{"id":680,"date":"2017-11-20T17:45:44","date_gmt":"2017-11-20T17:45:44","guid":{"rendered":"https:\/\/securitycurve.com\/?p=680"},"modified":"2017-11-20T17:45:44","modified_gmt":"2017-11-20T17:45:44","slug":"linus-and-the-stupid-security-people-thing","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=680","title":{"rendered":"Linus and the &#8220;stupid security people&#8221; thing"},"content":{"rendered":"<p><img decoding=\"async\" class=\"alignright lazyload\" data-src=\"https:\/\/i.imgur.com\/oT6fVmX.jpg\" width=\"351\" height=\"567\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 351px; --smush-placeholder-aspect-ratio: 351\/567;\" \/>There&#8217;s an interesting discussion going on in the Linux Kernel email list.\u00a0 Normally, the intimate details of Linux kernel development don&#8217;t make it to the security trade media (let alone the mainstream media), but this one did.\u00a0 For example, <a href=\"https:\/\/www.theregister.co.uk\/2017\/11\/20\/security_people_are_morons_says_linus_torvalds\/\">The Register is covering it.<\/a><\/p>\n<p>First, the backstory.\u00a0 Kees Cook (security engineer on ChomeOS), Debian developer, and Ubuntu security maintainer) and Linus Torvalds (Linux kernel author\/maintainer) had a back and forth this weekend over a set of Linux hardening features (specifically, hardening features for usercopy).\u00a0 The feature is designed to <a href=\"https:\/\/www.phoronix.com\/scan.php?page=news_item&amp;px=Hardened-Usercopy-Linux-4.8\">do a bunch of stuff<\/a>, but notably: catch heap overflows, prevent kernel modification, and enforce memory boundary checking.\u00a0 Seems like a useful feature.\u00a0 The current debate though is what should the behavior be if it fails.\u00a0 It&#8217;s written (currently) such that it&#8217;ll warn, with the idea that in the future it&#8217;ll kernel panic.<\/p>\n<p>The <a href=\"http:\/\/lkml.iu.edu\/hypermail\/linux\/kernel\/1711.2\/01325.html\">full exchange<\/a> is worth reading through in detail, but the reason it&#8217;s in the news is mostly Linus&#8217; responses about security people not &#8220;doing sane things&#8221; and the fact that his response was a bit on the vitriolic side.\u00a0 Specifically, per the <a href=\"http:\/\/lkml.iu.edu\/hypermail\/linux\/kernel\/1711.2\/01701.html\">Linus reply<\/a>:<\/p>\n<blockquote><p>So honestly, this is the kind of completely unacceptable &#8220;security person&#8221; behavior that we had with the original user access hardening too, and made that much more painful than it ever should have been&#8230;\u00a0Some security people have scoffed at me when I say that security problems are primarily &#8220;just bugs&#8221;.\u00a0 Those security people are f*cking morons. Because honestly, the kind of security person who doesn&#8217;t accept that security problems are primarily just bugs, I don&#8217;t want to work with. If you don&#8217;t see your job as &#8220;debugging first&#8221;, I&#8217;m simply not interested.<\/p><\/blockquote>\n<p>He goes on to say:<\/p>\n<blockquote><p>The primary focus should be &#8220;let&#8217;s make sure the kernel released in a year is better than the one released today&#8221;&#8230;\u00a0the hardening efforts should instead _start_ from the standpoint of &#8220;let&#8217;s warn about what looks dangerous, and maybe in a _year_ when we&#8217;ve warned for a long time, and we are confident that we&#8217;ve actually caught all the normal cases, _then_ we can start taking more drastic measures&#8221;.<\/p><\/blockquote>\n<p>There are a few reasons why I think this is interesting.\u00a0 First, there&#8217;s the argument itself.\u00a0 To discuss it analytically and objectively though, you have to be willing to at least consider the other side of the argument.\u00a0 Which, frankly, Linus&#8217; response makes it a little hard to do because of the metacognitive dynamics of how he phrased his position.\u00a0 Those dynamics themselves are interesting too &#8212; but for a totally different reason.\u00a0 Lastly, it&#8217;s interesting because of synecdoche (i.e., &#8220;part represents the whole&#8221;).\u00a0 This whole exchange is a crystallized moment that is, writ small, the essence of the back and forth discussion that many products have about security vs. functionality trade-offs. It&#8217;s worth talking about those because customers are often unhappy with the &#8220;security&#8221; of what they buy or use &#8212; and they might not understand that a discussion just like this one is the reason why that product is the way it is.<\/p>\n<p>Anyway, let&#8217;s start with Linus&#8217; point.\u00a0 Is he right in saying that security issues are just bugs?\u00a0 I think fundamentally he is, but I will note that it&#8217;s nuanced.\u00a0 Let&#8217;s start with what&#8217;s easy.\u00a0 \u00a0We all know there are few different potential types of security &#8220;issues&#8221; that could happen: coding issues (e.g. injection issues and the like), logic issues (for example, behavior that isn&#8217;t constructed in such a way as to mitigate potential attack paths), features that don&#8217;t behave as advertised or that allow an attacker to misuse the architecture or the implementation.\u00a0 Those are clearly bugs.\u00a0\u00a0It gets a little murkier though when we include security functionality as well in the discussion.\u00a0 For example, philosophically &#8212; are missing features (i.e. those that would be required to meet a reasonable security baseline based on how the product will be used) &#8220;bugs&#8221;?