Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 518
Alerts This Week
Warning Icon 1 518

Stay Ahead With Linux Security News

Filter%20icon Refine news
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security news

We found 78 articles for you...
79

Linux Kernel Embraces Rust: Modern Security Solutions for Legacy Code

Integration of Rust into the Linux kernel marks an enormous advancement for those committed to its security and stability. Rust's inherent memory safety features offer powerful advantages that help combat common bugs like buffer overflows and use-after-free errors. These features provide greater protection from potential exploits while streamlining development efforts, helping admins more efficiently maintain secure systems. . Linux kernel maintainers and developers Greg Kroah-Hartman and Kees Cook have expressed strong backing for Rust integration, not as an attempt at revamping existing C code but instead using Rust to develop new components, increasing overall security while decreasing critical vulnerabilities. With this hybrid approach, your existing infrastructure remains strong while subsystems constructed using Rust provide superior reliability and security from day one. Let's examine how this approach will offer admins like yourself with more stable, secure, and manageable Linux environments in the future. Understanding The Security Challenges of C The Linux kernel, the cornerstone of millions of systems worldwide, has traditionally been written using the C programming language. Although C is powerful and flexible, its usage often leads to memory management errors that compromise security. Buffer overflows, use-after-free errors, and double free errors are surprisingly frequent due to manual memory management techniques employed by C programs. These vulnerabilities have serious real-world repercussions that attackers can exploit to gain unauthorized system access or for code execution. As more interconnected systems become vulnerable due to security flaws, security administrators must patch and monitor them regularly to detect exploits and prevent future ones. Rust: A Practical Solution for Memory Safety Rust was designed with safety as the primary objective and memory security at its heart. Its stringent compiler rules prohibit null pointer dereferences and doublefree while providing proper synchronization mechanisms, significantly reducing risk and helping mitigate common bugs at compile time. Greg Kroah-Hartman, one of the longstanding Linux kernel maintainers, has long championed Rust's integration. He observes that many kernel bugs result from complex quirks or edge cases in C that require tedious manual management. "Rust removes these ambiguities," says Kroah-Hartman. "It allows us to write new components without the legacy issues that have historically plagued kernel development." This means fewer vulnerabilities to worry about from the outset. Code written in Rust is inherently safer, which translates to fewer patches and less time spent on incident responses related to memory safety issues. Enhancing Development Efficiency Integration of Rust into the Linux kernel brings many benefits beyond security. Rust's stringent compile-time checks help identify errors early, improving software quality while speeding development time and simplifying maintenance costs - ultimately leading to faster production timelines and easier maintenance needs over time. This leads to more secure code and shorter production time. Kees Cook, an active participant in Linux kernel security development, elaborates further, stating, "The goal isn't to rewrite all existing C code in Rust, but to provide an option for new drivers and subsystems. We can improve security and efficiency by introducing Rust where it makes the most sense." By catching bugs early, Rust allows developers to focus on optimizing and refining their code rather than constantly fixing avoidable errors. This means more reliable updates and reduced downtime due to bugs in newly introduced code. Balancing Legacy with Innovation One of the key challenges developers face today is balancing maintaining existing C code and adopting Rust. The Linux kernel contains an immense codebase built over decades, and completely rewriting everything with Rust would be impossible and defeat its purpose altogether. Cook emphasizes the importance of developing new components using Rust while maintaining existing C code - this hybrid approach capitalizes on both languages' strengths. "We’re not throwing away what we have," Cook says. "The existing C code has been scrutinized and hardened over the years. Rust enhances our ability to tackle new challenges without introducing the old bugs." This approach offers confidence that existing systems will remain stable while benefiting from the advantages of Rust in new developments. The goal is to create a more secure and efficient kernel without disrupting the current infrastructure. Forward-Thinking Security The integration of Rust into the Linux kernel is a forward-thinking approach to security. It prepares the kernel for future challenges and complexities, ensuring new vulnerabilities don’t enter the system. This proactive stance is critical as the threat landscape continues to evolve. Kroah-Hartman captures this sentiment well: "Security is an ongoing battle. By incorporating Rust, we’re not just addressing today's issues but positioning ourselves to handle tomorrow's threats. It’s about building a resilient foundation to adapt and withstand emerging challenges." As a security admin, I find this future proofing invaluable. It means fewer reactive measures and more strategic, proactive security management. These Rust enhancements will result in a more robust kernel you can trust to handle your security requirements. Our Final Thoughts on Embracing Rust in the Linux Kernel Rust's inclusion in the Linux kernel marks an exciting turning point in its history. Memory management vulnerabilities have long plagued kernel development efforts. With built-in memory safety features and reduced likelihood of bugs introduced during development, Rust provides an effective solution that enhances its security posture from within. Greg Kroah-Hartman and Kees Cook's backing exemplifies the advantages of integration. By emphasizing new components over rewritingexisting code, the community can strike an optimal balance between innovation and legacy maintenance, keeping systems secure against future threats. As a Linux security admin, I believe that adopting Rust's integration can mean more reliable and secure systems with reduced time spent patching or responding to incidents. Rust provides the Linux kernel with an adaptive foundation capable of facing advanced and emerging threats. What is your opinion on Rust integration in the kernel? Reach out to us @lnxsec and let's have a discussion about it! . Linux kernel maintains stability and security through Rust integration, promising a more robust coding future.. integration, linux, kernel, marks, enormous, advancement, those, committed. . Brittany Day

