Kees Cook of Google called for changing the process of handling bugs in the Linux kernel

Kees Cook, formerly CSO of kernel.org and leader of the Ubuntu Security Team, who now works at Google on securing Android and ChromeOS, expressed concern about the current process of fixing bugs in the stable branches of the kernel. Every week about a hundred fixes are included in the stable branches, and after the window for accepting changes into the next release closes, the number approaches a thousand (maintainers hold fixes until the window closes, and after "-rc1" is formed they publish everything they have accumulated at once), which is too many and requires a lot of work to maintain products based on the Linux kernel.

According to Kees, the process of handling bugs in the kernel does not receive due attention, and the kernel is short of at least 100 additional developers for coordinated work in this area. The core kernel developers fix bugs regularly, but there is no guarantee that these fixes will be carried over to the kernel variants used by third parties. Users of the various products based on the Linux kernel also have no way to control which bugs are fixed and which kernel is used on their devices. Vendors are ultimately responsible for the security of their products, but faced with a very high rate of fixes in the stable kernel branches, they have had to choose between backporting all patches, selecting only the most important ones, or ignoring all patches.

The optimal solution would be to port only the most important fixes and vulnerabilities, but separating such bugs out of the general flow is the main problem. Most of the problems that surface are a consequence of using the C language, which requires great care when working with memory and pointers. Worse, many fixes for potential vulnerabilities are not given CVE identifiers, or receive one only some time after the patch is published. Under these conditions it is very difficult for vendors to separate minor fixes from significant security issues. According to statistics, more than 40% of vulnerabilities are fixed before a CVE is assigned, and the average delay between the release of a patch and the assignment of a CVE is three months (i.e., at first the fix is perceived as an ordinary bug, and only several months later does it become clear that a vulnerability was fixed).

As a result, without a separate branch containing vulnerability fixes and without information about the security relevance of a particular issue, makers of products based on the Linux kernel are left to port all fixes from the latest stable branches. But this work requires a great deal of effort and meets resistance within companies for fear of regressive changes that could disrupt the normal operation of the product.

Recall that, according to Linus Torvalds, all bugs are important, and vulnerabilities should not be separated from other kinds of bugs and placed in a separate, higher-priority category. This opinion is explained by the fact that, for an ordinary developer who does not specialize in security, the link between a fix and a potential vulnerability is not obvious (for many fixes, only a separate audit makes it possible to understand that they are security-related). According to Linus, it is up to the security teams in the groups responsible for maintaining kernels in Linux distributions to pick out potential vulnerabilities from the general patch flow.

Kees Cook believes that the only way to keep the kernel secure at a reasonable long-term cost is for companies to move the engineers who are involved in kernel builds over to joint, coordinated work on maintaining fixes and vulnerabilities in the upstream kernel. In the current state of affairs, many vendors do not use the latest kernel version in their products and backport fixes on their own, i.e. engineers at different companies end up duplicating each other's work, solving the same problem.

For example, if 10 companies, each with one engineer backporting the same fixes, redirected those engineers to fixing bugs upstream, then instead of fixing just one they could fix 10 bugs for the common benefit, or join in reviewing proposed changes and prevent buggy code from being included in the kernel. Resources could also be devoted to creating new tools for testing and code analysis, which would make it possible to detect errors that surface again and again.

Kees Cook also suggests making more active use of automated testing and fuzzing directly in the development process, using continuous integration systems, and abandoning the archaic management of development via e-mail. At present, effective testing is hampered by the fact that the main testing processes are separated from development and take place after releases are formed. Kees also recommended using safer languages, such as Rust, to reduce the number of bugs.

Source: opennet.ru
