Twitter
Home Blog Page 960

Open Source Security Process Part 4: Xen Project’s Policy for Responsible Disclosure with Maximum Fairness and Transparency

By
Lars Kurth
-

Xen Project secure pandaIn part four of this four-part series, Xen Project Advisory Board Chairman Lars Kurth takes a closer look at the Xen Project’s Security Policy and its evolution from its inception in 2011 to today and what it means for IT teams. Read Part 3: Are Today’s Open Source Security Practices Robust Enough in the Cloud Era?

Before we dive into Xen Project’s security practices, it is worth noting that no users of large or small cloud providers have been put at risk from security issues related to the Xen Project since it established a security process in 2011.

A Brief History of the Xen Project’s Security Policy

The Xen Project’s policy looked pretty much like the standard open source security policy a few years ago and followed the Distro Model of Responsible Disclosure, which was introduced in part three of this series. However, the Xen Project user community forced the project to change in 2012 and into 2013. Guided by community input, the Xen Project established one of the most codified, fair, transparent and battle-hardened security processes in the industry.

Before 2011, Xen Project didn’t have an established security process, but began to adapt Debian’s approach to security issues with the exception that the Xen Project included “large service providers” on the pre-disclosure list. These were added, so service providers could plan and prepare to deploy security fixes once issues were published.

In June 2012, FreeBSD, NetBSD, Solaris, Microsoft Windows and Xen were exposed to the Intel SYSRET privilege escalation (or CVE-2012-0217). This vulnerability was discovered in the context of Xen and FreeBSD on April 9, 2012. The fix was originally scheduled to go out on May 1, but in the end was not publicly announced until June 12. The primary reason for the delay was there was severe pressure on the Xen Project to keep the bug and the fix under wraps for months.

The Xen Project resisted this pressure, but eventually had to cave in when the vendors in question successfully convinced the discoverer of CVE-2012-0217 to request a delay of its public release and transfer the handling of CVE to US-CERT. At this point, it is worthwhile reminding ourselves that vulnerability processes rely on trust between vulnerability discoverers and the open source project’s security team. If that trust is broken, fewer vulnerabilities may be reported in future.

This incident highlights one of the biggest fundamental tensions in operating vulnerability processes: balancing the needs of different stakeholders. It is also presumably the primary reason why Linus Torvalds dislikes Responsible Disclosure, which is shared by many others and has been the topic of controversy for many years.

Following CVE-2012-0217, it became clear that the Xen Project needed to adapt a new security process for virtual environments given the diverse nature of the players involved. It established a maximum SLA of 3 weeks from discovery to publication of a security issue to ensure that no undue pressure on the project could be exerted. Xen Project also embarked on a prolonged and difficult community consultation to create a more fair and balanced security process. During the consultation, it became apparent that a large section of Xen users — namely smaller cloud and service providers — felt that “a major security issue could potentially put them out of business, while larger vendors may merely suffer a damaged reputation.”

In the end, the Xen Project departed from the common approach of “minimizing the number of privileged stakeholders” at any cost. Instead, it allowed service providers of any size to join its pre-disclosure list trading off the risk of information leaks in the name of fairness.

The year of 2014 ushered in a number of major security blunders (Edward Snowden, Heartbleed, Shellshock) by big corporations and led to heightened concerns about cloud security. Although no cloud providers were put at risk from security issues related to Xen Project, it made the project aware that it needed a better way to scale the Xen Project’s security process.  

The Xen Project security process was designed before it was clear what operating an efficient security policy under heightened scrutiny would entail. For example, the Project underestimated the number of requests to join the pre-disclosure list and had difficulties verifying whether an application was valid. In addition, different vendors interpreted the text of the policy in different ways leading them to make varying assumptions on what could and could not be done with privileged information. Consequently, the project again consulted with its community, which led to further improvements to the Xen Project’s security processes.

Key Elements of the Xen Project’s Security Policy

In order to address the issues of the cloud computing environment and ensure that the Xen Project security process can scale, there are several ways that Xen Project’s security process differs from the majority of open source projects. These include:

  • For each vulnerability, Xen Project clearly states whether the security fix for the vulnerability can be deployed on public facing services before the security embargo ends.

  • There is a public application process for pre-disclosure membership based on simple criteria that are not biased toward distros or large vendors. In addition, the Xen Project publishes the companies that receive privileged security information.