Calendar%202 Mar 03, 2025 User Avatar Brittany Day Security Projects
209

Linus Torvalds' Critique: CPU Attacks and Hardware Design Challenges

Linus Torvalds, the creator of Linux, recently expressed his frustration about using barrier_nospec() within the copy_from_user() functionality. His main concern is the slowness of the copy_from_user() function and the overkill these barriers are perceived as being. His remarks also highlight an increasing impatience towards buggy hardware and theoretical CPU attacks, which impact the security and efficiency of the Linux operating system. . To help you understand Torvalds' recent commentary and its significance for admins like you and me, I'll explain Torvalds' criticisms in more depth, examine the relevance of these issues for admins and Linux users, and offer practical solutions for overcoming these challenges. Understanding Linus' Criticisms of barrier_nospec() Linus Torvalds described the use of barrier_nospec() as "overkill" in a recent mailing list response . He also called it "painfully slow." Performance can be affected by the introduction of Speculative Execution Barriers to mitigate Spectre-style vulnerabilities . These barriers were designed to stop speculative attacks, but they can cause latency and reduce the efficiency of kernel operations. This can result in slower system response times and lower performance for end users, especially when using high-compute environments. Torvalds appears to be particularly upset by applying mitigations without understanding their need in specific cases. Security is essential, but solutions must be proportionate to risk. This may not always apply to speculative-execution barriers. Barrier_nospec() could be applied universally to protect against some attacks, but it would come at a performance cost. Broader Frustration with Buggy Hardware & Theoretical CPU Attacks Torvalds recent outburst is not an isolated incident but rather part of a longstanding criticism of the security community and hardware manufacturers' approach to CPU vulnerabilities. Linux kernel developers often have to clean up after hardware designers. This is acritical issue. Software-layer mitigations are usually cumbersome and inefficient for silicon-level bugs. Torvalds believes this is a fundamental issue, and hardware manufacturers must take greater responsibility to ensure robust security built into their designs. Concerns include theoretical attacks, which may not always translate to real-world threats in practice but still require mitigations because of their potential impact. The Linux kernel must maintain a delicate balance between robust security and performance. Inefficient measures can cause systems to be vulnerable, and overly conservative approaches can result in significant inefficiencies. Examining the Significance of These Issues for Linux Admins These discussions are essential for Linux administrators for several reasons. The introduction of performance-degrading security measures directly impacts the end-user experience and the feasibility of running resource-intensive applications. Understanding the tradeoffs within the kernel allows admins to make informed decisions about kernel configurations and versions appropriate for specific use cases. To maintain a high level of security, admins should also be aware of the most recent kernel security discussions. Understanding the reasoning behind particular mitigations allows for a better risk assessment. This helps prioritize updates and configurations by an organization's tolerance of risk. Instability can also be caused by frequent kernel changes required to fix hardware vulnerabilities. Admins must be alert to updates and thoroughly test them in staging environments before deploying them to production systems. Practical Solutions for Overcoming These Challenges Security and performance are constantly at odds within the Linux kernel. This tension requires immediate and long-term fixes. The first approach is to apply speculative barriers selectively rather than universally. This would only be for processes handling sensitive data or systems with a higher attackrisk. Administrators can adjust kernel parameters to balance performance and security based on operational requirements. A better collaboration between the kernel development community and hardware manufacturers can result in more efficient silicon, reducing the need for mitigation software. Open-source projects that are more transparent and cooperative with manufacturers can result in more tailored and efficient mitigations. Developers can also optimize the performance impact of patches and refine speculative execution barriers to minimize overhead while maintaining their protective benefits. In this process, benchmarking and performance tests are essential. Using more sophisticated threat modeling that evaluates both theoretical attacks' feasibility and exploitability can help inform a more balanced mitigation strategy. Developers can better weigh the risks in the real world and prioritize the efforts that will provide the most significant security benefit with the most negligible performance impact. By implementing more dynamic kernel configurations, systems can adjust their security posture in real time depending on the current threat environment. This allows for stronger protections when the threat landscape is high and a relaxation of those protections when the threat level drops. Various perspectives can be gained by encouraging a more significant level of participation in kernel development discussions. This community-driven method can create effective and efficient mitigations by drawing on various areas of expertise. Our Final Thoughts on Hardware Bugs & CPU Attack Mitigations Linus Torvalds' frustrations reveal deeper systemic problems within hardware design and mitigation strategies for security. These discussions highlight the balance that must be struck between performance and security, requiring a deeper understanding of kernel configurations and updates. The Linux community can overcome these challenges by fostering better hardware and software collaboration andadopting more refined mitigation techniques. This will ensure robust security without sacrificing performance. . Linus Torvalds, creator of Linux, expresses concern over CPU vulnerabilities that threaten system integrity, forcing complex changes impacting performance and security.. Hardware Bugs, CPU Attacks, Linux Kernel, Security Measures, Performance Tuning. . Anthony Pell

