U-Kees Cook, owayengumphathi wesistimu oyinhloko ye-kernel.org kanye nomholi weThimba Lokuvikela Ubuntu manje osesebenza kwa-Google ukuze avikele i-Android ne-ChromeOS, uzwakalise ukukhathazeka ngenqubo yamanje yokulungisa iziphazamisi emagatsheni azinzile e-kernel. Isonto ngalinye, ukulungiswa okungaba yikhulu kufakwe emagatsheni azinzile, futhi ngemuva kokuthi iwindi lokwamukela izinguquko ekukhululweni okulandelayo livaliwe, lisondela enkulungwaneni (abanakekeli babamba ukulungiswa kuze kube iwindi livalwa, futhi ngemuva kokwakhiwa kwe " -rc1β bashicilela lezo eziqoqiwe ngesikhathi esisodwa), okuyiziningi kakhulu futhi ezidinga umsebenzi omningi wemikhiqizo yokulungisa esekelwe ku-Linux kernel.
Ngokusho kukaKeys, inqubo yokusebenza ngamaphutha ku-kernel ayinakwa ngokufanele futhi i-kernel ayinakho okungenani onjiniyela abayi-100 abengeziwe bomsebenzi ohlanganisiwe kule ndawo. Abathuthukisi be-kernel abakhulu bavame ukulungisa iziphazamisi, kodwa asikho isiqinisekiso sokuthi lokhu kulungiswa kuzodluliselwa kokuhlukile kwe-kernel esetshenziswa izinkampani zangaphandle. Abasebenzisi bemikhiqizo ehlukahlukene esekelwe ku-Linux kernel futhi abanayo indlela yokulawula ukuthi yiziphi iziphazamisi ezilungisiwe nokuthi iyiphi i-kernel esetshenziswa kumadivayisi abo. Ekugcineni, abakhiqizi banesibopho sokuvikeleka kwemikhiqizo yabo, kodwa ngomfutho ophakeme kakhulu wokulungiswa kokushicilela emagatsheni azinzile, bebebhekene nokukhetha - ukufaka zonke izinto ezilungisiwe, ukukhetha okubaluleke kakhulu, noma ukuziba konke ukulungisa. .
Isixazululo esilungile kungaba ukuthutha kuphela ukulungiswa okubaluleke kakhulu kanye nokuba sengozini, kodwa ukuhlukanisa amaphutha anjalo kusukela ekugelezeni okuvamile kuyinkinga enkulu. Inombolo enkulu yezinkinga ezivelayo ziwumphumela wokusebenzisa ulimi C, oludinga ukunakekelwa okukhulu lapho usebenza ngenkumbulo nezikhombi. Okwenza izinto zibe zimbi nakakhulu, amapeshi amaningi okuba sengozini awanikezwa isihlonzi se-CVE, noma anikezwa isihlonzi se-CVE isikhathi esithile ngemva kokushicilelwa kwepeshi. Esimweni esinjalo, kunzima kakhulu kubakhiqizi ukuhlukanisa ukulungisa okuncane ezindabeni ezibalulekile zokuphepha. Ngokwezibalo, ngaphezu kwama-40% okuba sengcupheni kuyalungiswa ngaphambi kokuthi kunikezwe i-CVE, futhi ngokwesilinganiso ukubambezeleka phakathi kokukhishwa kokulungiswa kanye nokwabiwa kwe-CVE kuyizinyanga ezintathu (okungukuthi, ekuqaleni ukulungiswa kuthathwa ngokuthi isiphazamisi esivamile, kodwa kuphela ngemva kwezinyanga ezimbalwa kuba sobala ukuthi ubungozi bulungisiwe).
