Google’s open-source security team has claimed that the Linux kernel code is not good enough, with almost 100 new fixes landing every week, and that at least 100 more engineers are needed to work on it.
Kees Cook, a Google software engineer who has devoted much of his time to Linux kernel security features, posted an article on persistent issues in the kernel that he says are not being sufficiently addressed.
“The stable kernel versions (‘bug fixes only’) each contain almost 100 new fixes per week,” he said. This puts pressure on Linux vendors, including those who support the myriad products that run Linux, to “ignore all patches, select only” important “patches, or face the daunting task of taking it all,” he said.
Cook blames the C programming language for part of the problem. “With Linux written in C, it will continue to have a long tail of associated problems,” he said. He added that the MITRE Common Vulnerabilities and Exposures (CVE) list, used by professionals to assess the importance of bugs, is not adequate because “not all security vulnerabilities have CVEs assigned, nor are they timely.”
The only solution is to keep updating to the latest release of the stable series in use, but Cook said that “performing continuous kernel updates … is meeting enormous resistance within an organization due to fear of regressions – will the update break the product?” Another problem is that many vendors are using old kernels and backporting the patches, which means redundant work, because multiple engineers from different companies end up solving the same problem.
Cook points to Google’s fuzzing tool, Syzkaller, which currently reports nearly 1,000 possible issues in the Linux kernel: around 400 per year are fixed, he said, but the backlog grows by about 100 per year as new ones are found.
Google’s fuzzing tool finds growing number of potential bugs in Linux kernel
What is the solution? Cook has a number of proposals, including moving away from the email-only workflow used for Linux development, introducing more automated testing and fuzzing, continuous integration, and other steps to make the development process “more efficient”. Currently, too much kernel testing happens after a release has shipped, he said.
Cook also proposed improving the Linux toolchain, including making sure that “Linux can be written in memory safe languages like Rust”.
According to Cook, “based on our most conservative estimates, the Linux kernel and its toolchains are currently under-invested by at least 100 engineers.” He suggested that companies move in-house engineers working on kernel code and security to work on the upstream kernel instead. “It is the only solution that will ensure a safety balance at a reasonable cost in the long run.”
Reasonable cost in the long run? Linux, a free operating system, largely powers many of the world’s most profitable companies, including Google, whose parent company Alphabet reported operating income of $19.36 billion for its latest quarter, ending June 30. The company could employ an additional 100 Linux security engineers without batting an eyelid, as could Amazon, which also runs primarily on Linux and reported revenue of $113.1 billion for its last quarter.
In February this year, Google announced that it was sponsoring two full-time developers to work on upstream kernel security. ®