Mind The Gap - The Linux Ecosystem Kernel Patch Gap
The Linux kernel underpins most of today’s technology ecosystem from IoT to cloud. Critical kernel patches are missing from many Linux applications.
In this presentation we outline the patching challenges arising from the Linux ecosystem’s fragmented nature:
We show that the process of assessing the patching status of a Linux kernel source code tree can be automated, significantly reducing the overhead of keeping Linux devices and distros secure. We also release and showcase tools that anybody can use to test the patch-completeness of kernel source trees and hope to enable better patch hygiene.
We finally discuss overcoming some interesting engineering challenges encountered during the automation, such as handling millions of git commits within minutes. The results can be useful for independent evaluation of the patching process.
Jakob Lell is a security researcher at SRLabs in Berlin. His main interests are Linux/Android security, embedded devices, cryptography, and blockchain security.
Regina Bíró is a security expert with a focus on Android security at SRLabs in Berlin. Her main interests include Android and blockchain security.