  • The Xen Project frequently handles security issues for projects that it depends on and that affect its users by working closely with security teams of interfacing open source projects.

  • It pre-discloses information related to a vulnerability in cases where a fix is not available early on. This enables service providers to assess risk and plan changes to their systems.

  • Note that these cases are extremely rare – there has only been one in the history of the project.

  • It allows members of the pre-disclosure list to share issues and experiences on a dedicated secure mailing list.

  • It allows for public post-mortems of security issues on request of members of the pre-disclosure list to improve the process and operations in the future.

  • The Xen Project treats each reported vulnerability equally, regardless of severity, and keeps a central repository of historical information.

What IT Teams Can Learn From the Xen Project Journey

This security process has served the Xen Project well in many ways and core elements of it have been adopted by OpenStack and others (see the “Cloud Model of Responsible Disclosure” in part three of this series). It has led to a deeper understanding of the issues that service providers face, improved trust between Xen Project users and the community at large, and has ultimately led to better security for the Xen Project.

One critical component of building trust is transparency. The Xen Project believes that its approach to publishing vulnerability-related information and its willingness to modify security practices when issues occur, speak for themselves. However, the high level of transparency around this security process has also had costs. Understanding these trade-offs are important for IT teams when assessing a technology for security. The disadvantages of Xen Project’s approach include:

  • CVE Databases: The approach to treat each reported vulnerability equally and to assign CVEs for each vulnerability does have some disadvantages. CVE numbers are stored in searchable databases, such as NIST and CVEDETAILS, and can be a useful resource to assess a technology for security. However, vulnerability databases have to be used with utmost care to avoid drawing wrong conclusions. Primarily, because they do not provide information that makes comparing technologies possible. For example, not all projects and vendors assign CVE numbers to all discovered vulnerabilities. This can lead to the wrong impression that one product is more secure than another. Similarly some projects/products cannot be easily identified. While Xen is easily identifiable, KVM and LXC are not due to tight integration with Linux. Issues affecting them are often classified as general Linux issues.

  • Press Coverage: High levels of transparency make it easier to attack a project’s track record compared to projects that are less transparent. This has become apparent during the last few Xen Project point releases, where recent press coverage has been focused almost exclusively on security issues. In addition, almost every vulnerability we published in 2015 has become a security story, regardless of its severity and impact. Similar stories are simply not published for KVM, LXC and Linux, because it is much harder for journalists to find relevant information. However, lack of press coverage, does not mean that users of KVM, LXC and Linux are safer, it simply means that the Xen Project is more proactive, transparent and swift in resolving security issues.

Conclusion

To make it easier for IT Teams to evaluate the security of open source technologies and vulnerability management processes, the open source industry needs to establish better best practices. What the Xen Project is doing can be a great framework for other projects going forward, especially in the new cloud environment where there are more components and complexities than when we first began with Linux.

References

The following section contains some pointers to articles, which show some of the discussions leading to the latest version of the Xen Security Process in detail and may be of use to some readers.

Discussion leading to v2.0 of the Project Xen Security Process

Discussion leading to v3.0 of the Xen Security Process 

Discussion leading to v3.1 of the Xen Security Process 

Read more:

Part 3: Are Today’s Open Source Security Practices Robust Enough in the Cloud Era?

Part 2: Containers vs. Hypervisors – Protecting Your Attack Surface 

Part 1: A Cloud Security Introduction

 

Hiring Open Source Maintainers is Key to Stable Software Supply Chain

By
Brian Warner
-

This is  the 2nd and final part of a series on measuring the value of open source developers. Part 1 can be found here.

It’s been almost three years since the Open Source Group was established at Samsung. In that time we’ve grown quite a bit. Now that we’ve had some time to get our feet on the ground we’ve decided to take a look back at our impact.

Why do We Need an Open Source Group Anyways?

Samsung is on a multi-year journey to become both a better consumer of open source, and a better contributor and leader in the projects that end up in our products. The reasons for doing so are quite clear to us: While it’s easy to use code that’s made freely available, it’s risky and potentially quite expensive to rely upon it long-term, unless you are proactively working within the community.

The reason it’s potentially risky is actually the flip side of two of the biggest benefits of open source: development moves extremely fast, and a vibrant developer community leads to more diverse contributions. The result of this combination is that the APIs and the features you depend upon today could be entirely different tomorrow, depending upon the will of the contributor community.

