Google to Underwrite Contributors to Linux Security

Google and the Linux Foundation announced this week they will underwrite two full-time maintainers for Linux kernel security development.

Gustavo Silva is currently working full time on eliminating several classes of buffer overflows by transforming all instances of zero-length and one-element arrays into flexible-array members, which is the preferred and least error-prone mechanism to declare such variable-length types. He is also actively focusing on fixing bugs before they hit the mainline, while also proactively developing defense mechanisms that cut off whole classes of vulnerabilities. Silva sent his first kernel patch in 2010 and is an active member of the Kernel Self Protection Project (KSPP).
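To make the refactoring concrete, the following is an added userspace illustration (not kernel code and not Silva's patches) of the two declaration styles side by side: the legacy one-element array, whose single element and alignment padding get silently folded into `sizeof()`-based size arithmetic, versus a C99 flexible-array member, where the header size and payload offset agree and an overflow-checked size helper can be written cleanly. The struct names, the `msg_flex_size` helper and the sample payload are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Legacy pattern: a one-element array standing in for a variable-length tail.
 * sizeof() counts the one element plus any alignment padding, so
 * "sizeof(struct) + len" and "sizeof(struct) - 1 + len" recipes drift
 * from the real payload size, and the compiler cannot flag writes past
 * data[0] because the declared bound is already 1. */
struct msg_legacy {
    size_t len;
    char data[1];
};

/* Preferred pattern: flexible-array member. sizeof() covers only the header,
 * so offsetof(data) + len is exactly the bytes needed, and -Warray-bounds
 * style checks can reason about the trailing storage. */
struct msg_flex {
    size_t len;
    char data[];
};

/* Bytes sizeof() attributes to the legacy tail (element + padding). */
size_t legacy_hidden_bytes(void) {
    return sizeof(struct msg_legacy) - offsetof(struct msg_legacy, data);
}

/* Allocation size for a flexible-array message; 0 signals size_t overflow.
 * Modeled on the idea behind the kernel's struct_size() helper (constructed). */
size_t msg_flex_size(size_t len) {
    size_t hdr = offsetof(struct msg_flex, data);
    if (len > SIZE_MAX - hdr)
        return 0;
    return hdr + len;
}

/* Allocate and fill a message; NULL on overflow or allocation failure. */
struct msg_flex *msg_flex_new(const char *src, size_t len) {
    size_t total = msg_flex_size(len);
    if (total == 0)
        return NULL;
    struct msg_flex *m = malloc(total);
    if (m == NULL)
        return NULL;
    m->len = len;
    memcpy(m->data, src, len);   /* stays within the bytes just allocated */
    return m;
}
```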

Nathan Chancellor will be focused on triaging and fixing all bugs found with Clang/LLVM compilers while working on establishing continuous integration (CI) systems to support this work. He has been working on the Linux kernel for four and a half years.

Dan Lorenc, staff software engineer for Google, said Google is hopeful this effort will encourage other companies that are dependent on open source software to underwrite security researchers. The challenge, however, goes beyond simply finding individuals with Linux security expertise. Individuals have to be willing to adapt to the collaborative nature of Linux development over a period of multiple years.

Of course, individuals with enough security expertise to work on the Linux kernel are in high demand. In an ideal world, organizations would fund initiatives to groom the next generation of open source security experts early in their careers. That level of investment would also attract more security contributors looking to advance their careers.

The Open Source Security Foundation (OpenSSF) arm of the Linux Foundation and the Laboratory for Innovation Science at Harvard (LISH) recently published an open source contributor survey that, among other issues, identified a need for additional work on security in open source software. There are more than 20,000 contributors to Linux, the largest open source project there is, but few of them are 100% focused on security issues.

Of course, there's a lot of prestige associated with becoming a contributor to an open source project. Individuals who make security contributions may not always have received their fair share of acclaim. However, as security issues become a bigger concern, Lorenc said there is the potential for individuals who focus on security to become true open source heroes.

In addition, vendors such as Sysdig this week made available an open source module via the Cloud Native Computing Foundation (CNCF), another arm of the Linux Foundation, that makes it easier for security vendors to process security functions at the microkernel level within Linux.

Regardless of how security is improved, one thing is certain – no one is paying more attention to open source security issues than cybercriminals. The biggest security challenge the open source community faces is that their work is readily available for anyone to scrutinize. Unfortunately, not everyone reviewing that code has the most honorable intentions.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.