Calendar%202 Oct 21, 2024 User Avatar Anthony Pell Security Trends
79

Linux Kernel 6.9: Upgrades In Security And Performance For Linux Systems

The recently released Linux Kernel 6.9 brings forth a blend of crucial upgrades and enhancements, catering to the ever-evolving needs of the Linux ecosystem. Linus Torvalds, the creator of Linux, underscores this by stating, "a more powerful arm64 machine (thanks to Ampere)," signaling promising optimizations for ARM64 architecture in this new release. . Let's delve deeper into the key highlights that make this update noteworthy for Linux admins and security practitioners. What's New in the Linux Kernel 6.9 Release? The release packs various features that add significant value to the Linux community. One striking addition is the support for AMD Preferred Core, prioritizing high-performance cores for demanding tasks. This shift aims to enhance overall system efficiency by leveraging the full potential of AMD processors. On the Intel front, notable refinements include support for the Fastboot feature on old platforms and the introduction of Intel's FRED architecture, promising improved performance for Meteor Lake chips. Furthermore, the enhancements in ARM support stand out, including Rust support for ARM64 architecture, which opens the door for Rust-based kernel codes in the future. Alongside this, the extended hardware support for various devices like MediaTek MT7981B and NXP i.MX8DXP showcases the kernel's adaptability to newer technologies. Long-Term Consequences & Considerations As we look toward the future, the broader implications of these updates on Linux security and system management are worth considering. The introduction of Rust support for ARM64 architecture might pave the way for a more secure and robust kernel structure. However, will introducing Rust-based code potentially introduce new vulnerabilities or complexities in the long run? The extended hardware support raises questions about how these diverse devices will interact with the unified kernel framework and the security implications that come with it. Linux Kernel 6.9: Our Final Thoughts The Linux Kernel 6.9release is a significant milestone that brings about essential upgrades and hints at the future direction of Linux development. With a strong focus on performance optimization, security enhancements , and extended hardware support, this release promises to catapult Linux systems to new heights. As security practitioners and sysadmins, we must stay informed , delve deeper into these changes, anticipate their impact on system security, and adapt our strategies to ensure a seamless and secure user experience. You can download Linux Kernel 6.9 here. . This release highlights essential tools for network administrators and cybersecurity professionals, enhancing efficiency and compatibility among various systems.. Linux Kernel Updates, ARM64 Improvements, Security Features, Software Enhancements. . Brittany Day

