This document discusses managing kernel vulnerabilities in the software development lifecycle. It covers choosing proper Linux kernel versions from trusted sources, maintaining kernels through upstream first methodology, hardening configurations, automated testing, vulnerability scanning, and community collaboration on security issues. The goal is to minimize risks and costs by addressing vulnerabilities early through a defined process.
Manage kernel vulnerabilities in the software development lifecycle
1. Manage Kernel Vulnerabilities in
the Software Development Lifecycle
林上智 (SZ LIN)
szlin@debian.org
Date: 12th August, 2020
2. > 80 %
> 75 % 100 %
> 95 %
img src: https://kernel.org
src: https://www.linuxfoundation.org/about/
of the top one
million domains run
with Linux
of cloud-enabled
enterprises report
using Linux as their
primary cloud
platform
of new smartphones
sold run Android,
which is based on
the Linux kernel
of the top 500
supercomputers in
the world run on
Linux
4. 4
Copyright Patent
A patent gives its owner the right to
exclude others from making, using,
selling, and importing an invention
for a limited period of time, usually
twenty years.
src: https://en.wikipedia.org/wiki/Patent
Copyright is a legal right, that grants
the creator of an original work
exclusive rights to determine whether,
and under what conditions, this
original work may be used by others
src: https://en.wikipedia.org/wiki/Copyright
5. 5
Copyright Patent
A patent gives its owner the right to
exclude others from making, using,
selling, and importing an invention
for a limited period of time, usually
twenty years.
src: https://en.wikipedia.org/wiki/Patent
Copyright is a legal right, that grants
the creator of an original work
exclusive rights to determine whether,
and under what conditions, this
original work may be used by others
src: https://en.wikipedia.org/wiki/Copyright
10. 10
User Applications
GNU/ Linux
GNU C library
Init system
User
Space
Kernel
Space
Hardware and peripheral devices
Architecture-dependent firmware
Bootloader
Kernel
System call interface
Toolchain
Root filesystem
More info: Using open source software to
build an industrial-grade embedded Linux
platform from scratch
Open Source Summit Japan, 2019 [57]
11. End of LTS
11
Linux Kernel Releases
Mainline
Stable
(linux-stable-4.4)
v4.4
Stable
(linux-stable-4.19)
6+? years
v4.5 v4.19 v5.x
EOL
v4.4.x v4.4.y v4.4.z
v4.19.a v4.19.b
img src: https://en.wikipedia.org/wiki/Linux_kernel_version_history
End of LTS
6+? years
12. 27.8
60-90 Day 66,492 3,386,347
21,074
Mainline Kernel
Release Cycle
Million Lines Files Lines of New Codes
in 2019
Different Authors
12
src: https://www.phoronix.com/scan.php?page=news_item&px=Linux-Git-Stats-EOY2019
img src: https://kernel.org
13. Supply Chain Risk Management Practices
for Federal Information Systems and
Organizations
Special Publication 800-161 [4]
SM-9: Security requirements for
externally provided components
ISA/ IEC 62443-4-1 [5] NERCCIP-010-2 [6]
Configuration Change Management and
Vulnerability Assessments
img src: https://pixabay.com/illustrations/policies-standards-compliance-4720824/
13
16. Costs to Fix Software Defects at Different Stages of SDLC [7]
1x
5x
10x
15x
30x
0
5
10
15
20
25
30
35
Requirements Gathering
and Analysis/
Architectural Design
Coding/Unit Test Integration and
Component/RAISE
System Test
Early Customer
Feedback/Beta Test
Programs
Post-product
Release
16
X is a normalized unit of cost and can be expressed terms of person-hours, dollars, etc.
19. Scope
Schedule
Resources
Good enough
principle
KISS principle
Core technology
identification
Requirements Analysis
It’s imperative to collect, analyze, identify requirements for Linux
kernel and its configuration, it also reduces the unnecessary
maintenance effort related to security. Moreover, it provides
information for us to choose proper kernel source to fulfill our
requirements.
