How Linux Kernel Development Impacts Security
At CoreOS Fest, Greg Kroah-Hartman, maintainer of the Linux kernel, declares that almost all bugs can be security issues
The Linux kernel is a fast-moving project, and it’s important for both users and developers to quickly update to new releases to remain up-to-date and secure. That was the keynote message Greg Kroah-Hartman, maintainer of the stable Linux kernel, delivered at CoreOS Fest on May 9.
Kroah-Hartman is a luminary in the Linux community and is employed by the Linux Foundation, publishing on average a new Linux stable kernel update every week. In recent years, he has also taken upon himself the task of helping to author the “Who Writes Linux” report that details the latest statistics on kernel development. He noted that, from April 2015 to March 2016, there were 10,800 new lines of code added, 5,300 lines removed and 1,875 lines modified in Linux every day.
“We’re modifying Linux really, really fast,” Kroah-Hartman said.
He emphasized that the rate of change isn’t because of vanity, but rather is due to a real need to evolve. The world of technology is constantly changing with new approaches, hardware and needs, and as such Linux has to keep pace.
Change of pace
“If your operating system does not change, it is dead,” Kroah-Hartman said.
The Linux kernel community manages the rapid rate of change by way of an incremental change process and time-based releases. On average, there has been a new mainline Linux kernel release every two and a half months for the past 15 years. Even with all that change, there is a lot of stability, since a primary goal is not to break existing APIs.
A typical kernel release cycle is made up of approximately seven release candidates, and the majority of the two-and-a-half-month cycle is about bug fixing. Once a new kernel is released by Linux creator Linus Torvalds, Kroah-Hartman maintains the stable kernel, which itself continues to get patched. Once a year, Kroah-Hartman selects a new kernel to become a long-term kernel, which he then maintains for two years with fixes.
“I do a stable release once a week with about 100 to 150 patches,” Kroah-Hartman said. “It’s a lot of stuff changing and being fixed.”
From a security perspective, the rate of change and bug fixes are also noteworthy, as Kroah-Hartman emphatically said almost all bugs can be a security issue. Because he doesn’t always know which bug could be a security vulnerability, he said all patches are important.
“When we push out the fixes, you better take advantage of it,” Kroah-Hartman said. “If you are not using a stable, long-term kernel, your machine is insecure.”
Unfortunately, not every vendor that makes use of Linux keeps up with the rate of change. A case in point is Android phone vendors, which have a history of not patching upstream Linux kernel issues in a timely manner. For example, in March, Google issued an Android security update for a Linux kernel flaw that was first patched in 2015.
While Android can be slow at patching, Kroah-Hartman praised Google’s Chromebook for rapid updates for Linux issues.
Overall, he noted that there is a need for “airbags” in Linux that can cushion the blow of security issues. To that end, there are multiple Linux efforts including SELinux (Security Enhanced Linux) that can help limit security risks. There is also a broader effort underway called the Kernel Self Protection Project that aims to help protect Linux. Items from the project are finding their way into the mainline of Linux to help minimize the impact of security bugs, according to Kroah-Hartman.
“If you aren’t changing, you’re dead,” he said. “You have to change, you have to keep up, and that’s why the kernel keeps changing.”
Originally published on eWeek.