Self-protection is key to Linux kernel security

Finding and fixing Linux security vulnerabilities amounts to the usual whack-a-mole. The real solution is to harden the Linux kernel and let it protect itself.

Linux has quietly taken over the world. The operating system now powers the large datacenters that make all our cloud applications and services possible, along with billions of Android devices and internet-connected gadgets that comprise the internet of things (IoT). Even the systems that handle the day-to-day operations on the International Space Station run Linux.

The fact that Linux is everywhere makes kernel security the highest priority. An issue in the kernel can easily create ripples that are felt by practically everyone. Finding and fixing vulnerabilities in the kernel is only one aspect of Linux security; enabling the kernel to withstand attacks is even more vital.

"Honestly, updating is always going to lag behind," says Linux creator and pioneer Linus Torvalds. "But one of the reasons for a lot of the hardening work is to hopefully make updating less critical, in that even if there is a bug that would be a security hole, hardening efforts mitigate it to the point where it's not an acute security issue."

Beyond bug fixes

Plenty of people scrutinize Linux kernel code for security vulnerabilities and fix them. More than 200 security vulnerabilities were found in the Linux kernel in 2016, including the critical use-after-free vulnerability affecting Linux kernel versions older than 4.5.2 (CVE-2016-7117) that allowed remote attackers to execute arbitrary code without requiring authentication or any specialized tools. The January Android Security Bulletin fixed a critical buffer overflow vulnerability affecting the storage subsystem (CVE-2016-8459) in Linux Kernel 3.18 and Android, and the upcoming Linux Kernel 4.10 is expected to include more security fixes.

But squashing bugs is a losing strategy, because many of the systems running Linux may never be updated to the new kernel. Vulnerabilities fixed in the upstream kernel eventually make their way to servers and PCs because IT administrators receive the updates from distribution vendors. That still leaves out Android and IoT devices, many of which will be around for years and do not (or cannot) receive any software updates.
