eyeballs you put on a bug, it does not become more shallow
2. Each bug lives on average for 5 years
This makes it probable that whomever puts enough resources on researching for bugs discovers them _before_ the developers find it out: 5 years is a very long time in terms of security assessments. It is reasonable to assume there are actors with enough such resources - these aren't necessarily neither large, e.g. states, nor malicious. They could be, for instance, independent researchers aiming to improve the kernel. That's what makes it probable these flaws are likely known to malicious 3rd parties.
I doubt it, but it would be interesting to compare nontheless.
See this talk: https://www.youtube.com/watch?v=3Sx0uJGRQ4s
Windows and OSX cover large areas of functionality not really covered by the linux kernel (e.g. windowing systems) and the Linux kernel covers a wider range of devices than Windows or OSX so will have more a larger driver base.
Various closed source vendors discourage that even to the point of suing people for reporting vulns while keeping known ones secret.
In 2013 they paid out $100k to a single researcher for a set of bug reports.
So I don't think in a comparison of OS-->OS bugs that factor would really apply
Over the same period, the kernel codebase grew from 8M LOC to 22M LOC. I'm not sure how to interpret this gap in security issues between the old "small" code vs the new massive code. Either kernel developers are a great deal more careful and the new code has a great deal fewer bugs, or we are about to get hit with a massive backlog of disclosures that bad guys are quietly piling up.
I believe most of that growth has been in the /drivers section of the kernel. While a driver can still root your kernel, the chance of one affecting you is much lower, unless it is one of the generic/common ones.
[1] http://imgur.com/a/pdvFP
I know this is probably meant to be read by people who know more about the subject than me, but adding some axis labels wouldn't hurt.
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Pro...
https://outflux.net/blog/archives/2016/10/20/cve-2016-5195/