Kees Cook, tsohon babban mai kula da tsarin kernel.org kuma shugaban Ƙungiyar Tsaro ta Ubuntu wanda yanzu ke aiki a Google don tabbatar da Android da ChromeOS, ya nuna damuwa game da tsarin da ake yi na gyara kwari a cikin rassan kernel. A kowane mako, kusan ɗari gyare-gyare suna haɗawa a cikin rassan rassan, kuma bayan taga don karɓar canje-canje a cikin saki na gaba ya rufe, yana kusantar dubu (masu kula suna riƙe da gyaran har sai taga ya rufe, kuma bayan samuwar " -rc1" suna buga abubuwan da aka tara a lokaci ɗaya), wanda ya yi yawa kuma yana buƙatar aiki mai yawa don samfuran kulawa bisa tushen Linux kernel.
A cewar Keys, tsarin aiki tare da kurakurai a cikin kwaya ba a ba da kulawar da ta dace ba kuma kernel ɗin ba ta da ƙarin ƙarin masu haɓakawa aƙalla 100 don aikin haɗin gwiwa a wannan yanki. Babban masu haɓaka kernel suna gyara kwari akai-akai, amma babu tabbacin cewa za a kai waɗannan gyare-gyare zuwa bambance-bambancen kwaya da wasu ke amfani da su. Masu amfani da samfura daban-daban dangane da kernel na Linux suma ba su da hanyar da za su iya sarrafa waɗanne kwari ne aka gyara da kuma wace kernel ake amfani da su a cikin na'urorinsu. A ƙarshe, masana'antun suna da alhakin amincin samfuran su, amma tare da tsananin ƙarfin buga gyare-gyare a cikin rassan kwaya mai ƙarfi, sun fuskanci zaɓi - tashar jiragen ruwa duk gyare-gyare, zaɓi tashar jiragen ruwa mafi mahimmanci, ko watsi da duk gyare-gyare. .
Mafi kyawun mafita shine yin ƙaura kawai mafi mahimmancin gyare-gyare da lahani, amma ware irin waɗannan kurakurai daga kwararar gabaɗaya ita ce babbar matsala. Mafi yawan matsalolin da ke tasowa shine sakamakon amfani da harshen C, wanda ke buƙatar kulawa mai mahimmanci lokacin aiki tare da ƙwaƙwalwar ajiya da masu nuni. Don yin muni, yawancin yuwuwar facin rashin lahani ba a samar da mai gano CVE ba, ko kuma an sanya masu gano CVE ɗan lokaci bayan an buga facin. A cikin irin wannan yanayi, yana da matukar wahala ga masana'antun su raba ƙananan gyare-gyare daga mahimman batutuwan tsaro. Dangane da kididdigar, fiye da kashi 40% na raunin da aka gyara ana gyara su kafin a ba da CVE, kuma a matsakaicin jinkiri tsakanin sakin gyara da aikin CVE shine watanni uku (watau, da farko ana ganin gyaran kamar yadda ya dace). kwaro na yau da kullun, amma bayan wasu watanni da yawa ya bayyana a fili cewa an daidaita raunin).
Sakamakon haka, ba tare da reshe daban ba tare da gyare-gyare don raunin rauni kuma ba tare da samun bayanai game da haɗin tsaro na wata matsala ba, ana barin masana'antun samfuran da suka dogara da kernel na Linux don ci gaba da canja wurin duk gyare-gyare daga sabbin rassan barga. Amma wannan aikin yana buƙatar aiki mai yawa kuma yana fuskantar juriya a cikin kamfanoni saboda tsoron bullar sauye-sauyen da za su iya rushe aikin yau da kullun na samfurin.
Bari mu tuna cewa bisa ga Linus Torvalds, duk kurakurai suna da mahimmanci kuma bai kamata a raba raunin da sauran nau'ikan kurakurai ba kuma a ware su zuwa wani babban fifiko na daban. An bayyana wannan ra'ayi ta gaskiyar cewa ga mai haɓakawa na yau da kullun wanda ba ya ƙware a cikin lamuran tsaro, haɗin kai tsakanin gyarawa da yuwuwar rauni ba a bayyane yake ba (don gyare-gyare da yawa, kawai dubawa na daban ya sa ya yiwu a fahimci cewa sun shafi tsaro ). A cewar Linus, ƙwararrun tsaro daga ƙungiyoyin da ke da alhakin kiyaye fakitin kernel a cikin rarrabawar Linux yakamata su shiga cikin gano yuwuwar lallausan da ke tattare da facin gaba ɗaya.
Kees Cook ya yi imanin cewa kawai mafita don kiyaye tsaro na kwaya a farashi mai ma'ana na dogon lokaci shine kamfanoni su motsa injiniyoyin da ke da hannu wajen jigilar kaya zuwa kwaya na gida zuwa cikin haɗin gwiwa, ƙoƙarin daidaitawa don kiyaye gyare-gyare da lahani a cikin babban kwaya (a sama). ). A cikin tsarin sa na yanzu, masana'antun da yawa ba sa amfani da sabbin nau'ikan kwaya a cikin samfuran su kuma suna mayar da gyare-gyare a cikin gida, watau. Ya zama cewa injiniyoyi a kamfanoni daban-daban suna kwafin aikin juna, suna magance matsala iri ɗaya.
Misali, idan kamfanoni 10, kowanne da injiniya guda daya ke ba da gyare-gyare iri ɗaya, suka sake sanya waɗancan injiniyoyin don gyara kurakurai a sama, maimakon mayar da gyara guda ɗaya, za su iya gyara ƙwaro 10 daban-daban don amfanin gama gari ko shiga cikin yin bitar canje-canjen da aka tsara kuma su hana buggy code. daga kasancewa a cikin kwaya. Hakanan za'a iya keɓance albarkatu don ƙirƙirar sabbin kayan aiki don gwaji da nazarin lamba wanda zai ba da damar gano farkon nau'ikan kurakurai waɗanda ke tasowa akai-akai.
Kees Cook kuma yana ba da shawarar ƙarin ƙwazo ta amfani da gwaji mai sarrafa kansa da mai ban mamaki kai tsaye a cikin tsarin haɓaka kernel, ta amfani da tsarin haɗin kai mai ci gaba da yin watsi da sarrafa ci gaban archaic ta imel. A halin yanzu, gwaji mai inganci yana da matsala ta gaskiyar cewa manyan hanyoyin gwaji sun rabu da haɓakawa kuma suna faruwa bayan an ƙirƙira su. Hakanan maɓallai sun ba da shawarar yin amfani da yarukan da ke ba da babban matakin tsaro, kamar Tsatsa, lokacin haɓaka don rage yawan kurakurai.
source: budenet.ru