Re: Design
This is Linus displaying exactly the attitude that many people (me included) have been complaining about for well over a decade.
He is stuck in a 90's mindset when it comes to security.
Back then it was a common delusion that we could somehow just fix/avoid all memory corruption bugs and introducing mitigations (even from the start with the very first implementations of noexec stack, what later expanded to DEP) was seen as somehow being "impure". Most people have advanced since then, but apparently not Linus.
He has grudgingly accepted SOME mitigations due to outside pressure, but clearly he hasn't understood why they are actually needed or why lots of work remains to be done.
What others have realized is that there are always going to be bugs in this kind of software. Some of them will turn out to be exploitable security issues. Even if you somehow magically fix all of them at
some point in time, new ones are going to be introduced.
And the proper mitigations can be very, very effective at preventing exploitation. Sometimes you can kill entire bug classes. Other times it makes exploitation less reliable ( == more likely to draw attention due to stuff crashing), more complex ( == raising market prices for exploits thus reducing the amount of attackers having access to them, and making the rest less likely to risk them against all potential targets) and/or require chaining bugs and thus requiring new exploits as soon as one of them is killed.
There aren't less security issues in the Linux kernel now than say 10 years ago. This in itself should be all the evidence needed to conclude that exploit mitigations are needed.
And yes, security issues are fundamentally different than other bugs. Not only because of their potentially severe (unlimited) damage, but also because how they should be dealt with. You shouldn't just fix them and move on. You need to actually learn from the past bugs to prevent introducing similar ones in the future and find those that slip by earlier.
Now that we are living in a world where your adversary might very well be an intelligence agency with unlimited funding, and not just some random kid or criminal gang, proper software security - where exploit mitigations have an important role to play - is more important than ever.
Though, Kees Cook doesn't exactly have a stellar record when it comes to kernel security work, so I'm sure this patch is crap for other reasons...
Biting the hand that feeds IT