\u00a0 For example, say I were to author a web server that didn&#8217;t support TLS.\u00a0 Is it a &#8220;bug&#8221; that someone could snoop on the traffic?\u00a0 Meaning, would it be a request for a new feature (ergo, an improvement) to add it?\u00a0 Or is adding TLS addressing a bug?\u00a0 I think the answer is based on usage and the claims made about how it is supposed to function.<\/p>\n<p>For example, it&#8217;s probably hard to argue it isn&#8217;t a bug if the web server example above is an e-commerce application advertised as &#8220;a secure, hardened e-commerce platform fully in compliance with the PCI DSS.&#8221;\u00a0 In that case, failing to implement a clearly-necessary feature to meet the goals of the product and expectations of the user community is a bug.\u00a0 The expectations the user has dictates that.\u00a0 We&#8217;ve set up the expectation that it behave a certain way &#8212; so, it not doing so is a bug.\u00a0 But it&#8217;s almost entirely dependent on what we&#8217;ve said about it and how the user expects it to behave.<\/p>\n<p>Now, in the case of a general purpose OS, the usage is undefined.\u00a0 For normative usage, I think the right behavior to enforce &#8212; and what I expect as a user &#8212; is that you don&#8217;t kernel panic if there&#8217;s an issue with usercopy.\u00a0 Warn me about it first.\u00a0 Seriously.\u00a0 Warn me a lot if you want, but start with the warning (which, note is what the WARN behavior does).\u00a0 The situation might be significantly different though if it&#8217;s say, a voting system or biomedical system running something like BusyBox.\u00a0 In that case, I don&#8217;t expect a lot of modification to the user base.\u00a0 If usercopy is happening in that situation &#8211; particularly in a way that fails the check &#8211; kernel panic is probably an acceptable option.\u00a0 In fact, I&#8217;d prefer that.\u00a0 I might even prefer it if the kernel panics if someone employs usercopy in the first place.<\/p>\n<p>tl;dr?\u00a0 I agree with Linus philosophically, with the caveat that, depending on usage, it might be non-&#8220;f*cking moronic&#8221; to advocate the &#8220;panic if the check fails&#8221; position (note that nobody in this thread is arguing that&#8230;).\u00a0 I wish Linus had picked a different way to phrase this though.\u00a0 He&#8217;s set the argument up such that either you agree or you&#8217;re a moron.\u00a0 This makes it really hard for anyone to argue the alternative position.\u00a0 For example, did I argue the way I did above based on the logic or because I don&#8217;t want to Linus to think I&#8217;m a moron?\u00a0 I don&#8217;t know.\u00a0 I like to think it&#8217;s based on the logic.\u00a0 I also get it that I have a metacognitive bias based on the Millgram effect (when it comes to Linux, who&#8217;s an authority if not Linus Torvalds?), so frankly I will never truly know for sure.\u00a0 That&#8217;s interesting if you&#8217;re interested in that kind of thing (which I am).<\/p>\n<p>Finally, I think it&#8217;s interesting also because these are exactly the security\/usability tradeoff discussions that happen with every product that there is.\u00a0 On the one hand, there are folks who want it to just work &#8211; functionality is paramount and trumps enhanced security.\u00a0 On the other, there are those that feel the system is flawed if certain security-related design criteria are not met.\u00a0 Almost always, the decision is to go with the former.\u00a0 Is that always the right thing?\u00a0 For the Linux kernel, I think it is.\u00a0 Ideally, I&#8217;d prefer to have the option to enable the &#8220;kernel panic on whitelist failure&#8221;, &#8220;warn on whitelist failure&#8221; or &#8220;ignore whitelist failure&#8221; based on my particular use case.\u00a0 For BusyBox, I&#8217;d almost always prefer it be to panic (and default that way); for my desktop, I&#8217;d almost always prefer it warn (and default to that), for a teardown malware-testing virtual instance I think &#8220;off&#8221; is the right setting.\u00a0 But what&#8217;s interesting to me about it is that it represents a security vs. usability design decision &#8211; and there&#8217;s a grey area.\u00a0 I think it&#8217;s important that we recognize it has the potential to be a grey area, because that way discussion and learning happens.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There&#8217;s an interesting discussion going on in the Linux Kernel email list.\u00a0 Normally, the intimate details of Linux kernel development don&#8217;t make it to the security trade media (let alone the mainstream media), but this one did.\u00a0 For example, The Register is covering it. First, the backstory.\u00a0 Kees Cook (security engineer on ChomeOS), Debian developer, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[74,115],"class_list":["post-680","post","type-post","status-publish","format-standard","hentry","category-security","tag-linux","tag-stupidity"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/680","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=680"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/680\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=680"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=680"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=680"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}