On the surface this might sound like a bad thing for developing accurate product roadmaps, but it isn’t; this is a sign that the open source model is working as intended, and that this is probably a pretty healthy and durable community. The companies and individuals who are actively involved and making meaningful contributions to the community get to have a say in the direction of the project, whether this means long-term stable release management or dramatic short-term enhancement.

Mitigating this risk is fairly simple, and it’s the basic premise for the existence of our group. If you want the full economic and technical benefit of consuming open source, you hire people who are already influential in the projects that matter to you. You then ask them to continue doing exactly what they do: write great code, manage great releases, and contribute to the overall stability of the project. This is the single best way to ensure stability and predictability in your software supply chain.

Our Developers Provide Internal and External Open Source Leadership

Our group is largely constructed of maintainers and committers who do just this. They are active in the open source projects that have strategic importance to current or future Samsung products. After three years, we’re finding the benefits to be enormous.

Samsung open source contributions

Our group is highly productive and produces a massive amount of upstream code, given our size. When we look at Samsung’s top 30 strategic upstream open source projects[1], the overall company is responsible for almost 4% of total lines of code committed over the past 3 years, as measured by Jon Corbet and Greg K-H’s gitdm tool. These projects include Blink, BlueZ, Cairo and Cairo/GLES, EFL, Enlightenment, GStreamer, Linux, LLVM, OpenStack, Pixman, Servo, Skia, FFmpeg, U-Boot, Wayland, Weston, Webkit, Xen, and a few other minor projects.Not bad when you consider there are hundreds of other organizations participating in these projects.

Of these contributions, our small group of 18 people has contributed 41% of the lines of upstream code. This is also quite impressive considering we didn’t exist 3 years ago and that we represent less than 4% of the total number of developers from Samsung that contribute to these projects.

Samsung OSG upstream graph

Note: for the purposes of this analysis, we specifically excluded Samsung-initiated projects like Tizen and IoTivity, since we know our contributions to those are very high. That said, each of these (particularly Tizen) makes extensive use of upstream open source.

Each new member of our group brings a great deal of experience on day 1 of employment with the company. We quickly realized there is immense value in sharing this experience internally, as there may be hundreds or thousands of other engineers who rely on the same code. Internally we do a lot of consulting by teaching other Samsung employees to be better at contributing upstream themselves.

Taking this a step further, we also realize that we can never hire all of the maintainers or committers in all of the projects we want to; this is true for any company. However, we can create programs to develop future maintainers from within our own ranks, with the help and guidance of people from our team who have gone through this process.

Open Source Leadership is Immensely Valuable

Pulling it all together, the implications are very clear: If you want to protect your investment in strategic open source, you should have a dedicated team working within those open source communities. Its members need to be competent and respected outside of the company, and need to be given free rein to do their work. At the same time, you should never miss the opportunity to expose others to their talents and experience, because mentorship is how these communities can cultivate  future maintainers. Combined, these things have made a meaningful impact on the way Samsung builds software and how we work with open source.

1: Blink, BlueZ, Cairo and Cairo/GLES, EFL, Enlightenment, GStreamer, Linux, LLVM, OpenStack, Pixman, Servo, Skia, FFmpeg, U-Boot, Wayland, Weston, Webkit, and Xen, plus a few other things like xkbcommon.

This blog is re-published with permission from the Samsung Open Source Group Blog.

Linux-Based Bebop 2 Drone Pushes Safety Agenda

By
Eric Brown
-

Parrot dev kitIn San Francisco, Parrot unveiled a smaller, faster, longer lasting version of its Linux-based Bebop drone, helping to solidify its dominance in the mid-range consumer market. One of the key new features is an emergency cutoff that instantly kills the quadrotor motors when a blade hits an obstacle. The increasing focus on safety was also demonstrated this week when 3DR (Solo) and DJI (Phantom) announced similar new technology to make it easier for their customers to avoid restricted airspace (see farther below).

France-based Parrot was an early leader in consumer unmanned aerial vehicles (UAVs) with its AR.Drone quadrotors, which bridged the gap between the toy and prosumer/commercial markets. Parrot also owns a big chunk of the toy drone and robot market with products like the Rolling Spider and Jumping Sumo, as well as a newer line of Jumping, Airborne, and Hydrofoil mini-drones, selling from $145 to $220.

