Self-protection is key to Linux kernel security

Finding and fixing Linux security vulnerabilities amounts to the usual whack-a-mole. The real solution is to harden the Linux kernel and let it protect itself

Self-protection is key to Linux kernel security
MasterTux (CC0)

Linux has quietly taken over the world. The operating system now powers the large datacenters that make all our cloud applications and services possible, along with billions of Android devices and internet-connected gadgets that comprise the internet of things (IoT). Even the systems that handle the day-to-day operations on the International Space Station run Linux.

The fact that Linux is everywhere makes kernel security the highest priority. An issue in the kernel can easily create ripples that are felt by practically everyone. Finding and fixing vulnerabilities in the kernel is only one aspect of Linux security; enabling the kernel to withstand attacks is even more vital.

"Honestly, updating is always going to lag behind," says Linux creator and pioneer Linus Torvalds. "But one of the reasons for a lot of the hardening work is to hopefully make updating less critical, in that even if there is a bug that would be a security hole, hardening efforts mitigate it to the point where it's not an acute security issue."

Beyond bug fixes

Plenty of people scrutinize Linux kernel code for security vulnerabilities and fix them. More than 200 security vulnerabilities were found in the Linux kernel in 2016, including the critical use-after-free vulnerability affecting Linux kernel versions older than 4.5.2 (CVE-2016-7117) that allowed remote attackers to execute arbitrary code without requiring authentication or any specialized tools. The January Android Security Bulletin fixed a critical buffer overflow vulnerability affecting the storage subsystem (CVE-2016-8459) in Linux Kernel 3.18 and Android, and the upcoming Linux Kernel 4.10 is expected to include more security fixes.

Copyright © 2017 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022