Linux Security News Archives


276 Linux Security open-source and Linux related news articles on Phoronix since 2006.

GhostRace Detailed - Speculative Race Conditions Affecting All Major CPUs / ISAs

VUSec and IBM Research Europe today announced Speculative Race Conditions (SRCs) as a new class of vulnerabilities where thread synchronization primitives using conditional branches can be microarchitecturally bypassed on speculative paths using a Spectre-V1 attack. The researchers have dubbed CVE-2024-2193 "GhostRace" and it is said to affect all major CPU vendors.

12 March 2024 - GhostRace - Speculative Race Conditions - 43 Comments
Linux 6.9 Making It Easier Managing Security Mitigation Options

The x86/core changes were submitted today for the now-open Linux 6.9 merge window. Among other changes, the x86 CPU security mitigation options within the Linux kernel Kconfig have been adjusted where appropriate to make clearer that these options/features are security mitigations.

11 March 2024 - CONFIG_MITIGATION_ - 1 Comment
"SandBox Mode" Proposed For The Linux Kernel To Improve Memory Safety

While there is already the work underway on allowing the Rust programming language within the Linux kernel in part to leverage its memory safety potential, a proposal was sent out this morning for a new "SandBox Mode" for the Linux kernel to also increase the memory safety of C code within the kernel.

14 February 2024 - Linux SandBox Mode - 18 Comments
New WiFi Authentication Vulnerabilities For Linux's IWD & WPA_Supplicant

Kicking off what may end up being a fairly busy Patch Tuesday are two WiFi authentication vulnerabilities being made public that affect Intel's IWD daemon as well as the WPA_Supplicant software -- between the two they are the most common solutions for wireless daemons on Linux systems.

13 February 2024 - Linux WiFi Authentication Vulnerabilities - 14 Comments
SELinux In Linux 6.6 Removes References To Its Origins At The US NSA

Security Enhanced Linux (SELinux) has been part of the mainline kernel for two decades to provide a security module implementing access control security policies and is now widely-used for enhancing the security of production Linux servers and other systems. Those that haven't been involved with Linux for a long time may be unaware that SELinux originates from the US National Security Agency (NSA). But now with Linux 6.6 the NSA references are being removed.

29 August 2023 - National Security Agency - 53 Comments
Oracle Updates TrenchBoot Secure Dynamic Launch Support For Linux

In development for several years now has been TrenchBoot as a framework for creating security engines to perform system launch integrity actions. This boot-time integrity framework continues advancing and this past week Oracle engineers posted their latest patches for the Linux kernel in providing dynamic launch support.

8 May 2023 - TrenchBoot For Linux - Add A Comment
Linux Will Stop Randomizing Per-CPU Entry Area When KASLR Is Not Active

With the Linux 6.2 release kernel developers addressed "a tasty target for attackers" after it was realized that the per-CPU entry data was not being randomized, even in the presence of Kernel Address Space Layout Randomization (KASLR). The per-CPU entry area randomization has been present since Linux 6.3, but it was then realized that it is being activated even when KASLR is disabled, so that is now changing to avoid possible confusion.

26 March 2023 - Avoids Randomizing When KASLR Off - 2 Comments
Linux Landing Change To Allow STIBP When Using Legacy IBRS

Ahead of the Linux 6.3-rc1 release later today, a set of "x86/urgent" patches were sent out Sunday morning that include the change to allow Single Threaded Indirect Branch Predictors (STIBP) to be used in the presence of legacy Indirect Branch Restricted Speculation (IBRS) for security reasons.

5 March 2023 - STIBP + Legacy IBRS - 2 Comments
Linux Inadvertently Has Been Leaving IBRS-Mitigated Systems Without STIBP

Since last year the Linux kernel has mistakenly left systems relying on the original Indirect Branch Restricted Speculation (IBRS) for Spectre V2 mitigation without Single Threaded Indirect Branch Predictor (STIBP) coverage for protecting against this Spectre vulnerability across Hyper-Threads. There is a patch underway that resolves this issue for Intel Skylake era systems.

27 February 2023 - Linux Needs IBRS + STIBP - 4 Comments
Open Source Security Foundation's Criticality Score 2.0 Debuts To Rank Important OSS Projects

Back in 2020 Google and the Open-Source Security Foundation (OpenSSF) came up with a "Criticality Score" to rank the importance/criticality of open-source projects. The Criticality Score is a means of quantifying the importance of an open-source project such as if in need of funding or development assistance. Criticality Score 2.0 has now been published.

24 February 2023 - OpenSSF Criticality Score 2.0 - 10 Comments
Landlock Security Module Adds File Truncation Support With Linux 6.2

Merged back in Linux 5.13 last year was Landlock for allowing unprivileged application sandboxing. Landlock allows restricting ambient rights for a set of processes and is implemented as a stackable Linux security module (LSM) for establishing safe security sandboxes. With Linux 6.2 file truncation support is added for Landlock.

18 December 2022 - Landlock - 9 Comments
Intel Preparing Virtual IA32_SPEC_CTRL Support For The Linux Kernel

Intel on Sunday posted a set of Linux patches implementing SPEC CTRL virtualization support for this VMX feature with new Intel CPUs to help with migrating virtual machines to hosts with different CPU microarchitectures where their security mitigations may be different.

11 December 2022 - Virtual IA32_SPEC_CTRL - 4 Comments
Linux Moving Ahead With Enabling Kernel IBT By Default

As an enhancement to the out-of-the-box Linux kernel in its default x86_64 configuration, it was being eyed to enable Indirect Branch Tracking by default. That change to enable IBT by default has been picked up by TIP's x86/core branch, thus putting it on deck as material for submitting with next month's Linux 6.2 merge window.

