8 Linux Security Improvements In 8 Years - InformationWeek


Software // Enterprise Applications | News
5/6/2015 06:06 AM
Charles Babcock

8 Linux Security Improvements In 8 Years

Linux started getting really serious about security in 2007, and it has made big strides in the past three years. As open source code faces more threats, Linux can't rest on its laurels.
2 of 10

Coverity Code Scan
Andrew Morton wasn't the only one concerned about defects creeping into open source code widely used on the Internet. The Department of Homeland Security, smelling trouble in the loosely supervised spread of open source code, issued a large contract in 2006 to a group in the Computer Science Laboratory at Stanford University. It was their job to produce an automated code-checking system that could scan the C, C++, C#, and Java code in many open source code projects. A firm called Coverity was formed to capitalize on the code analysis service that resulted, looking to make a business out of scanning commercial and open source code after the DHS contract ran out. 

The project produced the Coverity Static Analysis Verification Engine (SAVE). The online service could be loaded with a project's latest build in order to perform a static analysis, meaning the code is not running. Its lines would be examined one by one, and code paths analyzed with the target system at rest. By running many tests of different variables passing through the system, the engine could spot buffer overflows, broken authentication, cross-site scripting, code injection opportunities, and other vulnerabilities that a malicious hacker might take advantage of. 

The scanning system was slow to build credibility and catch on with independent-minded open source code projects. It would be several years before the Linux project embraced Coverity scans, but once it did, the payoff proved dramatic.

Pictured above is an example of what developer Steve French sees when he logs into his account at Coverity and inspects the Linux scan report. (Image: Steve French)
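To make concrete what "static analysis" means in the paragraphs above, here is a toy checker added for this article; it is not Coverity's SAVE engine or any code from the page. It reads a constructed C sample (also made up here) line by line, never compiling or running it, remembers the sizes of fixed-length `char` buffers it sees declared, and then flags two of the defect classes the article names: unbounded copies into those buffers (`strcpy`, `strcat`, `sprintf`, `gets`) and `printf`-family calls whose format argument is not a string literal. The regexes, the `FORMAT_ARG_INDEX` table and the `Finding` type are all simplifications chosen for the example; a production analyzer tracks data flow across functions rather than matching patterns on single lines.

```python
"""Toy line-by-line static checker for C source (illustration only, not Coverity SAVE)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample C file (not from the article): two unsafe copies, one unsafe
# format call, and two safe lines that the checker must leave alone.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>

void greet(const char *name, const char *fmt) {
    char buf[16];
    char other[64];
    strcpy(buf, name);                          /* unbounded copy into 16 bytes */
    snprintf(other, sizeof other, "%s", name);  /* bounded copy: fine */
    printf(fmt);                                /* caller-controlled format */
    printf("%s\n", buf);                        /* literal format: fine */
    gets(buf);                                  /* no length limit exists */
}
'''


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


# Fixed-size character buffer declarations such as `char buf[16];`
BUF_DECL = re.compile(r'\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]')
# Copy/read functions that accept no destination length at all.
UNBOUNDED_COPY = re.compile(r'\b(strcpy|strcat|sprintf|gets)\s*\(')
# Functions whose format argument must be a literal, and which argument that is.
FORMAT_ARG_INDEX = {'printf': 0, 'fprintf': 1, 'syslog': 1}
FORMAT_CALL = re.compile(r'\b(printf|fprintf|syslog)\s*\(')


def call_args(code: str, start: int) -> List[str]:
    """Split the argument list beginning at `start` (just past the opening paren)
    on top-level commas, stopping at the matching closing paren."""
    depth, current, args = 0, [], []
    for ch in code[start:]:
        if ch == ')' and depth == 0:
            break
        if ch == ',' and depth == 0:
            args.append(''.join(current).strip())
            current = []
            continue
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
        current.append(ch)
    tail = ''.join(current).strip()
    if tail:
        args.append(tail)
    return args


def scan_c_source(src: str) -> List[Finding]:
    """Examine each line at rest: record declared buffer sizes, then flag sinks."""
    findings: List[Finding] = []
    buffers: Dict[str, int] = {}
    for lineno, line in enumerate(src.splitlines(), start=1):
        code = line.split('/*')[0]  # ignore trailing comments
        for m in BUF_DECL.finditer(code):
            buffers[m.group(1)] = int(m.group(2))
        for m in UNBOUNDED_COPY.finditer(code):
            func = m.group(1)
            args = call_args(code, m.end())
            dest = args[0] if args else '?'
            if func == 'gets':
                detail = f'gets() into {dest}: the read cannot be bounded'
            elif dest in buffers:
                detail = f'{func}() into {dest}[{buffers[dest]}] with no length bound'
            else:
                continue  # destination size unknown on this line; a real tool tracks it
            findings.append(Finding(lineno, 'buffer-overflow', detail))
        for m in FORMAT_CALL.finditer(code):
            func = m.group(1)
            args = call_args(code, m.end())
            idx = FORMAT_ARG_INDEX[func]
            if len(args) > idx and not args[idx].startswith('"'):
                findings.append(Finding(lineno, 'format-string',
                                        f'{func}() format argument {args[idx]} is not a literal'))
    return findings


def report(src: str) -> List[str]:
    """One human-readable line per finding, in source order."""
    return [f'line {f.line}: {f.kind}: {f.detail}' for f in scan_c_source(src)]


if __name__ == '__main__':
    for entry in report(SAMPLE_C):
        print(entry)
```

Run against the constructed sample, the checker reports the `strcpy` on line 8, the `printf(fmt)` on line 10 and the `gets` on line 12, and stays quiet on the bounded `snprintf` and the literal-format `printf`. The point the article makes about scanning "with the target system at rest" is visible here: the analysis happens with no input ever passed through `greet()`.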

Comments
Ashu001, User Rank: Ninja
6/8/2015 | 11:16:06 AM
Re: Open Source is Superior
Asksqn,

This is not meant to be a defense for Proprietary code, but don't you feel we have had more than our fair share of Vulnerabilities in Open Source environments in the last year or so [Shellshock, Bash vulnerabilities, etc.]?

The Big problem that Open Source has is lack of enthusiasts with Financial Staying power.

Even great programs like TOR & Veracrypt have seen cutbacks (or abandonment of Support).

Why is that the case?

Not really surprising.

Everyone wants to use Open Source (and rave about it) but not many folks want to contribute(financially) to it.

I am reminded of the case of that German Developer who was so close to quitting entire Development of something as important as Encryption for Email because he had no Funds to spare (Werner Koch, behind GNU Privacy Guard): www.propublica.org/article/the-worlds-email-encryption-software-relies-on-one-guy-who-is-going-broke

How does one deal with that situation?

This Gentleman got lucky thanks to that propublica article, and he managed to raise the funds he needs to keep the Project going at least for the next 5 years.

What about many other projects which are again manned by just one or two folks?

No easy answers unfortunately.

At least the cash-rich companies have funds to throw developers and other resources at their Security Bugs.


Regards

Ashish.


Ashu001, User Rank: Ninja
6/8/2015 | 10:54:50 AM
Re: Path to security starts in development
Charlie,

I am not surprised a bit that these are the primary issues discovered in Linux Security Audits.

Why is that?

If one looks at basic software in General and especially Coding Best Practices Lists (from OWASP, SANS, etc.), these are all among the Top 10 Vulnerabilities discovered every year.

Guessing that more and more automation in Coding Best Practices will reduce these errors?


Ashu001, User Rank: Ninja
6/6/2015 | 11:48:08 AM
Re: More Simple, More Secure
Christian,

Great-Great point!

Kernel bloat has been the topic of many a paper and article and the simple truth is that simplicity lends to security in terms of manageable code.

That is as good a statement as I could have said (and in as simple a fashion as one could put it).


The more complex code becomes the more chances of error creeping in.

This is also why Apple is moving away from Objective C and towards Swift today.

Open source has enormous fans and traction; we just need to keep supporting it going ahead.

Regards

Ashish.


Charlie Babcock, User Rank: Author
5/8/2015 | 8:41:53 PM
Julia Lawall and other names you don't hear every day
The Coccinelle scanning tool "is currently maintained mostly by myself and Sebastien Hinderer," writes Julia Lawall, its principal author, "with some contributions from Nicolas Palix, Iago Abal, Chi Pham. Several other people have worked on it at various times over the years."

RetiredUser, User Rank: Strategist
5/7/2015 | 4:24:57 AM
More Simple, More Secure
This is a great reminder of not only the importance of integrating solid development practices no matter how mature your project is, but also that open source code (or "free" as in freedom) has benefits far beyond simply being free. With deep insight into kernel internals, for instance, the entire kernel hacking community have access to code, scanning results, and developer knowledge lending to important security and functional bug fixes.

However, it is also a lesson in bloat. More and more I'm building my kernel with a stripped down footprint, not only choosing Linux-libre over the mainline code that contains non-free "blobs" which could contain security issues that can't easily be fixed because they are closed source objects, but also longing for a more micro-kernel-like build. Kernel bloat has been the topic of many a paper and article and the simple truth is that simplicity lends to security in terms of manageable code.

That said, I have watched the development of Linux since the early days (I'm practically a gray-beard) and it is one of the most impressive projects out there, with lots of strong personalities but with a drive to make sure users continue to have a free kernel that gives people what they need.

Great article for reminding everyone why we love Linux.


Charlie Babcock, User Rank: Author
5/6/2015 | 5:24:51 PM
Path to security starts in development
Buffer overflows, integer overflows and format string errors are among the top problems buried in Linux code. "The road to application quality and security starts in development," wrote Zack Samocha, senior director of products at Coverity, in the Coverity Security Spotlight Report on Open Source in 2013.

asksqn, User Rank: Ninja
5/6/2015 | 1:27:14 PM
Open Source is Superior
>>Coverity isn't allowed to release the results of its tests of commercial code[...] <<

Thereby demonstrating why Open Source will always be superior. Meanwhile, Oracle/SAP et al. would rather keep its flaws a big "trade" secret rather than fix security bugs. It's standard operating procedure for commercial vendors to shoot the messenger rather than deal with bugs. And the consumer gets charged for this "service." Open Source clearly provides more bang for the buck, and you can't get any better than FREE.