Posts

This week in open source news, Automotive Grade Linux is evidence of the auto industry merging with tech entirely, Hitachi steps up its open source game, and more! Read on to catch up on this busy week in OSS tech news. 

1) “Whether the car companies like it or not their industry is becoming a tech industry” writes Rob Enderle in a summary of a recent meeting with Dan Cauchy of Automotive Grade Linux.

Why Car Companies Need to Become Tech Companies – CIO

2) Hitachi increases its Linux Foundation participation. The company is also a member of many of the foundation’s projects including Automotive Grade Linux, Civil Infrastructure Platform, Cloud Foundry Foundation, Core Infrastructure Initiative, Hyperledger, and OpenDaylight.

Hitachi Steps Up Open Source Game With Linux Foundation – Data Economy

3) “Microsoft Azure customers looking for another Linux operating system (OS) option for their cloud workloads have another alternative to weigh this week.”

Intel’s Cloud-Friendly Clear Linux Hits Microsoft Azure – eWeek

4) Arpit Joshipura, the new general manager for networking and orchestration at The Linux Foundation, discusses where OSS networking needs to be taken.

Q&A with Arpit Joshipura, Head of Networking for The Linux Foundation – SDxCentral

This week in Linux and open source headlines, Canonical’s Mark Shuttleworth opens up about spawning new opportunities with the interoperability of various areas of OSS, Steven J. Vaughan-Nichols urges the Linux community to roll up their sleeves in 2017, and more! Read on to stay on the forefront of open source news:

1) “When sensors, data, machine learning and the cloud collide, new kinds of opportunity can emerge.”

Open Source Pioneer Mark Shuttleworth Says Smart “Edge” Devices Spawn Business Models – The Wall Street Journal

2) Linux turned 25 last year, but that doesn’t mean OSS is done proving itself.

Linux 2017: With Great Power Comes Great Responsibility – ZDNet

3) “Endless is launching its first products designed specifically for the United States.”

Endless Introduces Linux Mini Desktop PCs for American Market – Liliputing

4) The Linux Foundation’s Hyperledger Project has formed a new working group to reach out to Chinese members, which make up over a quarter of their base.

Hyperledger Blockchain Project Announces ‘Technical Working Group China’ Following Strong Interest – Cryptocoins News

5) “AT&T is an open-source software company now — I just have to pinch myself,” said Jim Zemlin at CES.

The Linux Foundation is Still Adjusting to AT&T’s Embrace of Open Source – GeekWire

This week in Linux and OSS news, Microsoft joins the Linux Foundation as a Platinum Member, a powerful move that signifies its commitment to open source; 498 out of 500 supercomputers run Linux; and more! This week was a big one for open source. Make sure you’re caught up with our weekly digest.

1) Microsoft has joined The Linux Foundation as a Platinum Member, ushering in a new era of open source community building.

Microsoft Goes Linux Platinum, Welcomes Google To .NET Foundation – Forbes

Microsoft—Yes, Microsoft—Joins The Linux Foundation – Ars Technica

2) “With 498 out of 500 supercomputers running Linux, it is evident that this operating system provides the capability and security such machines direly need.”

Nearly Every Top 500 Supercomputer Runs On Linux – The Merkle

3) The Core Infrastructure Initiative renews financial support for The Reproducible Builds Project, which ensures binaries produced from open source software projects are tamper-free.

Linux Foundation Doubles Down on Support for Tamper-Free Software – InfoWorld

4) Beyond its cost-effectiveness, officials around the world view open source as a means of speeding up innovation in the public sector.

Open Source in Government IT: It’s About Savings But That’s Not the Whole Story – ZDNet

5) Enter key vulnerability reveals “major Linux security hole gaps.”

Press the Enter Key For 70 Seconds To Bypass Linux Disk Encryption Authentication – TechWorm

This week in Linux and open source news, R3 has made its blockchain platform’s code public, a newly identified vulnerability threatens Android phones, and more! Keep your finger on the pulse of OSS with this weekly digest.

1) Corda’s code will be contributed to the Hyperledger Project.

R3 Blockchain Code Goes Open Source – Banking Technology

2) Rowhammer attack targets an Android phone’s dynamic random access memory.

Elegant Physics (and Some Down and Dirty Linux Tricks) Threaten Android Phones – WIRED

3) “SUSE announces plans for server and storage versions of Linux supporting 64-bit ARM SoCs.”

SUSE Preps Linux for ARM Servers – EE Times

4) Dirty COW: A nine-year-old bug in the Linux kernel has been recently revealed.

“Dirty COW” Is The Most Dangerous Linux Privilege-Escalation Bug Ever, Experts Say – FOSSbytes

5) “The same internal, deep learning tools that Microsoft engineers used to build its human-like speech recognition engine, as well as consumer products like Skype Translator and Cortana, are now available for public use.”

Microsoft makes its deep learning tools available to all – Engadget

“Dirty COW” is a serious Linux kernel vulnerability that was recently discovered to have been lurking in the code for more than nine years. It is pretty much guaranteed that if you’re using any version of Linux or Android released in the past decade, you’re vulnerable. But what is this vulnerability, exactly, and how does it work? To understand this, it’s helpful to illustrate it using a popular tourist scam.

The con

Have you ever played the game of shells? It’s traditionally played with a pea and three walnut shells — hence the name — and it is found on touristy street corners all over the world. Besides the shells themselves, it also involves the gullible “mark” (that’s you), the con artist (that’s the person moving the shells), and, invariably, one or several scammer’s assistants in the crowd pretending to be fellow tourists. At first, the accomplices “bait” the crowd by winning many bets in a row, so you assume the game is pretty easy to win — after all, you can clearly see the ball move from shell to shell, and it’s always revealed right where you thought it would be.

So, you step forward, win a few rounds, and then decide to go for a big bet, usually goaded by the scammers. At just the right time you’re momentarily distracted by the scammer’s assistants, causing you to look away for a mere fraction of a second — but that’s enough for the scammer to palm the pea or quickly move it to another shell. When you call your bet, the empty shell is triumphantly revealed and you walk away relieved of your cash.

The race

In computing terms, you just experienced a “race condition.” You saw the ball go under a specific shell (checked for required condition), and therefore that’s the one you pointed at (performed the action). However, unknown to you, between the check and the action the situation has changed, causing the initial condition to no longer be true. In real life, you were probably only out of a couple of hundred bucks, but in computing world race conditions can lead to truly bad outcomes.

Race conditions are usually solved by requiring that the check and the action are performed as part of an atomic transaction, locking the state of the system so that the initial condition cannot be modified until the action is completed. Think of it as putting your foot on the shell right after you see the pea go under it — to prevent the scammer from palming or moving it while you are distracted (though I don’t suggest you try this unless you’re ready to get into a fistfight with the scammer and their accomplices).

The COW

Unfortunately, one such race condition was recently discovered in the part of the Linux Kernel that is responsible for memory mapping. Linux uses the “Copy on Write” (COW) approach to reduce unnecessary duplication of memory objects. If you are a programmer, imagine you have the following code:

  a = 'COW'

  b = a

Even though there are two variables here, they both point at the same memory object, since there is no need to take up twice the amount of RAM for two identical values. Next, the OS will wait until the value of the duplicate object is actually modified:

  b += ' Dirty'

At this point, Linux will do the following (I’m simplifying for clarity):

  1. allocate memory for the new, modified version of the object

  2. read the original contents of the object being duplicated (‘COW’)

  3. perform any required changes to it (append ‘ Dirty’)

  4. write modified contents into the newly allocated area of memory

Unfortunately, there is a race condition between step 2 and step 4 which tricks the memory mapper into writing the modified contents into the original memory range instead of the newly allocated area, so that instead of modifying memory belonging to “b” we end up modifying “a”.
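To make the copy-on-write behaviour concrete, here is an added C example (not from the original article) that plays out the article's “a” and “b” with a real read-only file and a MAP_PRIVATE mapping: it writes to the mapping, then re-reads the file to confirm the original object was left untouched. That untouched original is exactly the guarantee Dirty COW violated; the temporary file, its path and its contents are constructed for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample: the file contents play the role of "a" in the
 * article's example; the private mapping plays the role of "b". */
static const char ORIGINAL[] = "COW";

/* Create a scratch file holding ORIGINAL, make it read-only (like
 * /bin/bash for an unprivileged user) and reopen it O_RDONLY.
 * Returns the read-only descriptor, or -1 on failure. */
static int make_readonly_file(char *path, size_t pathlen) {
    snprintf(path, pathlen, "/tmp/cow-demo-XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, ORIGINAL, sizeof ORIGINAL) != (ssize_t)sizeof ORIGINAL) {
        close(fd);
        return -1;
    }
    close(fd);
    chmod(path, 0444);
    return open(path, O_RDONLY);
}

/* Map the file privately, modify the mapping (the "b += ' Dirty'" step),
 * then re-read the file through the kernel. Returns 1 if the file is
 * unchanged (COW behaved), 0 if the original was modified, -1 on error. */
int cow_keeps_original_intact(void) {
    char path[64];
    int fd = make_readonly_file(path, sizeof path);
    if (fd < 0) return -1;

    size_t len = 4096;
    /* PROT_WRITE on a read-only descriptor is only permitted with
     * MAP_PRIVATE: the first write must trigger a copy of the page. */
    char *b = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (b == MAP_FAILED) { close(fd); unlink(path); return -1; }

    strcpy(b, "COW Dirty");              /* step 3: change the duplicate */

    char back[32] = {0};
    pread(fd, back, sizeof back - 1, 0); /* re-read the original object */

    munmap(b, len);
    close(fd);
    unlink(path);
    return strcmp(back, ORIGINAL) == 0 ? 1 : 0;
}

int main(void) {
    int r = cow_keeps_original_intact();
    if (r < 0) { perror("cow demo"); return 1; }
    printf("private mapping written; original file %s\n",
           r ? "unchanged (COW intact)" : "MODIFIED (COW broken)");
    return r ? 0 : 2;
}
```

The program only exercises the normal, documented COW path; it does not attempt the race, so a return of 1 says nothing about whether the running kernel is patched.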

The paydirt

Just like any other POSIX system, Linux implements “Discretionary Access Controls” (DAC), which rely on a framework of users and groups to grant or deny access to various parts of the OS. The granted permission can be read-only, or read-write. For example, as a non-privileged user you should be able to read “/bin/bash” in order to start a shell session when you log in, but not write to it. Only a privileged account (e.g. “root”) should be able to modify this file — otherwise any malicious user could replace the bash binary with a modified version that, for example, logs all passwords or starts up a backdoor.

The race condition described above allows the attacker to bypass this permissions framework by tricking the COW mechanism into modifying the original read-only objects instead of their copies. In other words, a carefully crafted attack can indeed let an unprivileged user replace “/bin/bash” with a malicious version. This vulnerability has been assigned both the boring name (“CVE-2016-5195”) and the now-customary branded name of “Dirty COW.”

The really bad news is that this race condition has been present in the kernel for over 9 years, which is a very long time when it comes to computing. It is pretty much guaranteed that if you’re using any version of Linux or Android released in the past decade, you’re vulnerable.

The fix

Triggering this exploit is not as trivial as running a simple “cp” operation and putting any kind of modified binary in place. That said, given enough time and perseverance, we should assume that attackers will come up with cookie-cutter exploits that will allow them to elevate privileges (i.e. “become root”) on any unpatched system where they are able to freely execute arbitrary code. It is imperative that all Linux systems are patched as soon as possible — and a full reboot will be required, unless you have some kind of live patching solution available to you (if you don’t already know whether you can live-patch, then you probably cannot, as it’s not a widely used technology yet).

There is a fix available in the upstream kernel, and, at the time of writing this article, the distributions are starting to release updated packages. You should be closely monitoring your distribution’s release alerts and apply any outstanding kernel errata as soon as it becomes available. The same applies to any Android devices you may have.

If you cannot update and reboot your system right away, there are some mitigation mechanisms available to you while you wait (see this Red Hat Bugzilla entry for more details). It is important to note that the STAP method will only mitigate against known proof of concept exploits and is not generic enough to be considered a good long-term fix. Unfortunately, “Dirty COW” is not the kind of bug that can be prevented (much) by SELinux, AppArmor or any other RBAC solution, nor is it mitigated by PaX/GrSecurity hardening patches.

The takeaway

As I said earlier, in order to exploit the “Dirty COW” bug, the attacker must first be able to execute arbitrary code on the system. This, in itself, is bad enough — even if an attacker is not able to gain immediate root-level privilege, being able to execute arbitrary code gives them a massive foothold on your infrastructure and allows them a pivot point to reach your internal networks.

In fact, you should always assume that there are bad bugs lurking in the kernel that we do not yet know about (but the attackers do). Kees Cook in his blog about security bug lifetimes points out that vulnerabilities are usually fixed long after they are first introduced — many of them lurking in the code for years. Really bad bugs the caliber of the “Dirty COW” are worth hundreds of thousands of dollars on the black market, and you should always assume that an attacker who is able to execute arbitrary code on your systems will eventually be able to escalate their privileges and gain root access. Efforts like the “Kernel Self Protection Project” can help reduce the impact of some of these lurking bugs, but not all of them — for example, race conditions are particularly tricky to guard against and can be devastating in their scope of impact.

Therefore, any mitigation for the “Dirty COW” and other privilege escalation bugs should really be considered a part of a comprehensive defense-in-depth strategy that would work to keep attackers as far away as possible from being able to execute arbitrary code on your systems. Before they even get close to the kernel stack, the attackers should have to first defeat your network firewalls, your intrusion prevention systems, your web filters, and the RBAC protections around your daemons.

Taken altogether, these technologies will provide your systems with a great deal of herd immunity to ensure that no single exploit like the “Dirty COW” can bring your whole infrastructure to its tipping point.

Learn more about how to secure Linux systems through The Linux Foundation’s online, self-paced course Linux Security Fundamentals.

This week in open source and Linux news, the executive director of The Hyperledger Project explains how blockchain can help refugees identify themselves, a Nasdaq group is to provide an OSS platform to investors, and more! Read on to get caught up on the most important recent news!

1) Brian Behlendorf of The Linux Foundation’s Hyperledger Project speaks on how blockchain can help with refugee identification.

Blockchain Technology Can Help Save the Lives of Millions of Refugees by Giving Them a Verified Identity – Quartz

2) A “business arm of Nasdaq, Inc” is providing a new open source platform to investor relations professionals.

Nasdaq Corporate Solutions Unveils Open Source Platform for Investor Relations – Finance Magnates

3) A new partnership between Red Hat & Ericsson will center around OpenStack, NFV infrastructure, software-defined networking, software-defined infrastructure and containers.

Red Hat and Ericsson Sign Open Source Deal – NetworkWorld

4) Windows 10 Redstone 2 features major improvements for Linux users.

Microsoft Updates the Windows Subsystem for Linux with Ubuntu 16.04 Support – Softpedia

5) The JS Foundation is now a Linux Foundation collaborative project.

The Linux Foundation Strives to Unite Open-Source JavaScript Community – ZDNet

1) An overview of Linux’s history reveals that circumstance, innovation, and cross-platform demand resulted in its massive success and legacy.

Linux Took Over the Web. Now, It’s Taking Over the World – WIRED

2) The 2016 Linux Kernel Development Report has been released and reveals profitability.

Another Day, Another 4,600 Lines of Linux Kernel Code – InfoWorld

3) “Just 7.7% of devs are unpaid—because Linux development is worth paying for.”

Linux turns 25, is Bigger and More Professional Than Ever – Ars Technica

4) At LinuxCon North America this week, Linux Foundation Executive Director Jim Zemlin looks back on 25 years of Linux.

How Linux Conquered the World Without Anyone Noticing – CIO

5) “Thanks to a multi-year tradition, it is rather easy to predict when an improved version of Linux is about to roll out.”

Happy Birthday, Linux! 25 Years Of Changing The World With Code, Growing Stronger Than Ever – TechTimes

The Linux kernel community came close this year to setting a new record for the number of changes merged in a single release, according to the latest Linux Kernel Development report released today by The Linux Foundation.

Kernel version 4.6 saw an astounding 13,517 patches merged in 63 days — just shy of the record set by version 3.15 at 13,722 patches on June 8, 2014.

But changes to the kernel kept up their breakneck pace over the past 15 months, with more than 3 million lines of code added to the Linux kernel at a rate of 7.8 changes per hour.

“The ability to sustain this rate of change for years is unprecedented in any previous public software project,” according to the report.

The seventh edition of this report details the developers contributing to the kernel, the companies they work for, and the most significant changes made to the code and the development process since kernel version 3.18. The data mostly covers development since the last report was released in March 2015 — versions 3.19 to 4.7 — but some statistics go back to 2005 when development moved to the Git repository, and even back to Linus Torvalds’ first release in 1991.  

Celebrating the 25th Anniversary of Linux

This year the report also reflects on 25 years of Linux kernel development as the Linux and open source community gathers at LinuxCon North America in Toronto Wednesday night for a gala celebration commemorating the day Linus Torvalds first released Linux on Aug. 25, 1991.

At almost 22 million lines of code and a new release happening every 9-10 weeks, the Linux kernel is one of the largest, fastest moving open source projects in the history of technology. It’s also one of the most important as the core of the Linux operating system, which runs most of modern technology — from Android phones and Chromebooks, to nuclear submarines, the space station, global stock exchanges, and much more.

What started as Torvalds’ passion project has evolved over the past 25 years into a collective effort to build and maintain the code by thousands of developers employed by hundreds of companies.

“Clearly, the kernel developers are doing something right,” reads the report. “This report provides an update on what those developers have been doing and why they continue to be successful.”

Here are some of the highlights from the report, compiled from Git and analyzed by LWN Editor Jon Corbet and Linux kernel maintainer and Linux Foundation Fellow Greg Kroah-Hartman. Download the full report for more in-depth data and analysis.

2015-2016 Linux Kernel Development Highlights

From the report:

  • Almost 115,000 changesets have been merged since the 3.18 release on Dec. 7, 2014.

  • Contributions came from 5,062 individual developers representing nearly 500 corporations.

  • 2,355 of those developers were first-time contributors.

  • New features include support for live patching of the kernel, support for persistent-memory devices, encrypted storage for the ext4 filesystem, numerous networking enhancements with a focus on IPv6 and data-center improvements, and much more.

  • The “zero-day build and boot robot” testing system found nearly 400 bugs (all of which were fixed).

  • The busiest development cycle was kernel 4.6 with 13,517 patches merged — just shy of the record set by version 3.15 at 13,722 patches.

The top 10 developers contributing changes to the kernel were:

Name                         Number of changes
H Hartley Sweeten            1,456
Geert Uytterhoeven           1,036
Arnd Bergmann                  877
Al Viro                        782
Takashi Iwai                   735
Lars-Peter Clausen             729
Mauro Carvalho Chehab          714
Ville Syrjälä                  707
Linus Walleij                  661
Dan Carpenter                  631

The top 10 companies, which employ kernel developers to contribute to the Linux kernel, make up nearly 57 percent of the total changes to the kernel. The category “none,” which represents volunteer developers who aren’t paid by any company, fell to the No. 3 spot this year from No. 1 in the last report issued in 2015. And Renesas moved up in the rankings from No. 13, replacing Texas Instruments at No. 10. A large portion of development continues to be developers of unknown corporate affiliation, who typically contribute 10 or fewer changes.

Company                Changes    Percent of total
Intel                  14,384     12.9%
Red Hat                 8,987      8.0%
None                    8,571      7.7%
Unknown                 7,582      6.8%
Linaro                  4,515      4.0%
Samsung                 4,338      3.9%
SUSE                    3,619      3.2%
IBM                     2,995      2.7%
Consultants             2,938      2.6%
Renesas Electronics     2,239      2.0%


Download the full report: “Linux Kernel Development: How Fast It is Going, Who is Doing It, What They Are Doing and Who is Sponsoring the Work”