Like all these devices, as well as the original BeBop, which was launched in 2014, the BeBop 2 runs Parrot’s open source Linux flight stack. The BeBop replaced the AR.Drone line, but with a higher price and more powerful features that overlap slightly with prosumer, $700 to $1,400 drones like DJI’s Phantom, Yuneec’s Typhoon, and 3DR’s Solo.

The $550 Bebop 2, which ships Dec, 14, lacks many of the high-end camera, navigation, and autonomous flight capabilities of the prosumer drones. However, it does address one of the biggest drawbacks of all drones: limited flight time and safety.

The Bebop 2 is now claimed to more than double flight time to 25 minutes, according to several launch reports, including stories from Make and The Verge. The smaller, lighter (500-gram) quadcopter has been completely redesigned with fewer moving parts, greater ruggedization, and more powerful motors and wider blades that let it fly at up to a claimed 37 mph horizontally. According to CNET, Parrot claims the Bebop 2 can launch to a height of 100 meters in 18 seconds.

The new emergency cut-out feature instantly shuts off all four propeller motors if the drone encounters an object. This not only reduces the chance of injury, but also helps protect the Bebop. Other new features include an updated GPS with more precise locational capabilities.

More Bebop Features

One feature that hasn’t changed much is the BeBop’s unique, nose-mounted 14-megapixel fisheye camera. Parrot updated the video stabilization firmware, however, and added a new lens cover.

The fisheye design lets users control the camera from a mobile device, panning around within the 180° image to choose which part to record. Professional videographers will probably prefer the more flexible, hardware-stabilized camera gimbals found on prosumer drones, despite the fact that this adds to the price and weight while also reducing battery life.

For an additional $250, bringing the price to $800, you can add an updated Parrot Skycontroller. This external flight controller can extend the WiFi-controlled flight range from 300 m to 2 km compared to using the same FreeFlight app running on a mobile device.

Many of the Bebop 2’s firmware improvements will eventually be available as an update on the original Bebop, says Make. As before, the Bebop 2 is available with a Linux SDK for app development, and developers can now turn to a new Parrot for Developers website. Although the Bebop 2 lacks some of the autonomous features of higher-end drones, a new Bebop Drone Flight Plan app lets users plot a flight route on a map and precisely define parameters such as direction, altitude, speed, camera angle, and video recording.

Parrot plans to spin off its drone unit later this year as an independent subsidiary. The drone unit, which has expanded with the acquisitions of commercial drone companies like Airinov, Pix4D, and senseFly, enjoyed a 60 percent increase in revenue from 3Q 2014 to 3Q 2015, says The Verge. Parrot also makes Android-based automotive infotainment systems, Bluetooth headsets, and other devices.

Earlier this year, Parrot joined the Linux Foundation’s Dronecode project, which is aiming to unify open source drone projects and provide a common codebase to help accelerate software development. It’s unclear, however, if the Bebop 2’s stack has been in any way aligned with Dronecode.

Drone vendors get proactive on no fly zones

This week 3DR and DJI each revealed plans to make it easier for their customers to comply with FAA mandated no-fly zones in the U.S. by integrating a dynamic airspace mapping service called AirMap. In the coming weeks, 3DR will integrate AirMap software into the flight control app for its Linux-based Solo quadcopter.

AirMap compiles the latest airspace information, and displays restricted, warning and informational areas on a map, including real-time Temporary Flight Restrictions for wildfires, sporting events, and “other sensitive places,” says 3DR. Users receive a warning if the Solo enters a restricted area.

DJI calls its AirMap-based service “Geospatial Environment Online” (GEO). DJI had previously offered geofencing features to keep drones such as the Phantom out of FAA-restricted airways. GEO, which ships in December, uses AirMap to make this a more dynamic, up-to-date system. As with the 3DR service, it now restricts the airspace around sensitive locations like prisons and power plants.

One major difference between the implementations is that while 3DR only warns the user about a potential violation, DJI actually prevents a drone from flying to a restricted area. A new feature, however, lets users override the restrictions by setting up a special account with DJI and then informing the company when they go decide to go rogue. The override feature is not available for sensitive national security locations, says DJI.

“Our years of actual user experience have shown that in most instances, strict geofencing is the wrong approach for this technology, and instead we are helping operators make informed, accountable decisions,” stated Brendan Schulman, DJI VP of Policy and Legal Affairs.

The AirMap integration by 3DR and DJI is intended to prove to the FAA that self-policing can work in place of expected airspace regulations. This week, the FAA posted an update on plans announced in September to require registration of drones. The blog post assured drone owners that registration will be easy, and will not require users to pay a drone registration company to streamline registration.

