The working dead: The security risks of outdated Linux kernels
Linux kernel security vulnerabilities are often in the headlines. Recently it was revealed a serious kernel vulnerability remained undiscovered for over a decade. But, what does this mean in a practical sense? Why is security of the Linux kernel important? And, what effects do vulnerabilities have on older or obsolete kernels that are persistent in many devices?
Source: Nikolai Hampton
Linux is king
Without doubt, Linux-based operating systems are incredibly popular: Three-quarters of IoT devices run Linux; two-thirds of online servers; and 70 per cent of tablets are Android (modified Linux kernel) based — Linux is everywhere!
This is partly because Linux is open source and freely available, which makes it attractive to developers who pay no licensing fees. Linux is frequently included software development kits (SDKs) by electronic-chip manufacturers. This provides developers with a reference platform to work from, and demonstrates hardware capabilities.
With a reference development platform, manufacturers can simply pick up the operating system and SDK, compile their own applications and be ready to ship new product. Unfortunately, these ready-to-go examples and operating systems are often quite old and often no longer supported.
But, why are older kernels such a problem? Who cares if your IoT toaster, or your car’s entertainment system isn’t cutting edge — right?
In a research paper from 2015, we found that three quarters of home and small-office Internet routers were running firmware with obsolete Linux kernels. Most of these were un-patched against many vulnerabilities — that is, they were susceptible to exploitation.
So, let’s take a dive in to the basics of the Linux kernel, why it’s important, and what it does. We’ll have a look at what happens when your kernel is no longer supported, and why ageing kernels can be a serious problem for device and network security.
Kernels, kernels everywhere!
It’s easy to forget that fully fledged operating systems are not confined to your desktop computers and servers; operating systems are everywhere. Most of us take for granted that our car’s satellite navigation system just works, our Internet connected fridge can email us, and inflight entertainment systems don’t crash while we’re watching Keeping Up with the Kardashians.
Even though your router only has a web interface and a few blinken-lights, and your IoT children’s toy sings lullabies (while spying on your kids), they have many things in common. They all run an operating system, there’s a good chance those operating systems are Linux based. Nearly all of these devices can run other software applications that can do just about anything.
The heart of your operating system
At the heart of your device’s operating system is the kernel. It’s the gatekeeper that controls everything. It manages hardware, user permissions, privileges, memory, software and interfaces. It’s the core of your operating system, and it’s critical that it’s secure.
The kernel is there to make things easy. It makes interactions between components more abstract, which means software developers don’t need to know about the inner workings of hardware or RAM to be able to create software that writes to a file, for example.
Say I’m a programmer and I want to save a text file, in just about every programming language the process is similar:
Open “cheesecake recipe.txt” for writing
Take cheesecake recipe from memory and shove it into the file
Close “cheesecake recipe.txt”
What happens behind the scenes is actually very complicated. If you think about the actual instructions the CPU is executing and all of the device interactions it’s insanely, ridiculously, stupidly complicated. There are entire textbooks devoted to kernel drivers and university courses that take entire semesters to superficially explain operating systems.
In our example, the process of writing a file involves kernel parts and drivers that manage memory allocation, file-system structures, hard disk drivers, character drivers, block drivers, chipset drivers, (the list goes on). The kernel manages all of these interactions so that programmers can conveniently open a file and save their cheesecake recipes.
If any of these kernel components is faulty, it could provide a foothold for hackers to breach your system. For example, if a file-system driver can’t handle extremely long filenames, hackers could potentially use that vulnerability to exploit the system.
Many security factors come in to play, when a part inside the kernel has a bug. Suddenly, your entire operating system and device could be vulnerable to exploitation because of a seemingly insignificant problem.
Kernel versions and fixing bugs
There’s no ‘one’ Linux kernel; the kernel is just a piece of software and like any other software application it has many versions. In fact, there are dozens of official Linux kernel versions and bazillions of unofficial ones. Being open source also means that any device engineer, programmer, or amateur hack can download it, fiddle with it and build their own custom version.
If you check the list you’ll see the Linux kernel has a numbering scheme just like most other software. It has a kernel version, major version, minor version, and a patch version. It can also have other letters and numbers that are often used to identify beta or release candidates and custom-built kernels.
To build a Linux kernel, the process is not particularly difficult. A determined amateur could (software gods permitting) compile a Linux kernel from source after a few hours of reading instructions, a little swearing and a lot of coffee.
Unfortunately, it’s this easy access that opens the door to vulnerabilities and configuration problems.