Google's Kees Cook criticizes the current process for handling bugs in the Linux kernel

Kees Cook, former chief system administrator of kernel.org and former leader of the Ubuntu Security Team, now working at Google on securing Android and ChromeOS, has expressed concern about the current process for fixing bugs in the stable branches of the kernel. Every week around a hundred fixes are added to the stable branches, and once the merge window for the next release closes this approaches a thousand (maintainers hold back fixes until the window closes and, after "-rc1" is formed, publish everything they accumulated at once). That is far too many, and it creates a great deal of work for maintainers of products based on the Linux kernel.

According to Kees, the process of dealing with bugs in the kernel does not receive proper attention, and the kernel lacks at least 100 additional developers for coordinated work in this area. Core kernel developers regularly fix defects, but there is no guarantee that those fixes will be carried over into the kernel variants shipped by third parties. Users of the various products based on the Linux kernel likewise have no way to control which bugs have been fixed and which kernel runs on their devices. Ultimately, manufacturers are responsible for the security of their products, but faced with the very high rate at which fixes are published to the stable kernel branches, they are left with a choice: port all fixes, select only the most important ones, or ignore all fixes.

The best solution would be to port only the most important fixes and vulnerability patches, but separating those from the general flow is the main problem. The largest share of emerging problems stems from the use of the C language, which demands great care when working with memory and pointers. To make matters worse, many patches for potential vulnerabilities are never assigned a CVE identifier, or receive one only after the patch has been published. In such a situation it is very difficult for manufacturers to distinguish minor fixes from important security issues. Statistically, more than 40% of vulnerabilities are fixed before a CVE is assigned, and the average delay between the release of a fix and the assignment of a CVE is three months (i.e., the fix is initially perceived as an ordinary bug, and only months later does it become clear that a vulnerability was fixed).

As a result, without a separate branch containing only vulnerability fixes, and without information about the security relevance of a particular problem, manufacturers of products based on the Linux kernel are left to continuously port all fixes from the latest stable branches. But this work requires a lot of effort and meets resistance inside companies because of the fear of regressions that could disrupt the normal operation of the product.

Recall that, according to Linus Torvalds, all bugs are important, and vulnerabilities should not be separated from other kinds of bugs and given a higher priority. This view is explained by the fact that for an ordinary developer who does not specialize in security, the connection between a fix and a possible vulnerability is not obvious (for many fixes, only a separate audit makes it possible to understand that they affect security). According to Linus, security specialists from the teams responsible for maintaining kernel packages in Linux distributions should be the ones involved in identifying potential vulnerabilities in the general stream of patches.

Kees Cook believes that the only way to keep the kernel secure at a reasonable long-term cost is for companies to move the engineers who currently maintain their local kernel builds into a joint, coordinated effort to maintain bug and vulnerability fixes in the upstream kernel. In the current situation, many manufacturers do not use the latest kernel versions in their products and backport fixes in-house, i.e. engineers at different companies end up duplicating each other's work, solving the same problem over and over.

For example, if 10 companies, each with one engineer backporting the same fixes, instead assigned those engineers to fix defects upstream, then rather than backporting one fix ten times they could fix 10 different bugs for the common benefit, or take part in reviewing proposed changes and prevent buggy code from entering the kernel in the first place. Resources could also be devoted to creating new testing and code-analysis tools that would allow early detection of typical, recurring classes of bugs.

Kees Cook also suggests making more active use of automated testing and fuzzing directly in the kernel development process, relying on continuous integration systems and abandoning the archaic practice of managing development over email. At present, effective testing is hampered by the fact that the main testing systems are separated from development and run only after a release has been published. Kees also recommends using languages that provide a higher level of safety, such as Rust, in development to reduce the number of bugs.

Source: opennet.ru