In his keynote talk at LinuxConf Australia this week, Linux kernel developer Matthew Garrett argues that the software industry can help improve security at every level of the stack – and that it's possible to do so without sacrificing user freedom.
“Do not allow conversations to be about reducing user freedom in order to improve security,” he said in his concluding statements. “Challenge anyone who says this. Ensure they know it's unacceptable.”
2013 was a big year for security in the PC industry, characterized by the mass implementation of UEFI Secure Boot, the Snowden revelations, and the openSSL website security breach, said Garrett, who works for cloud computing company Nebula and implemented UEFI Secure Boot for Fedora. Each event has changed the way the software industry views security and each provides its own lessons for Linux developers and sysadmins.
The openSSL site breach was originally thought to be the first example of a hypervisor breach, Garrett said, but it turned out the website credentials were easily guessable. However, the site breach calls attention to the larger issue: the hypervisor is still a vulnerability. It's critical that cloud providers can ensure guests running on the same hardware remain fully separate and can't break through the hypervisor, he said. He called on providers to be transparent about their security implementations and for customers to demand that information from their cloud providers.
“There are some difficult questions we should be asking cloud providers and so far mostly haven't,” Garrett said.
The NSA revelations also dramatically affected how the industry views security, though perhaps not in the most productive way. Garrett implied that the magnitude and scale of the technical attacks have somewhat overwhelmed developers who don't even know where to begin improving security for their users.
The Snowden leaks led developers to realize that technical attacks that were before only theoretically possible, were already actually happening. Yet despite the mass of information leaked, we still “don't know what our attackers are capable of,” Garrett said.
He encouraged developers not to fixate on what intelligence agencies are capable of and to instead focus on smaller-scale vulnerabilities and what they can control. Script kiddies and organized criminal hackers looking for credit card numbers are still a far more common security threat, he reasoned.
“What can we do to protect users and protect the state of the art and make sure computer security is as good as it can be?” he asked.
He defended verified boot schemes as one method for protecting the software stack at its root. Vendors must also allow users to install their own OS, however. The industry, especially in the mobile segment, still has a ways to go in allowing users to replace the cryptographic key and/or the firmware, he said. Such freedom is critical to allowing experimentation and innovation in the tech industry.
UEFI Secure Boot “is one of the rare cases where I'm going to say Microsoft did the right thing for user freedom,” he said.