Linus Torvalds: 'I don't trust security people to do sane things'

The prominent Linux engineer has suggested models used to approach kernel security are entirely wrong.

Linus Torvalds has offered his thoughts on Linux security approaches, branding some security professionals as "f*cking morons" for focusing on process-killing rather than debugging.

Torvalds, the creator and principal developer of the Linux kernel, does not often pull his punches when it comes to the kernel's behaviors and security.

The engineer carried on the tradition over the weekend, as Google Pixel developer Kees Cook submitted a pull request for hardened usercopy changes for v4.15-rc1, which according to Cook, narrows areas of memory "that can be copied to/from userspace in the face of usercopy bugs by adding explicit whitelisting for slab cache regions."

"This has lived in -next for quite some time without major problems, but there were some late-discovered missing whitelists, so a fallback mode was added just to make sure we don't break anything," Cook said. "I expect to remove the fallback mode in a release or two."

In response, Torvalds said these kinds of pull requests "can be very painful" as time must be spent examining them as they touch core elements.

"When I pull 20+ other pull requests a day, I don't have _time_ to spend time on them," the engineer added. "They are scary because: they touch core stuff, [and] I don't trust security people to do sane things."

While Torvalds also cast doubt on the validity of the request, others urged for the suggestion to be considered.

This, in turn, prompted Cook to offer more information on the request, saying:

"This is why I introduced the fallback mode: with both kvm and sctp (ipv6) not noticed until late in the development cycle, I became much less satisfied it had gotten sufficient testing.

With the fallback mode, missed whitelists generate a WARN and are allowed, so this series effectively only introduces tight controls on the places where a whitelist is specifically introduced. And I went to great lengths to document each whitelist usage in the commit logs.

I would agree it would be nice to get at least a subset of this in, though. Linus, what would make you most comfortable?"

The question was not met lightly. Torvalds then made his position clear with some rather colorful language.

"So honestly, this is the kind of completely unacceptable "security person" behavior that we had with the original user access hardening too, and made that much more painful than it ever should have been," Torvalds said. "IT IS NOT ACCEPTABLE when security people set magical new rules, and then make the kernel panic when those new rules are violated."

"That is pure and utter bullsh*t," the engineer added. "We've had more than a quarter century _without_ those rules, you don't then suddenly waltz in and say "oh, everybody must do this, and if you haven't, we will kill the kernel."

The engineer continued, saying that the series was "incredibly broken" at the start, and security professionals need to realize that patches introduced for things such as hardening primarily serve as a debugging tool rather than anything else.

Should this be ignored and security developers see their hardening efforts primarily as a "let me kill the machine/process on bad behavior," Torvalds said he will "stop taking those sh*t patches" altogether.

"Some security people have scoffed at me when I say that security problems are primarily "just bugs," Torvalds added. "Those security people are f*cking morons."

The Linux kernel creator continued, suggesting that the primary focus should be on debugging and making sure that the version of the kernel released in the future is better than the one in use today.

However, in the engineer's view, the focus today is actually "let's kill things for bugs."

Torvalds said:

"The hardening efforts should instead _start_ from the standpoint of "let's warn about what looks dangerous, and maybe in a _year_ when we've warned for a long time, and we are confident that we've actually caught all the normal cases, _then_ we can start taking more drastic measures".

Stop this idiotic "kill on sight, ask questions later." Because it's wrong.

Right now, the biggest problem for me is that the whole thing makes me uncomfortable, because I think the people involved are coming from a completely unacceptable model to begin with."

Rather than retaliate in the same frustrated language, Cook acknowledged the commentary, saying that his "main flaw" was thinking that patches and changes could be fully tested during a single development series.

However, the developer said over the course of the latest cycle he realized this was a challenge, and made adjustments as a result.

"Well, I'd like to think I did learn something since I fixed up this series _before_ you yelled at me. :)," Cook concluded. "I'll make further adjustments and try again for v4.16."

No matter the language, however, it is good to see passionate people in both the Linux and security domains as a whole -- especially in a world where so many businesses consider security and user protection as an afterthought.

Previous and related coverage

    Bug bounty hunter reveals DJI SSL, firmware keys have been public for years

    Opinion: The researcher has discarded $30,000 to ensure there is full public disclosure of the drone maker's poor security and revealing how not every bug bounty hunt ends well.

    Oracle pushes emergency patch for critical Tuxedo server vulnerabilities

    Two of the vulnerabilities have achieved a rating of 10 and 9.9 in severity.

    Parity shakes up wallet audits, but funds remain frozen

    After a user accidentally stole and froze funds in over 500 wallets, a solution is yet to be found.

      Newsletters

      You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
      See All
      See All