Ngenxa yalokho, ngaphandle kwegatsha elihlukile elinokulungiswa kobungozi futhi ngaphandle kokuthola ulwazi mayelana nokuxhumeka kokuvikeleka kwenkinga ethile, abakhiqizi bemikhiqizo esekelwe ku-Linux kernel bayekwa ukuthi badlulise ngokuqhubekayo konke ukulungisa kusuka emagatsheni akamuva azinzile. Kodwa lo msebenzi udinga umsebenzi omningi futhi ubhekana nokuphikiswa ezinkampanini ngenxa yokwesaba ukuvela kwezinguquko ezihlehlayo ezingase ziphazamise ukusebenza okuvamile komkhiqizo.
Masikhumbule ukuthi ngokusho kuka-Linus Torvalds, wonke amaphutha abalulekile futhi ubungozi akumele buhlukaniswe kwezinye izinhlobo zamaphutha futhi bubelwe esigabeni esihlukile esibalulekile. Lo mbono uchazwa iqiniso lokuthi kumthuthukisi ojwayelekile ongagxili ezindabeni zokuphepha, ukuxhumana phakathi kokulungiswa nokuba sengozini okungaba khona akubonakali (ekulungisweni okuningi, ukuhlolwa okuhlukile kuphela okwenza kube nokwenzeka ukuqonda ukuthi kuthinta ukuphepha. ). NgokukaLinus, ochwepheshe bezokuphepha abavela emaqenjini anesibopho sokugcina amaphakheji e-kernel ekusatshalalisweni kwe-Linux kufanele babambe iqhaza ekuhlonzeni ubungozi obungaba khona kusukela ekusakazeni okuvamile kwamapeshi.
U-Kees Cook ukholelwa ukuthi okuwukuphela kwesixazululo sokugcina ukuphepha kwe-kernel ngezindleko zesikhathi eside ezizwakalayo ukuthi izinkampani zihambise onjiniyela ababambe iqhaza ekulungiseni ukuthuthwa kwempahla ku-kernel yendawo yakhela kube umzamo ohlangene, ohlangene wokugcina ukulungiswa kanye nokuba sengozini ku-kernel eyinhloko (enhla nomfula. ). Ngendlela yayo yamanje, abakhiqizi abaningi abasebenzisi izinguqulo zakamuva ze-kernel emikhiqizweni yabo futhi babuyisela ukulungiswa kwangaphakathi, i.e. Kuvele ukuthi onjiniyela ezinkampanini ezahlukene baphindaphinda umsebenzi womunye, baxazulule inkinga efanayo.
Isibonelo, uma izinkampani ezingu-10, ngayinye enonjiniyela oyedwa osekela ukulungiswa okufanayo, zabela kabusha labo njiniyela ekulungiseni iziphazamisi enhla nomfula, khona-ke esikhundleni sokuhlehlisa ukulungiswa okukodwa, zingalungisa iziphazamisi eziyi-10 ezihlukene ukuze kuzuze okufanayo noma zihlanganyele ekubuyekezweni kokuhlongozwayo. izinguquko futhi ivimbele ikhodi ye-buggy kusukela ekufakweni ku-kernel. Izinsiza zingase futhi zinikezelwe ekudaleni amathuluzi amasha okuhlola nokuhlaziya ikhodi ezovumela ukutholwa kusenesikhathi kwezigaba ezivamile zamaphutha avela ngokuphindaphindiwe.
U-Kees Cook futhi uphakamisa ngokukhuthala okukhulu ukusebenzisa ukuhlola okuzenzakalelayo nokufiphalayo ngokuqondile enqubweni yokuthuthukisa i-kernel, kusetshenziswa amasistimu wokuhlanganisa aqhubekayo kanye nokushiya ukuphathwa kokuthuthukiswa kwe-archaic nge-imeyili. Njengamanje, ukuhlola okusebenzayo kuphazanyiswa ukuthi izinqubo zokuhlola eziyinhloko zihlukaniswa nokuthuthukiswa futhi zenzeka ngemva kokwakhiwa kokukhishwa. Okhiye baphinde batusa ukusebenzisa izilimi ezihlinzeka ngezinga eliphezulu lokuphepha, njenge-Rust, lapho kuthuthukiswa ukwehlisa inani lamaphutha.
Source: opennet.ru