Practical Technology

for practical people.

A Linux security story

There’s no such thing as perfect security. There are no programs that give you absolute software security. After all, security is a process, not a product. Linux’s security process, though, is outstanding, which is one reason why it has great security. Here’s an example.

On July 16th, a security programmer named Brad Spengler, who designs an open-source network and server security program called grsecurity, revealed on the Full Disclosure security mailing list that there was a security hole in the 2.6.30 Linux kernel.

The short version of this vulnerability, according to the SANS Internet Storm Center, goes like this: “The vulnerable code is located in the net/tun implementation. Basically, what happens here is that the developer initialized a variable to a certain value that can be NULL. The developer correctly checked the value of this new variable a couple of lines later and, if it is 0 (NULL), he just returns back an error.”
