Can Linux ever be completely Secure?
Top security engineers for Linux addressed the question whether it is possible to achieve total security for this operating system, which is, as readers will be aware, open source. At this week's Red Hat summit, the question how Red Hat intends to go about building/ developing Linux into a secure operating system was both asked and answered by the head of Red Hat's Product Security Team, Josh Bresser.
According to Bresser's explanation, both automated and manual quality assurance activities are involved in security processes. These processes are reinforced by SELinux, which was described as Linux Security's 'silver bullet' by Red Hat's senior principal software engineer Dan Walsh.
Describing SELinux as an 'unbelievable' code capable of seeing if someone somewhere is doing something stupid, Walsh explained that SELinux provides so-called mandatory access controls. Originally a development by the NSA, SELinux has been a part of Enterprise Linux since the release of v. 4.0.
Open source software is by definition open. This means that unlike proprietary software, open source codes, whether bad, good or indifferent, are there for anyone to see. This makes eliminating security risks entirely a more or less unsolvable issue. As Josh Bresser said, as long as code is written by humans, it is likely that there will be bugs of some kind or another. With codes being exposed to all, it is virtually impossible to 'sneak in' bug fixes.
Naturally, the fact that nothing can be 'sneaked in' provides a great deal of transparency, but at the same time, Linux may appear worse as far as security is concerned when comparing it to proprietary OS software. As it is, while not all security flaws can be eliminated, specific flaw classes can be removed. Bresser is, for instance, optimistic about Red Hat's ability to successfully eliminate vulnerabilities related to stack overflow. Newer GCC compiler versions offer a certain degree of protection to developers to ensure compiled code does not feature such issues.
The company is also attempting to limit potential risks via additional sand-boxing of applications that are running. As Dan Walsh noted, it is already possible for applications to be required to 'live' in their very own sand-box areas. He added that Red Hat is really trying to establish multiple hurdles for hackers to overcome. Bresser added that it is impossible to fix people. As he put it, it is possible to train out some of the stupid, but mistakes can and will continue to happen. The idea is to develop tools that will catch such mistakes and deal with them as quickly as possible.
© Copyright 2019