Home United States USA — software The working dead: The security risk of dated Linux kernels

The working dead: The security risk of dated Linux kernels

275
0
SHARE

Linux kernel security vulnerabilities are often in the headlines. Recently it was revealed a serious kernel vulnerability remained undiscovered for over a decade. But, what does this mean in a practical sense? Why is security of the Linux kernel important? And, what effects do…
Linux kernel security vulnerabilities are often in the headlines. Recently it was revealed a serious kernel vulnerability remained undiscovered for over a decade. But, what does this mean in a practical sense? Why is security of the Linux kernel important? And, what effects do vulnerabilities have on older or obsolete kernels that are persistent in many devices?
Without doubt, Linux-based operating systems are incredibly popular: Three-quarters of IoT devices run Linux ; two-thirds of online servers ; and 70 per cent of tablets are Android (modified Linux kernel) based — Linux is everywhere!
This is partly because Linux is open source and freely available, which makes it attractive to developers who pay no licensing fees. Linux is frequently included software development kits (SDKs) by electronic-chip manufacturers. This provides developers with a reference platform to work from, and demonstrates hardware capabilities.
With a reference development platform, manufacturers can simply pick up the operating system and SDK, compile their own applications and be ready to ship new product. Unfortunately, these ready-to-go examples and operating systems are often quite old and often no longer supported.
But, why are older kernels such a problem? Who cares if your IoT toaster, or your car’s entertainment system isn’t cutting edge — right?
In a research paper from 2015 , we found that three quarters of home and small-office Internet routers were running firmware with obsolete Linux kernels. Most of these were un-patched against many vulnerabilities — that is, they were susceptible to exploitation.
So, let’s take a dive in to the basics of the Linux kernel, why it’s important, and what it does. We’ll have a look at what happens when your kernel is no longer supported, and why ageing kernels can be a serious problem for device and network security.
It’s easy to forget that fully fledged operating systems are not confined to your desktop computers and servers; operating systems are everywhere. Most of us take for granted that our car’s satellite navigation system just works, our Internet connected fridge can email us, and inflight entertainment systems don’t crash while we’re watching Keeping Up with the Kardashians.
Even though your router only has a web interface and a few blinken-lights, and your IoT children’s toy sings lullabies ( while spying on your kids ), they have many things in common. They all run an operating system, there’s a good chance those operating systems are Linux based. Nearly all of these devices can run other software applications that can do just about anything.
At the heart of your device’s operating system is the kernel. It’s the gatekeeper that controls everything. It manages hardware, user permissions, privileges, memory, software and interfaces. It’s the core of your operating system, and it’s critical that it’s secure.
The kernel is there to make things easy. It makes interactions between components more abstract, which means software developers don’t need to know about the inner workings of hardware or RAM to be able to create software that writes to a file, for example.

Continue reading...