* [gentoo-security] Kernel Security + KISS
From: Casey Link @ 2008-02-16 22:57 UTC
To: gentoo-security

After reading the tangent topic in bug id 209460 concerning kernel vulnerabilities and GLSAs I did some searching and came across the "Kernels and GLSAs" thread from a while ago. I understand the logic behind not including kernel vulnerabilities in regular GLSAs, but in that thread an up-and-coming solution (KISS) was mentioned. That was back in 2005, and now, according to the Gentoo Kernel Security sub-project page, the project is stalled. Whatever happened to the KISS project?

I think notifying users of relevant kernel vulnerabilities is important and I would like to help if possible. What is the current state of things regarding kernel vulnerability reporting?

Casey Link
--
gentoo-security@lists.gentoo.org mailing list
* Re: [gentoo-security] Kernel Security + KISS
From: Calum @ 2008-02-17 0:42 UTC
To: gentoo-security

On Feb 16, 2008 10:57 PM, Casey Link <unnamedrambler@gmail.com> wrote:
> After reading the tangent topic in bug id 209460 concerning kernel
> vulnerabilities and GLSAs I did some searching and
> came across the "Kernels and GLSAs" thread from a while ago.

And here's another one:
http://archives.gentoo.org/gentoo-security/msg_b4dcb17d4fef48ce663b9352870be6a8.xml

I started this one, and share the same views as then. It might be boring work (and no, I can't do it - I'm just a user of Gentoo), but it's just strange to leave out the core which all other packages utilise and depend on.

Perhaps a compromise could be reached: only serious vulnerabilities, in default/commonly/always used parts of the kernel, causing local or remote root escalations would be notified?

DoS in raid-xyz.o on MIPS only in 2.6.16-rc2-mm-test - doesn't matter.
Local root in splice.c on x86/amd64 affecting 95% of kernel users - does matter.

In fact, I'd prefer that to the old create-a-GLSA-for-every-kernel-problem solution.

Anyway, it's late, and I'm tired, and I'm not detracting from the great job the security team do (and especially the Hardened guys), but it's nice to have just a one-stop shop to know if you're running secure versions of things.

(*Yes, having sources-x.y.z installed doesn't mean that you're running it, but at least it'll force you to install the sources to stop glsa-check from bitchin' :) - and then, well, if you don't compile, build, and run it, well, that's your own fault.)

C
--
http://linuxvps.org/
* Re: [gentoo-security] Kernel Security + KISS
From: Sune Kloppenborg Jeppesen @ 2008-02-17 17:46 UTC
To: gentoo-security

On Saturday 16 February 2008, Casey Link wrote:
> I understand the logic behind not including kernel vulnerabilities in
> regular GLSAs but in that thread
> an up and coming solution (KISS) was mentioned. That was back in 2005
> and now according to the Gentoo Kernel Security sub-project page the
> project is stalled. Whatever happened to the KISS project?

It sadly died before going live and the original kernel developer left.

> I think notifying users of relevant kernel vulnerabilities is
> important and I would like to help if possible. What is the current
> state of things regarding kernel vulnerability reporting?

I agree. However, we need people with kernel knowledge and time to handle security issues for all kernel sources.

Anyone interested should mail security@gentoo.org.

--
Sune Kloppenborg Jeppesen
Gentoo Linux Security Team
* Re: [gentoo-security] Kernel Security + KISS
From: Eduardo Tongson @ 2008-02-17 21:43 UTC
To: gentoo-security

What specific kernel knowledge is needed to get a Kernel advisory up and running?

Ed

On Feb 18, 2008 1:46 AM, Sune Kloppenborg Jeppesen <jaervosz@gentoo.org> wrote:
> [...]
> I agree. However we need people with kernel knowledge and time to handle
> security issues for all kernel sources.
>
> Anyone interested should mail security@gentoo.org.
* Re: [gentoo-security] Kernel Security + KISS
From: Robert Buchholz @ 2008-02-18 4:12 UTC
To: gentoo-security; Cc: Eduardo Tongson

On Sunday, 17. February 2008, Eduardo Tongson wrote:
> What specific kernel knowledge is needed to get a Kernel advisory up
> and running ?

Between becoming aware of a vulnerability in Linux and drafting an advisory for one or all kernel sources comes the part where you review which versions of which kernel sources are affected and unaffected. You also need to pay attention to specifics of the added patchsets, which might duplicate vulnerabilities.

Parts of the job can indeed be done without Kernel and C knowledge, but some cannot. So if we draft a new kernel security *team*, people without C and kernel knowledge are helpful -- some others need to have it, though.

Robert
* Re: [gentoo-security] Kernel Security + KISS
From: Harlan Lieberman-Berg @ 2008-02-20 18:59 UTC
To: gentoo-security

On Sunday 17 February 2008 23:12:35 Robert Buchholz wrote:
> On Sunday, 17. February 2008, Eduardo Tongson wrote:
> > What specific kernel knowledge is needed to get a Kernel advisory up
> > and running ?
>
> Between becoming aware of a vulnerability in Linux and drafting an advisory
> for one or all kernel sources comes the part where you review which
> versions of which kernel sources are affected and unaffected. You also
> need to pay attention to specifics of the added patchsets, which might
> duplicate vulnerabilities.
>
> Parts of the job can indeed be done without Kernel and C knowledge, but
> some cannot. So if we draft a new kernel security *team*, people without C
> and kernel knowledge are helpful -- some others need to have it, though.
>
> Robert

To be honest, 99% of what is done in the kernel security team can be done with no C knowledge at all.

I'm not an expert C person - far from it - but I eventually became the head of Kernel Security until I retired a few months ago.

Most of it is bug handling. The major problem is a social, not a technical one. Because of the manner in which our kernels are organized, a single vulnerability involves checking upstream version numbers, coordinating them into our downstream version numbers for all sources, checking to see if the sources are affected, figuring out who to CC for the bugs, then harassing them until they do it.

Unlike other security sources, any attempt to hardmask the package is shut down instantly. The chaos that would result from a kernel hardmask, even one of the lesser used ones, caused me to only successfully order one over my entire career in Gentoo Kernsec... even though around 30 would have been needed. It is not infrequent that bugs last six months without any action on them, and users are blissfully unaware.

I am happy to give my input as the former head of Kernel Security, but it is my personal opinion that any advances in kernel security will require the full cooperation of security, and letting the head of kernel security be able to actually enforce threats, as that seems to be the only way bugs ever get resolved. Pleading didn't work - I tried.

-Harlan Lieberman-Berg
Gentoo Developer Emeritus
* Re: [gentoo-security] Kernel Security + KISS
From: C. Bergström @ 2008-02-20 19:28 UTC
To: gentoo-security

On Wed, 2008-02-20 at 13:59 -0500, Harlan Lieberman-Berg wrote:
> [...]
> I am happy to give my input as the former head of Kernel Security, but it is
> my personal opinion that any advances in kernel security will require the
> full cooperation of security, and letting the head of kernel security be able
> to actually enforce threats, as that seems to be the only way bugs ever get
> resolved. Pleading didn't work - I tried.

Very insightful, thanks. I've no time to spare at the moment so I'm just trying to brainstorm out loud.

Outside of the hardened kernel and the various foo-kernels, what's the benefit of not just playing follow-the-leader? Maybe it's possible to just copy something more well maintained: RH, Debian... It would require Kernel security to maintain a kernel, but then you'd never have to fight the maintainer when you issue a security fix which was pushed from upstream. RH and friends would even guarantee it doesn't break things to some extent.

I'm sure this has been thought of before, but not sure why it's not adopted....

./C
* Re: [gentoo-security] Kernel Security + KISS
From: Ned Ludd @ 2008-02-20 22:55 UTC
To: gentoo-security; Cc: Donnie Berkholz

On Wed, 2008-02-20 at 13:59 -0500, Harlan Lieberman-Berg wrote:
> [...]
> I am happy to give my input as the former head of Kernel Security, but it is
> my personal opinion that any advances in kernel security will require the
> full cooperation of security, and letting the head of kernel security be able
> to actually enforce threats, as that seems to be the only way bugs ever get
> resolved. Pleading didn't work - I tried.
>
> -Harlan Lieberman-Berg
> Gentoo Developer Emeritus

Every word of what you said is painfully true. The only way to accomplish this would be with an Iron Fist (fail) or a team of ~15 guys who do nothing but patch and push new kernels and the PR that goes along with them every few days.

--
Ned Ludd <solar@gentoo.org>
* Re: [gentoo-security] Kernel Security + KISS
From: Eduardo Tongson @ 2008-02-21 3:16 UTC
To: gentoo-security

Alright, how do we proceed to get this team started?

ed*eonsec

On Thu, Feb 21, 2008 at 6:55 AM, Ned Ludd <solar@gentoo.org> wrote:
> [...]
> Every word of what you said is painfully true. The only way to
> accomplish this would be with an Iron Fist(fail) or a team of ~15 guys
> who do nothing but patch and push new kernels and the PR that goes along
> with them every few days.
> --
> Ned Ludd <solar@gentoo.org>
* Re: [gentoo-security] Kernel Security + KISS
From: Casey Link @ 2008-02-21 6:05 UTC
To: gentoo-security

It would probably help if we knew how many people were interested.

I am. +1

Casey

On Wed, Feb 20, 2008 at 10:16 PM, Eduardo Tongson <propolice@gmail.com> wrote:
> Alright how do we proceed to get this team started.
>
> ed*eonsec
> [...]
* Re: [gentoo-security] Kernel Security + KISS
From: Juan Pablo Olivera @ 2008-02-21 6:20 UTC
To: gentoo-security

I am interested too :)

No C knowledge but strong linux background and very organized guy.

On Thu, 2008-02-21 at 01:05 -0500, Casey Link wrote:
> It would probably help if we knew how many people were interested.
>
> I am. +1
>
> Casey
> [...]
* Re: [gentoo-security] Kernel Security + KISS
From: Arthur Bispo de Castro @ 2008-02-21 7:02 UTC
To: gentoo-security

I'm interested... little C knowledge, very curious about kernel, strong linux background...

Is there another prereq to join this?

On Thu, Feb 21, 2008 at 04:20:02AM -0200, Juan Pablo Olivera wrote:
> I am interested too :)
>
> No C knowledge but strong linux background and very organized guy.
> [...]

--
Arthur Bispo de Castro
Laboratório de Administração e Segurança (LAS/IC)
Universidade Estadual de Campinas (UNICAMP)
* Re: [gentoo-security] Kernel Security + KISS
From: nick loeve @ 2008-02-21 9:14 UTC
To: gentoo-security

I can help also... I have limited free time but am willing to put in
some hours...

I have medium C knowledge, reasonable kernel experience, and also a
strong linux background.

On Thu, Feb 21, 2008 at 8:02 AM, Arthur Bispo de Castro <arthur@las.ic.unicamp.br> wrote:
> I'm interested... little C knowledge, very curious about kernel, strong
> linux background...
>
> Is there another prereq to join this?
>
> On Thu, Feb 21, 2008 at 04:20:02AM -0200, Juan Pablo Olivera wrote:
> > I am interested too :)
> >
> > No C knowledge but strong linux background and very organized guy.
> >
> > On Thu, 2008-02-21 at 01:05 -0500, Casey Link wrote:
> > > It would probably help if we knew how many people were interested.
> > >
> > > I am. +1
> > >
> > > Casey
> > >
> > > On Wed, Feb 20, 2008 at 10:16 PM, Eduardo Tongson <propolice@gmail.com> wrote:
> > > > Alright, how do we proceed to get this team started.
> > > >
> > > > ed*eonsec
> > > >
> > > > On Thu, Feb 21, 2008 at 6:55 AM, Ned Ludd <solar@gentoo.org> wrote:
> > > > > On Wed, 2008-02-20 at 13:59 -0500, Harlan Lieberman-Berg wrote:
> > > > > > On Sunday 17 February 2008 23:12:35 Robert Buchholz wrote:
> > > > > > > On Sunday, 17. February 2008, Eduardo Tongson wrote:
> > > > > > > > What specific kernel knowledge is needed to get a Kernel advisory up
> > > > > > > > and running?
> > > > > > >
> > > > > > > Between becoming aware of a vulnerability in Linux and drafting an advisory
> > > > > > > for one or all kernel sources comes the part where you review which
> > > > > > > versions of which kernel sources are affected and unaffected. You also
> > > > > > > need to pay attention to specifics of the added patchsets, which might
> > > > > > > duplicate vulnerabilities.
> > > > > > >
> > > > > > > Parts of the job can indeed be done without Kernel and C knowledge, but
> > > > > > > some cannot. So if we draft a new kernel security *team*, people without C
> > > > > > > and kernel knowledge are helpful -- some others need to have it, though.
> > > > > > >
> > > > > > > Robert
> > > > > >
> > > > > > To be honest, 99% of what is done in the kernel security team can be done with
> > > > > > no C knowledge at all.
> > > > > >
> > > > > > I'm not an expert C person - far from it - but I eventually became the head of
> > > > > > Kernel Security until I retired a few months ago.
> > > > > >
> > > > > > Most of it is bug handling. The major problem is a social, not a technical
> > > > > > one. Because of the manner in which our kernels are organized, a single
> > > > > > vulnerability involves checking upstream version numbers, coordinating them
> > > > > > into our downstream version numbers for all sources, checking to see if the
> > > > > > sources are affected, figuring out who to CC for the bugs, then harassing
> > > > > > them until they do it.
> > > > > >
> > > > > > Unlike other security sources, any attempt to hardmask the package is shut down
> > > > > > instantly. The chaos that would result from a kernel hardmask, even one of
> > > > > > the lesser used ones, caused me to only successfully order one over my entire
> > > > > > career in Gentoo Kernsec... even though around 30 would have been
> > > > > > needed. It is not infrequent that bugs will last six months without any
> > > > > > action coming about them, and users are blissfully unaware.
> > > > > >
> > > > > > I am happy to give my input as the former head of Kernel Security, but it is
> > > > > > my personal opinion that any advances in kernel security will require the
> > > > > > full cooperation of security, and letting the head of kernel security be able
> > > > > > to actually enforce threats, as that seems to be the only way bugs ever get
> > > > > > resolved. Pleading didn't work - I tried.
> > > > > >
> > > > > > -Harlan Lieberman-Berg
> > > > > > Gentoo Developer Emeritus
> > > > >
> > > > > Every word of what you said is painfully true. The only way to
> > > > > accomplish this would be with an Iron Fist(fail) or a team of ~15 guys
> > > > > who do nothing but patch and push new kernels and the PR that goes along
> > > > > with them every few days.
> > > > > --
> > > > > Ned Ludd <solar@gentoo.org>
>
> --
> Arthur Bispo de Castro
> Laboratório de Administração e Segurança (LAS/IC)
> Universidade Estadual de Campinas (UNICAMP)

--
Nick Loeve
www.trickie.org

* Re: [gentoo-security] Kernel Security + KISS
From: George Prowse @ 2008-02-21 9:34 UTC
To: gentoo-security

I'm interested, no C knowledge but plenty of time, passed the dev exam
and a willingness to learn. It's been on my agenda for a long time.

nick loeve wrote:
> I can help also... I have limited free time but am willing to put in
> some hours...
>
> I have medium C knowledge, reasonable kernel experience, and also a
> strong linux background.

* Re: [gentoo-security] Kernel Security + KISS
From: Robert Joslyn @ 2008-02-21 13:09 UTC
To: gentoo-security

I would like to help as well. I have limited C experience unfortunately,
and most of that is programming PIC microcontrollers. Been using Gentoo for
years, and would love to give something back.

Robert

On Thu, Feb 21, 2008 at 4:34 AM, George Prowse <cokehabit@gmail.com> wrote:
> I'm interested, no C knowledge but plenty of time, passed the dev exam
> and a willingness to learn. It's been on my agenda for a long time.

* Re: [gentoo-security] Kernel Security + KISS
From: Casey Link @ 2008-02-21 13:35 UTC
To: gentoo-security

A couple days ago I discussed (in #gentoo-security) with Robert
(rbu@g.o) a solution to the Kernel security issue. Robert has a good
plan to keep the bugzilla data in bugzilla, that is, don't take away the
essentials from bugzilla. And that is by implementing a tagging system
for each bug. In the whiteboard field for each bug could go something
like so (this is taken from our IRC convo):

[linux < 2.6.22] [genpatches < 2.6.20-3] [xen-sources < 2.6.18-r2]

Which would translate as kernel.org upstream released 2.6.22 with a
fix, genpatches released 2.6.20-3 with a fix, and xen-sources released
2.6.18-r2 with the patch applied.

A tool could then be written to parse the bugzilla entries and
generate reports. Then when all the sources have been patched a GLSA
can be released.

I like this idea because all the data stays in bugzilla, so you can go
to bugzilla and get all the information you need about each bug.

I don't see why this tool cannot be available for users too, in the
same form that KISS was. I came across these screenshots:
http://dev.gentoo.org/~dsd/misc/kiss1.jpg
http://dev.gentoo.org/~dsd/misc/kiss2.jpg

What if KISS was an external tool like shown in those pictures, but
parsed the bugzilla entries and generated reports like I talked about
above. Robert's whiteboard tagging system is a great one, but the
system needs a way to view the status of all the sources together and
individually, similarly to what is shown in those screenshots. And why
not make this a website? A single GLSA could still be released per bug
once all sources had been patched, but KISS could be a place for users
to go (if they feel so inclined) to get an overall and granular status
report of the various sources in portage.

Perhaps KISS could offer an email notification option. A user could
"subscribe" to several sources and be notified about their security
status. The user could even specify what sort of information he
wanted: vulnerability report, severity levels, patches released, etc.

Those are just some thoughts I had. I already tossed my hat in, but
I've got medium C experience, and I am pretty experienced with hosting
setups and simple web development (PHP mainly). I would be willing to
work on something like I described above: bugzilla parsing, a nice
Web display, etc.

Casey

On Thu, Feb 21, 2008 at 8:09 AM, Robert Joslyn <rjmars97@gmail.com> wrote:
> I would like to help as well. I have limited C experience unfortunately,
> and most of that is programming PIC microcontrollers. Been using Gentoo for
> years, and would love to give something back.
>
> Robert

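The whiteboard tagging scheme Casey describes above, parsed and turned into the kind of per-source status report he has in mind, as an added example (Python written for this page, not code from the thread, from KISS or from Gentoo). The tag syntax is the one quoted in his message; everything else is an assumption made here: a bug with no tag for a source is treated as "fix not yet released" for that source, versions are compared as dotted numbers plus an optional -N or -rN revision (a simplification of Portage's full version rules), and the bug ids and whiteboards are constructed sample data.

```python
"""Added example: parse the proposed bugzilla whiteboard tags
("[linux < 2.6.22] [genpatches < 2.6.20-3] ...") and report, per kernel
source, which bugs an installed version still lacks a fix for.

Assumptions (not stated in the thread): a source with no tag on a bug is
treated as "fix not yet released" for that source; versions are compared as
dotted numbers plus an optional -N or -rN revision, a simplification of
Portage's version rules; the bug ids and whiteboards below are constructed.
"""
import re

# One tag: "[<source> < <version>]", whitespace-tolerant.
TAG_RE = re.compile(r"\[\s*([\w.+-]+)\s*<\s*(\d[\w.\-]*)\s*\]")


def parse_version(text):
    """Turn "2.6.18-r2" into ((2, 6, 18), 2) so tuples compare in natural order.
    Raises ValueError on anything non-numeric, so a garbled tag can never be
    read as "fixed" by accident (fail closed)."""
    base, _, rev = text.partition("-")
    nums = tuple(int(part) for part in base.split("."))
    revision = int(rev.lstrip("r")) if rev else 0
    return (nums, revision)


def parse_whiteboard(whiteboard):
    """Return {source: first_fixed_version} for every well-formed tag."""
    return {source: version for source, version in TAG_RE.findall(whiteboard)}


def is_fixed(installed, fixed):
    """True when the installed version is at or past the first fixed version."""
    return parse_version(installed) >= parse_version(fixed)


def status_report(bugs, installed, tracked_sources):
    """Cross bug whiteboards with what is installed on one machine.

    bugs            {bug_id: whiteboard string}
    installed       {source: version} for the kernel sources on the machine
    tracked_sources every source that needs a fix before a GLSA goes out

    Returns (per_source, glsa_ready): per_source maps each installed source to
    the bugs whose fix it does not carry yet; glsa_ready lists the bugs for
    which every tracked source already has a fix tag.
    """
    per_source = {source: [] for source in installed}
    glsa_ready = []
    for bug_id, whiteboard in sorted(bugs.items()):
        tags = parse_whiteboard(whiteboard)
        if all(source in tags for source in tracked_sources):
            glsa_ready.append(bug_id)
        for source, version in installed.items():
            fixed = tags.get(source)
            # No tag yet means no fix yet for that source (assumption above).
            if fixed is None or not is_fixed(version, fixed):
                per_source[source].append(bug_id)
    return per_source, glsa_ready


def format_report(per_source, glsa_ready):
    """Plain-text view, one line per source, in the spirit of the KISS screenshots."""
    lines = []
    for source, open_bugs in sorted(per_source.items()):
        state = ("affected by " + ", ".join(open_bugs)) if open_bugs else "no open tracked bugs"
        lines.append(f"{source}: {state}")
    lines.append("GLSA-ready bugs: " + (", ".join(glsa_ready) or "none"))
    return "\n".join(lines)


# Constructed sample data: three hypothetical bugs and one machine's sources.
SAMPLE_BUGS = {
    "example-1": "[linux < 2.6.22] [genpatches < 2.6.20-3] [xen-sources < 2.6.18-r2]",  # the thread's own tag line
    "example-2": "[linux < 2.6.24.1] [genpatches < 2.6.24-2]",                           # xen-sources not yet patched
    "example-3": "[linux < 2.6.23] [genpatches < 2.6.23-1] [xen-sources < 2.6.18-r3]",
}
TRACKED_SOURCES = ("linux", "genpatches", "xen-sources")
INSTALLED = {"genpatches": "2.6.23-5", "xen-sources": "2.6.18-r2"}

if __name__ == "__main__":
    report, ready = status_report(SAMPLE_BUGS, INSTALLED, TRACKED_SOURCES)
    print(format_report(report, ready))
```

Two design points worth keeping in any real version: a missing or malformed tag must never be read as "fixed" (the parser fails closed on non-numeric versions and treats an absent tag as still affected), and the GLSA-readiness check is driven by an explicit list of tracked sources rather than by whatever tags happen to be present, so a source nobody tagged cannot be silently forgotten.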
* Re: [gentoo-security] Kernel Security + KISS
From: Eduardo Tongson @ 2008-02-21 13:52 UTC
To: gentoo-security

Nice plan. I think you are more able to lead. Can we communicate more
in email, perhaps a google group or list? IRC is not efficient for
people in different timezones.

-- ed*eonsec

On Thu, Feb 21, 2008 at 9:35 PM, Casey Link <unnamedrambler@gmail.com> wrote:
> A couple days ago I discussed (in #gentoo-security) with Robert
> (rbu@g.o) a solution to the Kernel security issue. Robert has a good
> plan to keep the bugzilla data in bugzilla, that is, don't take away the
> essentials from bugzilla. And that is by implementing a tagging system
> for each bug. In the whiteboard field for each bug could go something
> like so (this is taken from our IRC convo):
>
> [linux < 2.6.22] [genpatches < 2.6.20-3] [xen-sources < 2.6.18-r2]
>
> Which would translate as kernel.org upstream released 2.6.22 with a
> fix, genpatches released 2.6.20-3 with a fix, and xen-sources released
> 2.6.18-r2 with the patch applied.
>
> A tool could then be written to parse the bugzilla entries and
> generate reports. Then when all the sources have been patched a GLSA
> can be released.
>
> I like this idea because all the data stays in bugzilla, so you can go
> to bugzilla and get all the information you need about each bug.
>
> I don't see why this tool cannot be available for users too, in the
> same form that KISS was. I came across these screenshots:
> http://dev.gentoo.org/~dsd/misc/kiss1.jpg
> http://dev.gentoo.org/~dsd/misc/kiss2.jpg
>
> What if KISS was an external tool like shown in those pictures, but
> parsed the bugzilla entries and generated reports like I talked about
> above. Robert's whiteboard tagging system is a great one, but the
> system needs a way to view the status of all the sources together and
> individually, similarly to what is shown in those screenshots. And why
> not make this a website? A single GLSA could still be released per bug
> once all sources had been patched, but KISS could be a place for users
> to go (if they feel so inclined) to get an overall and granular status
> report of the various sources in portage.
>
> Perhaps KISS could offer an email notification option. A user could
> "subscribe" to several sources and be notified about their security
> status. The user could even specify what sort of information he
> wanted: vulnerability report, severity levels, patches released, etc.
>
> Those are just some thoughts I had. I already tossed my hat in, but
> I've got medium C experience, and I am pretty experienced with hosting
> setups and simple web development (PHP mainly). I would be willing to
> work on something like I described above: bugzilla parsing, a nice
> Web display, etc.
>
> Casey

* Re: [gentoo-security] Kernel Security + KISS
From: George Prowse @ 2008-02-21 16:22 UTC
To: gentoo-security

Eduardo Tongson wrote:
> Nice plan. I think you are more able to lead. Can we communicate more
> in email perhaps a google group or list. IRC is not efficient for
> people in different timezones.
>
> -- ed*eonsec

I agree, a list or group would be better at pooling the people at your disposal
* Re: [gentoo-security] Kernel Security + KISS
From: doppelgaenger @ 2008-02-21 19:28 UTC
To: gentoo-security

George Prowse wrote:
> I agree, a list or group would be better at pooling the people at your
> disposal

I also think it would be a good idea to set up some requirements profile so people can identify themselves in some kind of matrix?

I basically volunteer but not sure what use I could be with a background as an ISO, limited time and basic C knowledge.

--doppelgaenger
* Re: [gentoo-security] Kernel Security + KISS
From: Eduardo Tongson @ 2008-02-22 2:26 UTC
To: gentoo-security

Yes. We should each have assigned tasks which will depend on our respective skill and trait.

-- ed*eonsec

On Fri, Feb 22, 2008 at 3:28 AM, doppelgaenger <bm2600@gmail.com> wrote:
> I also think it would be a good idea to set up some requirements profile
> so people can identify them self in some kind of matrix ?
>
> I basically volunteer but not sure what use I could be with a background
> as an ISO, limited time and basic C knowledge.
>
> --doppelgaenger
* Re: [gentoo-security] Kernel Security + KISS
From: Casey Link @ 2008-02-22 3:55 UTC
To: gentoo-security

Here are some day to day duties that will need to get done. This isn't exhaustive, just the results of a few minutes of brainstorming:

* Stalking the places vulnerabilities are announced (CVE, mailing lists, etc) to create the relevant bug.
* Determine which upstream (kernel.org) version has the fix and make the whiteboard entry in bugzilla.
* Determine which sources are affected
* Nag kernel maintainers to patch their sources
* Find patches and discussion to link to the kernel maintainers to ease their patching (and ideally encourage them to patch faster)
* As sources are patched update the whiteboard
* Release glsas of unaffected packages (?)

Some framework and specification needs to be laid, but that is a general outline of the process I think. None of those duties require programming experience at all. Of course crafting patches to send to the kernel maintainers would be another helpful thing to do. Ideally this would be made pretty simple with some nifty tools, however manpower is going to be required regardless.

There are still the glaring issues of (1) the best way to notify users of vulnerabilities, and (2) how to enforce rapid-ish response by kernel maintainers. I think the best way to approach (2) is to be amicable towards the maintainers. Point them in the right direction, send them patches, etc., rather than spamming "OMG! Patch foo-sources!" every day. Maybe we could give them candy or something.

Casey

On Thu, Feb 21, 2008 at 9:26 PM, Eduardo Tongson <propolice@gmail.com> wrote:
> Yes. We should each have assigned tasks which will depend on our
> respective skill and trait.
>
> -- ed*eonsec
* Re: [gentoo-security] Kernel Security + KISS
From: Marc Riemer @ 2008-02-23 0:48 UTC
To: gentoo-security

On Thursday, 21.02.2008, 22:55 -0500, Casey Link wrote:
> vulnerabilities,
* Re: [gentoo-security] Kernel Security + KISS
From: Sune Kloppenborg Jeppesen @ 2008-02-24 13:43 UTC
To: gentoo-security

On Friday 22 February 2008 04:55:17 Casey Link wrote:
> Here are some day to day duties that will be need to get done.This
> isn't exhaustive just the results of a few minutes of brainstorming:
>
> * Stalking the places vulnerabilities are announced (CVE, mailing
> lists, etc) to create the relevant bug.

The Security team is more or less already doing this. We could quite easily start filing kernel stuff again.

> * Determine which upstream (kernel.org) version has the fix and make
> the whiteboard entry in bugzilla.
> * Determine which sources are affected
> * Nag kernel maintainers to patch their sources
> * Find patches and discussion to link to the kernel maintainers to
> ease their patching (and ideally encourage them to patch faster)
> * As sources are patched update the whiteboard
> * Release glsas of unaffected packages (?)

The GLSA format/DTD per se was deemed unfit for kernel sources. I guess you could add what is needed to the Resolution section though.

> Some framework and specification needs to be laid, but that is a
> general outline of the process I think. None of those duties require
> programming experience at all. Of course crafting patches to send to
> the kernel maintainers would be another helpful thing to do. Ideally
> this would be made pretty simple with some nifty tools, however
> manpower is going to be required regardless.
>
> There are still the glaring issues of (1) the best way to notify users
> of vulnerabilities, and (2) how to enforce rapid-ish response by
> kernel maintainers. I think the best way to approach (2) is to be
> amicable towards the maintainers. Point them in the right direction,
> send them patches, etc., rather than spamming "OMG! Patch
> foo-sources!" every day. Maybe we could give them candy or something.

I think we should try to get all security supported kernel maintainers to abide by some timetable laid down in a coming kernel security policy. If kernel maintainers don't want to do that I guess their sources should go back to unstable. Before anything is final kernel maintainers and council should be consulted.

--
Sune Kloppenborg Jeppesen
Gentoo Linux Security Team
* Re: [gentoo-security] Kernel Security + KISS
From: Marcin Dylewski @ 2008-02-21 9:30 UTC
To: gentoo-security

Hi All,

I am interested in contributing as well. Moderate C knowledge and strong linux background.

Regards,
Marcin

----- Original Message -----
From: "Arthur Bispo de Castro" <arthur@las.ic.unicamp.br>
To: <gentoo-security@lists.gentoo.org>
Sent: Thursday, February 21, 2008 8:02 AM
Subject: Re: [gentoo-security] Kernel Security + KISS

> I'm interested... little C knowledge, very curious about kernel, strong
> linux background...
>
> is there another prereq to join this?
>
> --
> Arthur Bispo de Castro
> Laboratório de Administração e Segurança (LAS/IC)
> Universidade Estadual de Campinas (UNICAMP)
* Re: [gentoo-security] Kernel Security + KISS
From: Peter Hjalmarsson @ 2008-02-21 9:54 UTC
To: gentoo-security

AFAICS the thing missing is a leader. Someone to make a starting point for the followers to make use of (not necessarily inside of gentoo, I believe it can always be integrated later if there are devs enough to pick things up and integrate), a place for him to collect and keep a list and contact with interested people (also to keep "me too"-noise from this list).

This does not even have to be an integrated gentoo solution, am I right?
Anybody having a hosting space could host a db with the information/advisories.
And the hosting one could let anyone he/she trusts write info to that db.
That db could be like "This vulnerability exists, these are the problems, these are the workarounds/patches and there are no fixed kernel versions/these kernel versions are fixed" where info could be updated as they get along.
And anybody that has the time and skill could write an application that fetches info from this db about the currently running kernel and presents the user with the text "No known vulnerabilities" or "These vulnerabilities exist" with links to the information in the db about that advisory.
This way a user can run the application, get a message, read the advisories and decide "I need to update to at least this version" or "I do not need to update".

The thing needed after that is persons to keep this db up to date and maybe bug devs to get fixed versions into portage.
But these people need a central collection point where they could "meet" and start moving things.

And anybody can bug any dev in bugzilla if a kernel is not fixed, but the chances are over-worked devs will notice and be more helpful if you are more helpful with what, when and why this kernel thing should be fixed (i.e. come well prepared).

Thu 2008-02-21 at 11:16 +0800, Eduardo Tongson wrote:
> Alright how do we proceed to get this team started.
>
> ed*eonsec
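A small checker of the shape Peter describes, added here as an example (not code from the thread or from Gentoo): one advisory record per sources package, holding the first fixed downstream version or none, and a client that maps the running kernel's `uname -r` to a package string and reports what still applies. The `KSA-EXAMPLE` ids, the URLs and the sample records are constructed, and the `uname -r` mapping assumes the Gentoo EXTRAVERSION convention (`2.6.24-gentoo-r2` for `gentoo-sources-2.6.24-r2`).

```python
# Added example, not code from the thread or from Gentoo: an advisory db of
# the shape sketched above and a client that checks the running kernel.
# Advisory layout, KSA-EXAMPLE ids and sample records are constructed.
import platform
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Package strings: "<patchset>-sources-<upstream>[-rN]"; a Gentoo-patched
# kernel reports itself via `uname -r` as "<upstream>-<patchset>[-rN]".
_PKG_RE = re.compile(r"^(?P<pkg>[a-z0-9-]+?-sources)-(?P<rest>\d[\w.-]*)$")
_VER_RE = re.compile(r"^(?P<ver>\d+(?:\.\d+)+)(?:-r(?P<rev>\d+))?$")
_UNAME_RE = re.compile(
    r"^(?P<ver>\d+(?:\.\d+)+)(?:-(?P<flavour>[a-z]+))?(?:-r(?P<rev>\d+))?$")

Version = Tuple[Tuple[int, ...], int]  # ((2, 6, 24), 2) stands for 2.6.24-r2


def parse_version(text: str) -> Version:
    """'2.6.24-r2' -> ((2, 6, 24), 2); a missing -rN is revision 0, as in
    Portage. Element-wise tuple comparison puts 2.6.24.2 after 2.6.24."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.group("ver").split(".")), int(m.group("rev") or 0)


def parse_package(name: str) -> Tuple[str, Version]:
    """'gentoo-sources-2.6.24-r2' -> ('gentoo-sources', ((2, 6, 24), 2))."""
    m = _PKG_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised kernel package: {name!r}")
    return m.group("pkg"), parse_version(m.group("rest"))


def from_uname(release: str) -> str:
    """Map `uname -r` to a package string, assuming Gentoo's convention that
    EXTRAVERSION names patchset and revision: '2.6.24-gentoo-r2' ->
    'gentoo-sources-2.6.24-r2'. A bare upstream version counts as
    vanilla-sources; an unknown suffix simply matches no record."""
    m = _UNAME_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    rev = f"-r{m.group('rev')}" if m.group("rev") else ""
    return f"{m.group('flavour') or 'vanilla'}-sources-{m.group('ver')}{rev}"


@dataclass
class Advisory:
    ident: str            # constructed placeholder, not a real advisory id
    summary: str
    url: str
    upstream_fixed: str   # kernel.org release carrying the fix
    # First fixed downstream version per sources package; None while the
    # maintainer has not patched ("there are no fixed kernel versions").
    fixed_in: Dict[str, Optional[str]]


SAMPLE_DB: List[Advisory] = [  # constructed records, reserved example domain
    Advisory("KSA-EXAMPLE-0001", "local privilege escalation (constructed)",
             "https://advisories.example/KSA-EXAMPLE-0001", "2.6.24.2",
             {"gentoo-sources": "2.6.24-r2", "hardened-sources": None}),
    Advisory("KSA-EXAMPLE-0002", "remote denial of service (constructed)",
             "https://advisories.example/KSA-EXAMPLE-0002", "2.6.23.15",
             {"gentoo-sources": "2.6.23-r8"}),
]


def affecting(package: str, db: List[Advisory]) -> List[Advisory]:
    """Advisories open for this package: it is listed and is either older
    than the first fixed version or has no fixed version at all."""
    pkg, running = parse_package(package)
    hits = []
    for adv in db:
        if pkg not in adv.fixed_in:
            continue                 # patchset not tracked: unknown, not clean
        fixed = adv.fixed_in[pkg]
        if fixed is None or running < parse_version(fixed):
            hits.append(adv)
    return hits


def report(package: str, db: List[Advisory]) -> str:
    """User-facing text: one entry per open advisory with the action the db
    allows (update to the fixed version, or wait for one) and its link."""
    hits = affecting(package, db)
    if not hits:
        return f"No known vulnerabilities for {package}"
    pkg = parse_package(package)[0]
    lines = [f"These vulnerabilities exist for {package}:"]
    for adv in hits:
        fixed = adv.fixed_in[pkg]
        action = (f"update to {pkg}-{fixed} or later" if fixed else
                  f"no fixed version in the tree yet (upstream: {adv.upstream_fixed})")
        lines.append(f"  {adv.ident}: {adv.summary}; {action}\n    {adv.url}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("gentoo-sources-2.6.24-r1", SAMPLE_DB))  # constructed kernel
    try:  # the real kernel only parses on a Gentoo-style release string
        print(report(from_uname(platform.release()), SAMPLE_DB))
    except ValueError as err:
        print(f"running kernel not checked: {err}")
```

As Calum notes earlier in the thread, the installed sources and the running kernel can differ; this client deliberately keys on `uname -r`, so it answers for the kernel actually booted.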
* Re: [gentoo-security] Kernel Security + KISS
From: Eduardo Tongson @ 2008-02-21 12:35 UTC
To: gentoo-security

If no Gentoo developer comes forward, I volunteer myself. Seems everybody is too busy and overworked to even authorize an official team. Any Gentoo developer who can share their 'a day in the life of the Gentoo Kernel Security team' experience?

-- ed*eonsec

On Thu, Feb 21, 2008 at 5:54 PM, Peter Hjalmarsson <xake@rymdraket.net> wrote:
> AFAICS the thing missing is a leader. Someone to make a starting point
> for the followers to make use of (not necessary inside of gentoo, I
> believe it can always be integrated later if there are devs enough to
> pick things up and integrate), a place for him to collect and keep list
> and contact with interested people (also to keep "me too"-noise from
> this list).
* Re: [gentoo-security] Kernel Security + KISS 2008-02-21 12:35 ` Eduardo Tongson @ 2008-02-21 13:32 ` Sune Kloppenborg Jeppesen 0 siblings, 0 replies; 28+ messages in thread From: Sune Kloppenborg Jeppesen @ 2008-02-21 13:32 UTC (permalink / raw To: gentoo-security On Thursday 21 February 2008 13:35:52 Eduardo Tongson wrote: > If no Gentoo developer comes forward, I volunteer myself. Seems > everybody is busy and overworked to even authorize an official team. > Any Gentoo developer who can share their 'a day in the life of the > Gentoo Kernel Security team' experience? For those interested try dropping by #gentoo-security on Freenode and talk to rbu, I think he's spoken with a few interested already. After Fosdem this weekend I hope to catch up a bit on the kernel situation. -- Sune Kloppenborg Jeppesen (Jaervosz) Gentoo Linux Security Team http://security.gentoo.org > > -- ed*eonsec > > On Thu, Feb 21, 2008 at 5:54 PM, Peter Hjalmarsson <xake@rymdraket.net> wrote: > > AFAICS the thing missing is a leader. Someone to make a starting point > > for the followers to make use of (not necessary inside of gentoo, I > > believe it can always be integrated later if there are devs enough to > > pick things up and integrate), a place for him to collect and keep list > > and contact with interested people (also to keep "me too"-noise from > > this list). > > > > This does not even have to be a integrated gentoo solution, am I right? > > Anybody having a hosting space could host a db with the > > information/advisories. > > And the hosting one could let anyone he/she trusts write info to that > > db. > > That db could be like "This vournable exists, these are the problems, > > these are the workarounds/patches and there are no fixed kernel > > versions/these kernel versions are fixed" where info could be updated as > > they get along. 
> > And anybody that has the time and skill could write an application that fetches info from this db about the currently running kernel and presents the user with the text "No known vulnerabilities" or "These vulnerabilities exist" with links to the information in the db about that advisory. This way a user can run the application, get a message, read the advisories and decide "I need to update to at least this version" or "I do not need to update".
> >
> > The thing needed after that is persons to keep this db up to date and maybe bug devs to get fixed versions into portage. But these people need a central collection point where they could "meet" and start moving things.
> >
> > And anybody can bug any dev in bugzilla if a kernel is not fixed, but the chances that over-worked devs will notice, and will be more helpful, are better if you are more helpful with what, when and why this kernel thing should be fixed (i.e. come well prepared).
> >
> > Thu 2008-02-21 at 11:16 +0800, Eduardo Tongson wrote:
> > > Alright, how do we proceed to get this team started?
> > >
> > > ed*eonsec
> > >
> > > On Thu, Feb 21, 2008 at 6:55 AM, Ned Ludd <solar@gentoo.org> wrote:
> > > > On Wed, 2008-02-20 at 13:59 -0500, Harlan Lieberman-Berg wrote:
> > > > > On Sunday 17 February 2008 23:12:35 Robert Buchholz wrote:
> > > > > > On Sunday, 17. February 2008, Eduardo Tongson wrote:
> > > > > > > What specific kernel knowledge is needed to get a Kernel advisory up and running?
> > > > > >
> > > > > > Between becoming aware of a vulnerability in Linux and drafting an advisory for one or all kernel sources comes the part where you review which versions of which kernel sources are affected and unaffected. You also need to pay attention to specifics of the added patchsets, which might duplicate vulnerabilities.
> > > > > >
> > > > > > Parts of the job can indeed be done without Kernel and C knowledge, but some cannot. So if we draft a new kernel security *team*, people without C and kernel knowledge are helpful -- some others need to have it, though.
> > > > > >
> > > > > > Robert
> > > > >
> > > > > To be honest, 99% of what is done in the kernel security team can be done with no C knowledge at all.
> > > > >
> > > > > I'm not an expert C person - far from it - but I eventually became the head of Kernel Security until I retired a few months ago.
> > > > >
> > > > > Most of it is bug handling. The major problem is a social, not a technical one. Because of the manner in which our kernels are organized, a single vulnerability involves checking upstream version numbers, coordinating them into our downstream version numbers for all sources, checking to see if the sources are affected, figuring out who to CC for the bugs, then harassing them until they do it.
> > > > >
> > > > > Unlike other security sources, any attempt to hardmask the package is shut down instantly. The chaos that would result from a kernel hardmask, even one of the lesser used ones, caused me to only successfully order one over my entire career in Gentoo Kernsec... even though around 30 would have been needed. It is not infrequent that bugs will last six months without any action coming about them, and users are blissfully unaware.
> > > > >
> > > > > I am happy to give my input as the former head of Kernel Security, but it is my personal opinion that any advances in kernel security will require the full cooperation of security, and letting the head of kernel security be able to actually enforce threats, as that seems to be the only way bugs ever get resolved. Pleading didn't work - I tried.
> > > > >
> > > > > -Harlan Lieberman-Berg
> > > > > Gentoo Developer Emeritus
> > > >
> > > > Every word of what you said is painfully true. The only way to accomplish this would be with an Iron Fist(fail) or a team of ~15 guys who do nothing but patch and push new kernels and the PR that goes along with them every few days.
> > > > --
> > > > Ned Ludd <solar@gentoo.org>
> > > >
> > > > --
> > > > gentoo-security@lists.gentoo.org mailing list
--
gentoo-security@lists.gentoo.org mailing list
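The checker that the quoted proposal sketches (an application that compares the currently running kernel against an advisory database and tells the user whether an update is needed) as an added example; this is not code from the thread or from any Gentoo project. It assumes a database keyed by a `<flavour>-sources` name with a first-fixed version per source; the advisory ids, URLs and versions in `SAMPLE_DB` are constructed placeholders, and the way `uname -r` strings are split into flavour, version and revision is a heuristic assumption.

```python
import os
import re
from dataclasses import dataclass


# Assumed record layout for the advisory database the proposal describes.
@dataclass
class Advisory:
    ident: str       # placeholder id, not a real advisory number
    summary: str
    url: str
    fixed_in: dict   # kernel source name -> first fixed version, e.g. "2.6.24-r2"


# Constructed sample database: identifiers, versions and URLs are placeholders.
SAMPLE_DB = [
    Advisory("KISS-SAMPLE-0001", "constructed: local privilege escalation",
             "https://example.invalid/kiss/0001",
             {"gentoo-sources": "2.6.24-r2",
              "hardened-sources": "2.6.23-r8",
              "vanilla-sources": "2.6.24.1"}),
    Advisory("KISS-SAMPLE-0002", "constructed: remote denial of service",
             "https://example.invalid/kiss/0002",
             {"gentoo-sources": "2.6.24-r4"}),
]

# Base version, optional flavour (not "rN", which is the Gentoo revision),
# optional -rN revision. Anything after that (local version) is ignored.
_RELEASE_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(?!r\d)([A-Za-z]+))?(?:-r(\d+))?")


def parse_kernel_release(release):
    """Split a `uname -r` string into (source name, base version tuple, revision).

    '2.6.24-gentoo-r3' -> ('gentoo-sources', (2, 6, 24), 3)
    '2.6.24.2'         -> ('vanilla-sources', (2, 6, 24, 2), 0)
    The '<flavour>-sources' naming is an assumption about how the database
    would key its entries.
    """
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    base = tuple(int(x) for x in m.group(1).split("."))
    flavour = m.group(2) or "vanilla"
    rev = int(m.group(3) or 0)
    return f"{flavour}-sources", base, rev


def parse_fixed_version(version):
    """'2.6.24-r2' -> ((2, 6, 24), 2); '2.6.24.1' -> ((2, 6, 24, 1), 0)."""
    _, base, rev = parse_kernel_release(version)
    return base, rev


def check_release(release, db=SAMPLE_DB):
    """Return (affected, no_data): advisories the running kernel is below the
    fix for, and advisories that carry no verdict for this kernel source."""
    source, base, rev = parse_kernel_release(release)
    running = (base, rev)   # tuple comparison handles 2.6.24 < 2.6.24.1 correctly
    affected, no_data = [], []
    for adv in db:
        fixed = adv.fixed_in.get(source)
        if fixed is None:
            no_data.append(adv)   # never report "safe" when the db has no entry
        elif running < parse_fixed_version(fixed):
            affected.append(adv)
    return affected, no_data


def report(release, db=SAMPLE_DB):
    """Human-readable verdict in the style the proposal describes."""
    affected, no_data = check_release(release, db)
    lines = [f"Running kernel: {release}"]
    if not affected:
        lines.append("No known vulnerabilities in the database for this version.")
    for adv in affected:
        lines.append(f"AFFECTED {adv.ident}: {adv.summary} ({adv.url})")
    for adv in no_data:
        lines.append(f"NO DATA  {adv.ident}: no entry for this kernel source")
    return "\n".join(lines)


if __name__ == "__main__":
    # os.uname().release is the kernel actually booted, not what portage has merged.
    print(report(os.uname().release))
```

The check reads the booted kernel from `os.uname().release` rather than the installed sources package, which is the installed-versus-running distinction raised earlier in the thread; an advisory without an entry for the running source is reported as "no data" instead of being silently counted as safe.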
* Re: [gentoo-security] Kernel Security + KISS
From: Simon Zehntner @ 2008-02-25 18:10 UTC
To: gentoo-security

security+unsubscribe@gentoo.org
--
gentoo-security@lists.gentoo.org mailing list
Thread overview: 28+ messages
2008-02-16 22:57 [gentoo-security] Kernel Security + KISS  Casey Link
2008-02-17  0:42 ` Calum
2008-02-17 17:46 ` Sune Kloppenborg Jeppesen
2008-02-17 21:43 ` Eduardo Tongson
2008-02-18  4:12 ` Robert Buchholz
2008-02-20 18:59 ` Harlan Lieberman-Berg
2008-02-20 19:28 ` C. Bergström
2008-02-20 22:55 ` Ned Ludd
2008-02-21  3:16 ` Eduardo Tongson
2008-02-21  6:05 ` Casey Link
2008-02-21  6:20 ` Juan Pablo Olivera
2008-02-21  7:02 ` Arthur Bispo de Castro
2008-02-21  9:14 ` nick loeve
2008-02-21  9:34 ` George Prowse
2008-02-21 13:09 ` Robert Joslyn
2008-02-21 13:35 ` Casey Link
2008-02-21 13:52 ` Eduardo Tongson
2008-02-21 16:22 ` George Prowse
2008-02-21 19:28 ` doppelgaenger
2008-02-22  2:26 ` Eduardo Tongson
2008-02-22  3:55 ` Casey Link
2008-02-23  0:48 ` Marc Riemer
2008-02-24 13:43 ` Sune Kloppenborg Jeppesen
2008-02-21  9:30 ` Marcin Dylewski
2008-02-21  9:54 ` Peter Hjalmarsson
2008-02-21 12:35 ` Eduardo Tongson
2008-02-21 13:32 ` Sune Kloppenborg Jeppesen
2008-02-25 18:10 ` Simon Zehntner