LINUX FOUNDER Linus Torvalds has slammed a Google security expert’s “bullshit” approach to cyber security during a recent discussion.
The Finnish-American software developer, who took part in a talk about new whitelisting features destined for Linux, disapproved of the approaches of many security bods.
In particular, he criticized the work of Kees Cook, who’s a member of Google Pixel’s security team. Torvalds has previously branded him as idiotic.
As The Register reports, Cook recently wrote a request to pull hardened usercopy changes for v4.15-rc1, saying: “Please pull these hardened usercopy changes for v4.15-rc1.
“This significantly narrows the areas of memory that can be copied to/from userspace in the face of usercopy bugs by adding explicit whitelisting for slab cache regions,” he said in the posting.
“This has lived in -next for quite some time without major problems, but there were some late-discovered missing whitelists.
“So a fallback mode was added just to make sure we don’t break anything. I expect to remove the fallback mode in a release or two.”
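Cook’s description of whitelisting slab cache regions and of the fallback mode, modelled as an added C example that is not kernel code and not from this article: a cache declares the one region of its objects that may be copied to or from user space, a checker rejects copies that reach outside it, and the fallback flag turns that rejection into a logged warning. All names (cache_model, check_usercopy, demo_cache) and the 64-byte sample layout are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model of a slab cache with a usercopy whitelist: only the bytes
 * in [useroffset, useroffset + usersize) of an object may cross to/from user
 * space. All names here are hypothetical, not the kernel's own APIs. */
struct cache_model {
    const char *name;
    size_t object_size;  /* size of each object in the cache */
    size_t useroffset;   /* start of the whitelisted region */
    size_t usersize;     /* length of that region; 0 = nothing allowed */
};

enum usercopy_result { USERCOPY_OK, USERCOPY_WARNED, USERCOPY_REJECTED };

/* Validate a copy of `len` bytes at `offset` inside one object. Strict mode
 * rejects any byte outside the whitelist; fallback mode logs the violation
 * and allows it, but a copy that leaves the object is always rejected. */
enum usercopy_result check_usercopy(const struct cache_model *c,
                                    size_t offset, size_t len, bool fallback)
{
    /* Overflow-safe object bounds check (fails even in fallback mode). */
    if (offset > c->object_size || len > c->object_size - offset)
        return USERCOPY_REJECTED;
    /* Whitelist check: [offset, offset+len) must sit inside the region. */
    if (c->usersize != 0 && offset >= c->useroffset) {
        size_t rel = offset - c->useroffset;
        if (rel <= c->usersize && len <= c->usersize - rel)
            return USERCOPY_OK;
    }
    if (fallback) {
        fprintf(stderr, "usercopy: %s: [%zu,%zu) outside whitelist [%zu,%zu), "
                "allowed by fallback\n", c->name, offset, offset + len,
                c->useroffset, c->useroffset + c->usersize);
        return USERCOPY_WARNED;
    }
    return USERCOPY_REJECTED;
}

/* Constructed sample: 64-byte objects, only bytes 16..47 visible to user space. */
static const struct cache_model demo_cache = { "demo_cache", 64, 16, 32 };

int main(void)
{
    /* Inside the whitelist; into the hidden header; past the object end. */
    printf("%d %d %d\n", check_usercopy(&demo_cache, 16, 32, false),
           check_usercopy(&demo_cache, 0, 8, true),
           check_usercopy(&demo_cache, 60, 8, true));
    return 0;
}
```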
Torvalds, naturally, wasn’t too happy about Cook’s post. In fact, he doubted that the points Cook raised were actually useful. He responded by saying: “This merge window is not going to be one where I can take a leisurely look at something like this.”
With the support of the likes of Paolo Bonzini, Cook attempted to explain his stance on the code and counter Torvalds’ concerns.
He continued: “This is why I introduced the fallback mode: with both kvm and sctp (ipv6) not noticed until late in the development cycle, I became much less satisfied it had gotten sufficient testing.”
Torvalds was far from satisfied with what Cook had to say, saying: “So honestly, this is the kind of completely unacceptable ‘security person’ behavior that we had with the original user access hardening too, and made that much more painful than it ever should have been.
“It is not acceptable when security people set magical new rules, and then make the kernel panic when those new rules are violated.”
His approach to security is completely different from Cook’s: he believes that security problems are just bugs, and he doesn’t believe in changing the kernel completely.
He said: “That is pure and utter bullshit. We’ve had more than a quarter century _without_ those rules, you don’t then suddenly walz [sic] in and say ‘oh, everbody [sic] must do this, and if you haven’t, we will kill the kernel’.”
“The fact that you ‘introduced the fallback mode’ late in that series just shows how incredibly broken the series started out.”
He added: “The important part about ‘just bugs’ is that you need to understand that the patches you then introduce for things like hardening are primarily for debugging.”
“I’m not at all interested in killing processes. The only process I’m interested in is the _development_ process, where we find bugs and fix them.”
“As long as you see your hardening efforts primarily as a ‘let me kill the machine/process on bad behaviour’, I will stop taking those shit patches.”
“Some security people have scoffed at me when I say that security problems are primarily ‘just bugs’. Those security people are f*cking morons.”
Torvalds has become synonymous with his expletive-filled rants. Last year, he launched a foul-mouthed rant at a contributor over a piece of code with which he fundamentally disagreed.
Source: Inquirer