Hidden Linux kernel security fixes spotted before release – by using developer chatter as a side channel

Boffins affiliated with BMW, Siemens, and two German universities say they can pinpoint obfuscated Linux kernel security fixes, developed in secret, before they are officially released. This is insight miscreants could use to develop and deploy exploit code before patches are widely available. What's more, the team found that …

  1. arctic_haze

    Not a new thing

    I noticed the same thing on the original Bugzilla of Firefox when they started to hide security bugs. The bugs were secret but the resultant patches could be tied to the bug numbers so it was not difficult to see what actually has been changed. This is why I actually never thought the secret bugs were a good idea.

  2. Anonymous Coward
    Paris Hilton

    I've finally worked it all out!

    This is why Microsoft constantly evolves the insanely gargantuan set of bugs found in Windows 10.

    It's a brilliant way of confusing enemies of the free world, the sort of 'bad actors' who don't want to make America Great Again©®; Windows is now so flakey and breaks in so many new, baffling and downright perverse ways, all the time, that it must be very hard for virus writers to know whether their efforts have been successful or not. Every virus introduced into a running copy of Windows actually improves the general code quality by a small, but measurable, amount.

    There's no longer any point in a Russian 16 year old genius threatening to encrypt someone's HDD unless bitcoins are forthcoming as:

    (1) The entire contents will have been already uploaded to Microsoft as 'telemetry to help us and our trusted partners make your life experience better'.

    (2) A random update of Windows 10 will probably one-way 'encrypt' the filesystem anyway. Clicking that Save icon now is the IT equivalent of sacrificing a chicken to the elder gods to make the sun rise again.

    Sources close to Microsoft have revealed to me that Microsoft's ongoing thrust to make Windows inhospitable to all forms of software life has become so advanced and optimised, that a top secret team of crack 1,500 developers have actually managed to make the Novell Netware drivers (still of course shipped with Windows 10) simultaneously self-modifying, evil and more toxic than a six week stay in Chernobyl.

    Paris, because, 'bad actor'.

  3. John Smith 19 Gold badge
    Coat

    "more toxic than a six week stay in Chernobyl."

    Actually quite pleasant at this time of year.

    And with a background radiation level below some coastal Iranian holiday resorts*

    *Yes, really.

  4. Charlie Clark Silver badge

    Is trust a problem?

    "The existence of such commits contradicts one of the key promises of an open development model."

    Not really, it just highlights a potential exploit vector. But, really, depending on inferring attack vectors from silent patches means you're behind the curve, because this is a known issue. The usual suspects – the various government agencies around the world – have far greater resources for code analysis and penetration testing for detecting (and then exploiting) unknown issues.

    My understanding is that, in general, a security relevant issue is handled by a dedicated team, which then coordinates with the main team on when and how fixes can be committed. I think silent commits stem from this approach and are there largely to avoid spreading unnecessary alarm, prior to a coordinated security release. There are good arguments for keeping everything completely open but there are also potential aspects of liability for disclosing an issue without being able to provide a solution.

    When it comes to secure development you really need a separate team that does nothing else than try and find exploits. This is the best way to deal with the risk that trusting your developers brings with it: you have to continually try to break and exploit their code.

  5. trevorde Silver badge

    Given enough eyeballs, all exploits are shallow

    1. Charlie Clark Silver badge

      I'm afraid that's wishful thinking as things like SSL have shown. Unless you're actually looking for bugs you're unlikely to find any. And, many exploits are not necessarily bugs. Or they would previously never have been considered bugs before someone worked out how to exploit the code.

      This is why security testing should be done by a separate team.

      1. Anonymous Coward

        Kinda hard when you're strapped for budget or able hands (think a team of ONE).


Biting the hand that feeds IT © 1998–2021