It was discovered that Linux developers were having a lot of trouble with 'Intel's disclosure of vulnerability information was too late'



Linux developers Greg Croix-Hartmann on vulnerability information of "Spectre" and "Meltdown" that existed in Intel CPU at " Open Source Summit 2018 " held in the United States from August 29, 2018 on the United States , "It was hard for many Linux developers to think that Intel's disclosure was too late," he said.

Linux Kernel Developer Criticizes Intel's Meltdown Disclosure
http://www.eweek.com/security/linux-kernel-developer-criticizes-intel-for-meltdown-spectre-response

Mr. Clo-Hartman is known as one of the world's leading Linux kernel developers, formerly belonging to the SUSE Linux research department at Novell, but since 2012 it has been a nonprofit organization " The I am enrolled in the Linux Foundation .

Specter and Meltdown, Intel CPU vulnerabilities, were discovered by Google's development team in July 2017. The team immediately reported that Intel has vulnerabilities. Under normal circumstances, after confirming the details of the vulnerability reporting company, the vulnerability information is provided to the vendor of the affected OS and the creator of the security patch is requested. However, Intel at that time seems to have not responded especially after checking the details of the vulnerability.

Then, in October 2017, Raw Hatman who knew of the vulnerability in rumors requested Intel to disclose the vulnerability information, and the provided vulnerability information was transmitted to Linux such as RedHat, Novell, and Oracle We collaborated with vendors and development communities. With this correspondence, many Linux vendors were forced to respond to security patch creation during New Year's holidays, and many developers got angry at Intel.



It is unavoidable that a Linux vendor's long vacation will be broken by creating an urgent security patch. However, despite the existence of the vulnerability being disclosed beforehand, Intel was buying a big anger from Linux developers as it was a matter that the disclosure of information was too late It was.

After this correspondence, Mr. Craw-Hartman who talked with Intel said, "After telling Intel about the anger of Linux developers, I fixed the problem of vulnerability disclosure process," the same as this time It is said that such a situation never reoccurs. In fact, a vulnerability of " Foreshadow " was discovered from Intel CPU in August 2018, he said "Since Intel notified according to a predetermined process, each Linux vendor and development community cooperated "We explained that the corrective process is functioning correctly.

Claw = Hartman says, "Although vulnerabilities of Specter and Meltdown caused many Linux developers to feel unhappy, there were also good points." The discovered vulnerability affected not only Linux but also Windows, so that Windows and Linux developers have come to communicate with each other with this correspondence. "It is very wonderful to have cooperation among different OS developers," says Klee Hartman.



He also points out that "technical issues remain." The security patches of Specter and Meltdown have been applied to the supported Linux kernel at the time of article creation, but they are not applied to unsupported kernels. Therefore, if OS update can not be done due to some circumstances, and you have to keep using old OS, "You can only take measures to remember that suspicious programs will not be executed," Mr. Claw - Hartman I am talking.

The vulnerability can be found more and more later and it tends to be an ad hoc response by all means. However, as of 2018, it is a fact that many studies are being conducted in order to stop this trend. Mr. Claw = Hartman says, "In order to stop this flow, security-specific compiler that automatically removes or corrects a weak code pattern in a program is required, and now it is required for Specter and Meltdown A way to detect vulnerabilities from within code has been studied, and compiler implementation is gradually approaching. "

in Software,   Security, Posted by darkhorse_log