Linus Torvalds, creator and principal developer of the Linux kernel, confessed that he doesn’t “trust security people to do sane things”, saying some security professionals are just “fcking morons.” Torvalds ranted on the Linux developers forum that security professionals concentrated on process-killing rather than debugging. This reaction came from Torvalds when Google Pixel security team developer, Kees Cook submitted a pull request for version 4.15 of the Linux Kernel. Cook said, “Please pull these hardened usercopy changes for v4.15-rc1.” “This significantly narrows the areas of memory that can be copied to/from userspace in the face of usercopy bugs by adding explicit whitelisting for slab cache regions,” he explained. “This has lived in -next for quite some time without major problems, but there were some late-discovered missing whitelists, so a fallback mode was added just to make sure we don’t break anything. I expect to remove the fallback mode in a release or two.” Torvalds reacted to this saying that these kinds of pull requests “can be very painful” as they touch core elements and time must be spent investigating them. “When I pull 20+ other pull requests a day, I don’t have time to spend time on them,” Torvalds added. “They are scary because: they touch core stuff, [and] I don’t trust security people to do sane things.” When Torvalds raised doubts over the validity of the request, others supporting Cook urged him to “please do pull a subset, even after -rc1”. This, in turn, prompted Cook to offer more information on the request, saying: “This is why I introduced the fallback mode: with both kvm and sctp (ipv6) not noticed until late in the development cycle, I became much less satisfied it had gotten sufficient testing. “With the fallback mode, missed whitelists generate a WARN and are allowed, so this series effectively only introduces tight controls on the places where a whitelist is specifically introduced. And I went to great lengths to document each whitelist usage in the commit logs. “I would agree it would be nice to get at least a subset of this in, though. Linus, what would make you most comfortable?” Torvalds then blasted on this by saying, “So honestly, this is the kind of completely unacceptable “security person” behavior that we had with the original user access hardening too, and made that much more painful than it ever should have been. IT IS NOT ACCEPTABLE when security people set magical new rules, and then make the kernel panic when those new rules are violated.” “That is pure and utter bullsht,” he added. “We’ve had more than a quarter century without those rules, you don’t then suddenly waltz in and say “oh, everybody must do this, and if you haven’t, we will kill the kernel.” “The fact that you ‘introduced the fallback mode’ late in that series just shows HOW INCREDIBLY BROKEN the series started out.” Security people need to repeat a mantra namely that “security problems are just bugs” instead of changing the way kernel behaves. “The important part about ‘just bugs’ is that you need to understand that the patches you then introduce for things like hardening are primarly [sic] for DEBUGGING,” Torvalds said. “I’m not at all interested in killing processes. The only process I’m interested in is the development process, where we find bugs and fix them. “As long as you see your hardening efforts primarily as a ‘let me kill the machine/process on bad behavior’, I will stop taking those shit patches. “Some security people have scoffed at me when I say that security problems are primarily ‘just bugs’. “Those security people are f*cking morons….If you don’t see your job as “debugging first”, I’m simply not interested.” He added that “I think the hardening project needs to really take a good look at itself in the mirror” and stop this “kill on sight, ask questions later” mentality in favor of the following approach: Let’s warn about what looks dangerous, and maybe in a year when we’ve warned for a long time, and we are confident that we’ve actually caught all the normal cases, then we can start taking more drastic measures Instead of responding in the same angry language, Cook said that “I think my main flaw in helping bring these defenses to the kernel has been thinking they can be fully tested during a single development cycle, and this mistake was made quite clear this cycle, which is why I adjusted the series like I did.” He concluded by saying “I’d like to think I did learn something, since I fixed up this series before you yelled at me. :)” “I’ll make further adjustments and try again for v4.16.” Source: The Register, ZDNet