Earlier this month, DJI took a step away from its proprietary development approach by announcing a $499 Manifold development computer and open SDK that runs Ubuntu on a quad-core Tegra K1. The catch is that the Manifold currently works only with DJI’s new high-end, $3,300-and-up Matrice 100 drone. However, a similar Onboard-SDK with Linux support was also released for the Phantom 3 and the $2,900-and-up Inspire.

Yuneec is also going for a more open Linux-based design. In September, Qualcomm said the maker of Typhoon drones would be one of the first companies to use Snapdragon Flight. This drone flight control reference design runs Ubuntu on a Snapdragon 801 SoC.

Microsoft Sheds Reputation as an Easy Mark for Hackers

By
The New York Times
-

Microsoft was once the epitome of everything wrong with security in technology. Its products were so infested with vulnerabilities that the company’s co-founder, Bill Gates, once ordered all of Microsoft engineers to stop writing new code for a month and focus on fixing the bugs in software they had already built.

But in recent years, Microsoft has cleaned up its act, even impressing security specialists like Mikko Hypponen, the chief research officer for F-Secure, a Finnish security company, who used to cringe at Microsoft’s practices.

Read more at the New York Times.

Finding Recent Files

By
CTSDownloads
-

Before you suggest that it is better to use a backup program like Bacula or Amanda, I shall insist that making backups from the command-line is mighty useful. In scenarios where you are running in an embedded system (Rpi, Beaglebone), or a headless server that you want to keep a minimum install footprint on, writing a just-fits backup script can often be the correct choice.

This will be the first of a series of backup articles: we will learn various aspects of the find command, and move onto ways of using rsync and find in conjunction. I’m totally sure it will be a killer trip, man. (Read the rest at Freedom Penguin)

Microsoft’s Visual Studio Code Open-Sourced

By
LWN
-

Microsoft has announced that its Visual Studio Code tool is now available under the MIT license. “Code combines the streamlined UI of a modern editor with rich code assistance and navigation, and an integrated debugging experience – without the need for a full IDE.” The code for Code can be found in its GitHub repository.

Read more at LWN

Here’s An Early Linux 4.4 Kernel Spin To Play Around With On Ubuntu

By
Phoronix
-

Now that Linux 4.4-rc1 was released this weekend as the first development release towards Linux 4.4 with its many new features, I’m onto benchmarking it at Phoronix for articles looking at the Nouveau Kepler re-clocking changes, Radeon/Intel graphics performance too, file-system tests, and more…

Read more at Phoronix

Photon Controller Goes Open Source

By
Linux Magazine
-

VMware bids for a stake in the container industry with a bold effort to integrate containers with its classic virtualization system.

Read more at Linux Magazine

Visual Studio Now Supports Debugging Linux Apps; Code Editor Now Open Source

By
ArsTechnica
-

The Visual Studio Code editor, now open source, editing TypeScript on OS X. (credit: Microsoft)

NEW YORK—Developers can now debug apps running on Linux servers or IoT devices from the comfort of Visual Studio. Microsoft today released a preview of a Visual Studio extension that adds remote debugging using GDB of Linux software.

This was one of many announcements made at Microsoft’s Connect developer event today as the company aims to give its developer platform the broadest reach it’s ever had, able to handle Android, iOS, and Linux development, alongside the more expected Azure, Office, and Windows. Visual Studio 2015 already made big strides in this direction, and Microsoft is pushing ahead to try to make Visual Studio the best development environment around.

The free and cross-platform Chromium-based code editor Visual Studio Code is being open sourced today. A new build has also been published, adding an extension mechanism to the editor. There are already some 60 extensions available, including new language support (such as Go language), richer debugging, code linters, and more.

Read 10 remaining paragraphs | Comments

Read more at Ars Technica

How To Install Microsoft Visual Studio Code on Linux

By
Vivek Gite
-

Visual Studio code (VScode) is the cross-platform Chromium-based code editor is being open sourced today by Microsoft. How do I install Microsoft Visual Studio Code on a Debian or Ubuntu or Fedora Linux desktop?

Visual Studio supports debugging Linux apps and code editor now open source by Microsoft. It is a preview (beta) version but you can test it and use it on your own Linux based desktop.

Read more…

1...959960961...10,743Page 960 of 10,743