Calendar%202 Jun 03, 2024 User Avatar Brittany Day Security Projects
210

Linux Kernel Netfilter Vulnerability: CVE-2024-26925 Critical DoS Threat

A critical vulnerability was discovered in the Linux kernel's netfilter subsystem, specifically within the nf_tables component, posing potential risks to systems worldwide. The vulnerability, CVE-2024-26925 , arises from improperly releasing a mutex within the garbage collection (GC) sequence of nf_tables. It could potentially lead to race conditions and compromise the stability and security of the Linux kernel. . What Is the Impact of This Vulnerability on Linux Security? The technical details of the vulnerability and its impact on the Linux kernel's security should be highlighted. During the critical section, the commit mutex must not be released between nft_gc_seq_begin() and nft_gc_seq_end. The async GC worker could collect expired objects and get the released commit lock within the same GC sequence if this occurs. The implications of this kernel flaw are severe for systems utilizing the nf_tables for network packet filtering. Thus, admins and users should apply the latest updates to safeguard their systems. This proactive patching underscores the Linux community's commitment to security and stability and the importance of staying updated and informed on Linux security patches and best practices. For Linux admins, infosec professionals, internet security enthusiasts, and sysadmins, this vulnerability could have substantial long-term consequences for their systems and networks. It raises questions about the overall security of the Linux kernel and prompts critical analysis of the patching process and its effectiveness. However, the implications of this vulnerability extend beyond the immediate need for patching, elevating the importance of understanding and addressing potential weaknesses in open source and Linux security . This article aims to ensure that users are aware of their risks and equipped to take necessary actions to mitigate potential threats. Our Final Thoughts on This Critical Kernel Bug The critical vulnerability identified in the Linux kernel's netfiltersubsystem underscores the ongoing challenges in maintaining robust security measures for open-source software. The implications of this vulnerability on systems worldwide necessitate a heightened focus on proactive security measures, patching, and ongoing monitoring to ensure the resilience of Linux environments. This article aims to provide valuable insights and takeaways for the global community of Linux admins, infosec professionals, internet security enthusiasts, and sysadmins by emphasizing the impact of this flaw on security practitioners and offering actionable mitigation recommendations. . This critical weakness in the Linux kernel presents considerable dangers, requiring immediate response from system administrators and cybersecurity personnel.. Linux Kernel, Netfilter, Critical Risk, DoS, Security Update. . Brittany Day

Calendar%202 Apr 30, 2024 User Avatar Brittany Day Security Vulnerabilities
212

Seccomp Profiles: Improving Kubernetes Security and Protection Techniques

Seccomp , which comes from "secure computing mode," is a built-in security feature in the Linux kernel that limits the system calls a process can make. Seccomp profiles in Kubernetes help minimize attack surfaces and prevent malicious code execution. . Let's explore how Seccomp profiles can enhance Kubernetes security and how you can enable them in your Kubernetes environment. What Is Seccomp & How Does It Improve Kubernetes Security? Advancing security needs have fueled the evolution of Seccomp, a feature that has become increasingly relevant since its introduction in the Linux kernel version 2.6.12 in 2005. Today, it is used beyond just Linux and Kubernetes, including in web browsers like Chrome and Firefox. Seccomp modes include block or allow and the newer filter mode, which offers filtering and fine-tuning security policies. Seccomp profiles offer protection in two key ways: exploiting vulnerabilities or compromising the supply chain . Attackers who gain code execution within a Kubernetes workload can potentially compromise the host (or node), exposing secrets and elevating privileges. If malicious code attempts to use a system call not part of its allowed set, Seccomp profiles can effectively block it, denying attackers the ability to access the host filesystem. How Can I Enable Seccomp in Kubernetes? There are two ways to enable Seccomp profiles in Kubernetes: pre-made and custom profiles. The former is convenient but less tailored to specific needs, whereas the latter offers fine-grained security measures with more complexity to create and maintain. Linux admins, infosec professionals, internet security enthusiasts, and sysadmins looking to implement Seccomp profiles in Kubernetes need a profound understanding of the application's system call needs. Our Final Thoughts on the Security Benefits of Seccomp Using Seccomp profiles in Kubernetes environments is essential for enhancing overall security posture. For Linux admins, infosec professionals, internet securityenthusiasts, and sysadmins seeking to improve the security for Kubernetes environments, Seccomp profiles are a critical feature to consider. As the adoption of Kubernetes continues to increase, so does the need to secure Kubernetes environments and prevent malicious actors from compromising them. . Investigate the role of Seccomp profiles in bolstering Kubernetes security and discover best practices for their effective implementation in your setup.. Kubernetes Security, Seccomp Profiles, Container Security, System Call Management, Linux Security. . Brittany Day

