upvote

points

by Tiberium15 hours ago |
comments
upvoteby tetha5 hours ago|
next
[-]
Out of this dataset of 2-3 vulnerabilities, I'm noticing a pattern: All of those are in older and/or niche kernel modules. That raises two thoughts:

Maybe the more regularly used kernel code has a lot of low-hanging security topics shaken out of it already.

And second, I'm indeed wondering what a good path to minimize the loadable kernel code is on a system looks like. My container hosts for example have a fairly well defined set of requirements, and IPSec certainly is not in there. So why not block everything solely made to support IPSec? I'm sure there is more than that.

After all, the most reliable way to higher security is to do less things.

reply
upvoteby spartanatreyu8 hours ago|
prev|
next
[-]
LLMs don't matter, linux's codebase has been growing much faster than it can be secured so this is all inevitable.

Transitioning components to rust eliminates certain categories of bugs leaving the rest of the bugs to be dealt with.

We'd likely end up needing another language with stronger type and effect systems to eliminate more categories of bugs. Probably something which enforces linear types, capabilities, units of measure types, and effects.

And you'd have to update linux itself to switch to capabilities.

reply
upvoteby 13 hours ago|
prev|
next
[-]
deleted
reply
upvoteby staticassertion15 hours ago|
prev|
[-]
New vulns are introduced to Linux every day. Fuzzers trigger every single day on Linux. No, nothing will improve here from AI.
reply
upvoteby alex_duf14 hours ago|
parent|
next
[-]
there's an argument to be made that new code will be inspected before being merged and therefore the classes of bugs an LLM is likely to find will not be merged until it's fixed.
reply
upvoteby Muromec14 hours ago|
parent|
prev|
[-]
There is a finite number of bugs and betters tools that find them mean there is less bugs in the code.
reply
upvoteby staticassertion14 hours ago|
parent|
[-]
We already find bugs constantly in Linux and they go unaddressed, no one even keeps up with syzkaller reports lol

AI is neat because it's higher signal but yeah no, we're not getting anywhere close to "safe linux", AI or not.

reply