19
20. Requirements for the Civil Infrastructure Systems [8]
Industrial
Grade
• Reliability
• Functional Safety
• Security
• Real-time capabilities
Sustainability
Security
• Security &
vunerability
managment
• Firmware updates
• Minimize risk of
regressions
This has to be achieve with …
Development time
Shorter development times for more complex system
Maintenance costs
Low maintenance costs for commonly uses software
components
Low commissioning and update costs
Development costs
Don‘t re-invent the wheel
• Product life-cycles
of 10 – 60 years
20
23. Category
Latest
version
Target Application Maintainer
Linux kernel 5.8
• Performance
• Resource Limited [9] [10]
Kernel.org
Preempt RT kernel 5.6
• Real-time
• Functional safety
• Resource Limited
Real Time Linux
collaborative project
*Real-time application [11][12]
23
*Grsecurity [13]
24. SoC Board Support Package Kernel
• Kernel version depends on SoC vendors
– Well made but not well maintained
• Contain lots of in-house patches
– Errata patches
– Specific feature patches
– …
• Different SoC might use different versions of kernel
• The lifetime is unsure
24
25. LTS: Long Term Stable Kernel [3]
Extend software uptime for stable kernel
• Only accept bug fixes and security fixes
img: https://www.kernel.org/category/releases.html
Retrieved 7th August
25
26. LTSI: Long Term Support Initiative [14]
• Linux Foundation collaborative project
– Based on LTS
– Add another chance to include further patches on top of LTS
– Auto Test framework
– Same lifetime with LTS (yearly release and 2 years life time)
26
27. CIP (Civil Infrastructure Platform) [16]
• Linux Foundation collaborative project
– Support kernel and core package
– Auto Test framework
– Maintenance period
• 10 years and more (10-20 years)
27
More info: CIP Kernel Team Activities to Accomplish Super Long Term Support
Embedded Linux Conference, 2020 [17]
28. CIP SLTS Kernel Releases
Mainline
Stable (linux-stable-4.4)
4.4
CIP SLTS 4.4 (linux-4.4.y-cip)
CIP SLTS 4.19 (linux-4.19.y-cip)
End of LTS
Stable (linux-stable-4.19)
Maintained by CIP
Maintained by
CIP Kernel
Maintainers
4.19
10 years
6 years
4 years
End of CIP SLTS
5.x
10 years
6 years
4 years
28
30. Linux Kernel Source Comparison Table
Version
Maintenance
Period
(years)
Features
Latest
Version
Supported Real-
time kernel
Maintainer
SoC
BSP kernel
? Bug fixes ? N SoC vendor kernel team
LTS
kernel
2 ~ ?
• Bug fixes
• Security fixes
5.4 N Kernel.org
LTSI kernel 2 ~ ?
• Bug fixes
• Security fixes
• Specific features
• New features
4.14 N
LTSI
(Linux Foundation Projects)
CIP
kernel
10 +
• Bug fixes
• Security fixes
• Specific features
• New features
4.19 Y
CIP
(Linux Foundation Projects)
30
31. ELISA: Safety-Critical Systems [17]
• Linux Foundation collaborative project
– Build and certify Linux-based safety-critical applications
– Define and maintain a common set of tools and processes
• SIL2LinuxMP [18] project and the Linux Foundation’s Real-Time Linux project
– IEC 61508
31
32. Year 2038 Problem [19][20]
• The time_t datatype is a data type in the ISO C library and
kernel structure defined for storing system time values.
• 32-bit system can represent dates from
Dec 13 1901
Jan 19th 2038
• It causes integer overflowing on
– 03:14:08 UTC 19 January 2038
32
33. Don’t choose rolling version
unless necessary
v4.4.1
Security fixes
Bug fixes
Upstream
rolling version
33
v4.4.2 v4.4.3
43. • The project shares its results with the upstream
• The project fulfills longer time maintenance and
security fixes
• The project develops their code very quickly
• The project faces difficulties to backport upstream
patches due to conflicts as time goes by
43
51. For Stable Kernel Maintenance
• Automated Linux Kernel Testing [22][23]
– Detect, bisect, report and fix regressions on
upstream Kernel trees before release
– Short tests on many configurations
51
img src: https://kernelci.org/
54. Reproducible Builds [25]
• Create an independently-verifiable path from source to
binary
– Ensure builds have identical results
– Act as part of a chain of trust
– Prove the source code has not been tampered/modified
54
55. Continuous Integration • Jenkins [26]
• Jenkins X [27]
Continuous Delivery/ Deployment • LAVA 2 [28]
Distributed compiler service • icecc [29]
• GOMA [30][31]
• distcc [32]
Test Case Management • Jenkins
• LAVA 2
Version Control • Git with gitlab [33]
Static Program Analysis • checkpatch.pl [34]
• sparse [35][36]
• smatch [37]
Dynamic Program Analysis • Profiling tools [38]
Vulnerability Scanning • OpenVAS [39]
• Vuls [40]
Fuzzing Testing • Syzkaller [41]
• Trinity [42]
• perf_fuzzer [43]
More info:
Building, Deploying and Testing an
Industrial Linux Platform
Open Source Summit Japan 2017 [44]
55
63. • This project tracks the status of security issues, identified by CVE ID, in
mainline, stable, and other configured branches.
Introduction to "cip-kernel-sec”
63