Calendar%202 Feb 22, 2024 User Avatar Brittany Day Cloud Security
76

Linux Kernel Long-Term Support Cut to Two Years at Open Source Summit

The Open Source Summit provides an update on what's new in the Linux kernel​ and where it's going from here. . At the Open Source Summit Europe , Jonathan Corbet, Linux kernel developer and executive editor of Linux Weekly News, caught everyone up with what's new in the Linux kernel and where it's going from here. Here's one major change coming down the road: Long-term support (LTS) for Linux kernels is being reduced from six to two years. Currently, there are six LTS Linux kernels -- 6.1, 5.15, 5.10, 5.4, 4.19, and 4.14. Under the process to date, 4.14 would roll off in January 2024, and another kernel would be added. Going forward, though, when the 4.14 kernel and the next two drop off, they won't be replaced. . During the Software Freedom Conference in Berlin, Linus Torvalds highlights significant advancements in the Python programming language and its growth trajectories.. Linux Kernel Support, Long Term Support, Open Source Development. . Brittany Day

Calendar%202 Sep 21, 2023 User Avatar Brittany Day Organizations/Events
74

TCP-AO Support Nears Completion in Linux Kernel for Improved Security

One of the new Linux networking features we've been looking forward to seeing in the kernel is TCP Authentication Option (TCP-AO / RFC5925) as a means of improving TCP security and authenticity. The eleventh iteration of the TCP-AO patches were posted today for the Linux kernel with it looking like work on this network addition potentially wrapping up soon. . TCP-AO is an upgrade over the existing TCP-MD5 spec for allowing stronger authentication algorithms, improved key management, design considerations for long-lived TCP connections, and related enhancements. There's been a number of Linux networking subsystem developers working on the TCP-AO support, which is some five thousand lines of new core networking code in the kernel. The v11 patches posted overnight address the last three items brought up during the prior round of code review from mid-August. The link for this article located at Phoronix is no longer available. . TCP-AO boosts security for TCP by implementing advanced authentication methods and refining key management processes within the Linux kernel.. TCP Authentication Option, TCP Security, Linux Networking, Authentication Algorithm, Key Management. . Brittany Day

Calendar%202 Sep 12, 2023 User Avatar Brittany Day Network Security
79

Linux 6.5-rc2: Assembly Rewrite Tackles Control Flow Integrity Flaws

Ahead of the Linux 6.5-rc2 release tomorrow there was a set of x86/x86_64 kernel changes merged overnight to deal with some weaknesses in the kernel's Control Flow Integrity (kCFI) / FineIBT (Indirect Branch Tracking) code. . Going back to the Linux 6.1 days there has been the kernel Control Flow Integrity code in good shape as a replacement to prior CFI code. Since Linux 6.2 has also been FineIBT as an alternative CFI scheme that uses the compiler-provided kCFI paired with hardware Control-Flow Integrity provided by Intel's Indirect Branch Tracking. These efforts are to thwart control-flow hijacking attacks on the kernel but recently some weaknesses were discovered in the kernel's code. Merged overnight is new code to deal with those weaknesses and part of resolving the weaknesses are rewriting some of the Assembly code into C. The link for this article located at Phoronix is no longer available. . Recent updates to the kernel target vulnerabilities in Control Flow Integrity, enhancing protection against potential threats.. Control Flow Integrity, Linux Kernel Security, Assembly Code Rewrite, Cyber Defense Strategies. . LinuxSecurity.com Team

Calendar%202 Jul 17, 2023 User Avatar LinuxSecurity.com Team Security Projects
News Add Esm H340

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200