5 November 2022 - Indirect Branch Tracking - Add A Comment
Linux Still Eyes Better Security By Default Enabling Indirect Branch Tracking (IBT)

Indirect Branch Tracking (IBT) is still being eyed for enabling as part of the default Linux x86_64 kernel configurations to provide better out-of-the-box security on supported processors. A patch sent out today continues the upstream discussion over flipping on this feature by default that is part of Intel's Control-flow Enforcement Technology (CET) for helping to defend against jump/call oriented programming attacks.

1 November 2022 - X86_KERNEL_IBT - Add A Comment
OpenSSL Outlines Two High Severity Vulnerabilities

Two high severity security vulnerabilities affecting OpenSSL were made public today; these were the issues that led to Fedora 37 being delayed to mid-November so that the release images could ship with mitigated OpenSSL packages.

1 November 2022 - OpenSSL Vulnerabilities - 17 Comments
Call Depth Tracking Aligning For Linux 6.2 To Lessen Mitigation Performance Hit For Intel Skylake

While the Linux 6.1 merge window has just passed and the "Call Depth Tracking" patches have been in development for the past few months, it looks like Linux 6.2 is where that alternative mitigation technique will be introduced to help offset some of the significant performance regressions incurred on Intel Skylake era processors as a result of recent CPU security vulnerability mitigations.

19 October 2022 - Call Depth Tracking - 3 Comments
Git 2.38.1 Released For Two New Security Vulnerabilities

Git 2.38.1 was just released along with updates to older versions, including the new point releases of v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, and v2.37.4. The big set of Git updates today is due to two more security issues coming to light.

18 October 2022 - Git 2.38.1 - 3 Comments
Linux 6.1 Feature Would Have Caught All memcpy Based Buffer Overflows Of Recent Years

A kernel hardening security improvement on the way for Linux 6.1 is the ability to provide warning of possible memcpy() based overflows. Right now this is only a warning but it's work towards being able to address "trivially detectable" buffer overflow conditions within the kernel and in the future may be able to block such overflows from happening.

3 October 2022 - Hardening The Kernel - 19 Comments
Linux getrandom() vDSO Patch Updated For ~15x Speedup

Over the summer Jason Donenfeld of WireGuard fame proposed adding getrandom() to the vDSO for better performance for user-space developers. This past week he sent out the latest version of this proposed kernel patch, where he is seeing around a ~15x speed-up with this change.

18 September 2022 - Faster getrandom() - 11 Comments
Google Engineers Argue For Linux "ASI" To Better Deal With Speculative Execution Attacks

Proposed a few years ago was Kernel Address Space Isolation (KASI / ASI) for limiting data leaks with the growing number of speculative execution attacks on CPUs. Several organizations have been involved with Address Space Isolation efforts for the Linux kernel including IBM, Oracle, and Google with various approaches. Google engineers earlier this year posted a newer iteration of ASI focused on KVM use for the cloud / VMs. ASI still hasn't made it to the mainline kernel but Google engineers this week at LPC argued that it should be the path forward for mainline in better dealing with these CPU security vulnerabilities.

17 September 2022 - Address Space Isolation - 33 Comments
Call Depth Tracking For Less Costly Retbleed Mitigation Hopes To Land Soon

Longtime Linux kernel engineer Peter Zijlstra with Intel has sent out his latest "Call Depth Tracking" patches as a mitigation for Retbleed that aims to be less costly on system performance than the current mitigation approach. With this latest patch series, he indicates he hopes to soon get this code mainlined.

17 September 2022 - Call Depth Tracking - 7 Comments
Call Depth Tracking Mitigation Updated For Linux In Better Mitigating Retbleed

Back in July Intel's Peter Zijlstra proposed "Call Depth Tracking" as a mitigation approach for handling Retbleed and avoiding the "performance horror show" of Indirect Branch Restricted Speculation (IBRS) usage. Out today is the newest version of the Call Depth Tracking code and the performance benchmark results are looking very promising for lessening the pain of the Retbleed CPU mitigation performance impact.

2 September 2022 - Call Depth Tracking Mitigation - 10 Comments
Linux x86 32-bit Is Vulnerable To Retbleed But Don't Expect It To Get Fixed

While relevant Intel and AMD processors have been mitigated for the recent Retbleed security vulnerability affecting older generations of processors, those mitigations currently just work for x86_64 kernels and will not work if running an x86 (32-bit) kernel on affected hardware. But it's unlikely to get fixed unless some passionate individual steps up as the upstream developers and vendors have long since moved on to just caring about x86_64.

24 July 2022 - Linux x86 + Retbleed - 24 Comments
Linux Lands Fix For A Trivial Lockdown Bypass Bug

Merged this afternoon to the mainline Linux 5.19 Git kernel and set for back-porting is a fix for a new security bug. Oracle made public CVE-2022-21505 on Tuesday as a trivial bypass to the Linux kernel's lockdown mode.

20 July 2022 - CVE-2022-21505 - 7 Comments
Linux To Drop "nordrand" Option - Users Should Instead Switch To "random.trust_cpu"

The Linux kernel has long honored the "nordrand" kernel parameter to disable kernel use of the Intel RDRAND and RDSEED instructions if not trusting them -- either out of security concerns that they could be compromised by the vendor or running into hardware/firmware issues around RdRand usage. But the Linux kernel is preparing to drop that kernel parameter with users encouraged to use the more generic "random.trust_cpu" parameter.

10 July 2022 - RdRand Bull Mountain - 6 Comments