A vulnerability search center in Nginx, Python, ClickHouse and other popular applications has appeared in Russia
Customers: Federal Service for Technical and Export Control (FSTEC of Russia) Moscow; State and social structures
Contractors: Institute of System Programming (ISP RAS)
Project date: 2021/04
Project's budget: 300 million rubles
2023: Russia has a vulnerability search center in Nginx, Python, ClickHouse and other popular applications
Created in 2022 by order of the FSTEC of Russia, the Technological Center for the Study of Linux Kernel Security is expanding its powers. It is being transformed into the Center for Security Research of System Software (TsIB SPO), that is, it will deal not only with bug fixes in the Linux kernel, on which most domestic operating systems are based, but will also search for and fix vulnerabilities in the most popular libraries that are used both for developing new software and for transferring Windows applications to domestic platforms.
This was announced at the ISP RAS conference, which was held in early December.
"In agreement with the FSTEC of Russia and the leadership of the Russian Academy of Sciences, the Linux Kernel Security Research Technological Center has been transformed into the System Software Security Research Center, since, in addition to the Linux kernel, a number of open source components popular among domestic developers are being added to the projects investigated within the center," Alexey Khoroshilov, head of the Linux Kernel Security Research Technology Center, told TAdviser about the changes being made. "At the first stage, these will be: OpenSSL, Nginx, Qemu along with libvirt, Podman, Python3, NodeJS, .NET6 Runtime in conjunction with ASP.NET Core, Redis, ClickHouse. This list is not final and will expand in accordance with the needs of domestic developers of information protection tools."
It can be seen that the list of studied software now includes the most popular libraries for network interaction (OpenSSL and Nginx), cloud infrastructure management (Qemu, libvirt and Podman), cross-platform languages and technologies that can be used for import substitution of Windows applications (Python3, NodeJS, .NET6 Runtime, ASP.NET Core), and popular data processing applications (Redis and ClickHouse). These technologies effectively form the mainstream of the import substitution procedure: virtualization of Windows applications, their transfer to a cloud environment and gradual porting to domestic operating systems through the use of cross-platform development tools. By eliminating vulnerabilities in these technologies, employees of the TsIB SPO will help ensure the security of the entire process of import substitution of software.
However, employees of the new center will continue to work on improving the security of the Linux kernel. By now the center's specialists, together with a consortium of domestic software developers, have fixed 247 vulnerabilities in the main branch of the Linux kernel. Moreover, the vulnerabilities were eliminated not only in the domestic repository, but also in the main kernel code distributed around the world. Whereas previously security support focused mainly on the Linux 5.10 kernel, work is now underway on the newer Linux 6.1 kernel. The repositories of the tested code of both kernels are hosted on the servers of the TsIB SPO, and the center's specialists keep them up to date. It is assumed that domestic developers will build their operating systems on the basis of these repositories.
2021
Creation of the Russian branch of the Linux kernel, analysis of millions of lines of code and other grandiose plans of the new technical center at FSTEC
On October 14, 2021, representatives of FSTEC, the scientific community and the IT market spoke in detail for the first time about how the Linux Kernel Security Research Technology Center looks conceptually and how it will work, as well as the prerequisites for its foundation. Plans to create it became known at the beginning of the year. According to the deputy head of FSTEC Vitaly Lyutikov, the center has not yet formally appeared, and issues related to this are still being worked out. Formats of interaction and organizational issues are being discussed together with the ISP RAS, with which FSTEC previously signed a contract for the creation of the center, and with the IT community.
A huge number of vulnerabilities are detected in open source
There are two prerequisites for creating a Linux kernel security research center. First, the OS is one of the key elements in a system and one of the grounds for trust in system security. Without solving the OS security problem, it will not be possible to solve the issues of protection and security in general, says Lyutikov. Second, the number of developers of distributions and of software and hardware products based on the Linux kernel is very significant, and so is the interest in increasing the level of security of this software component.
Kernel security research is one of the most important problem areas, said the FSTEC representative. Organizations that use the kernel have adapted and organized their work in terms of their own improvements, changes in security policies, etc. But as far as the code of the kernel itself is concerned, security research lacks resources. There are not enough tools, testing tools, and specialists, Lyutikov explained. As a result, kernel research still accounts for an insignificant share of security research in the development of domestic Linux distributions.
"This situation needs to be changed. You know that the detected number of vulnerabilities in open source is huge," said Vitaly Lyutikov.
Another problem is the dependence of Russian developers on third-party kernel developers, on eliminating vulnerabilities in it.
"We have many cases when the developer of a distribution kit, on receiving information that there is a vulnerability in the kernel or libraries, execution environments, waits for an update to appear in the corresponding branch or for a new version to be released, without having its own qualifications for correction," said the deputy head of FSTEC. "We are dependent on the work that is carried out not with us and not with us in terms of fixing problems."
Based on the proposals of the domestic IT community and the experience of foreign colleagues, it was decided to carry out work that would allow at least part of these problems to be solved, says Lyutikov. As part of the Digital Economy national program, the issue of creating a technological center for the study of the Linux kernel has been worked on since March 2021.
Expected Center Results
According to Lyutikov, the tasks of the center will be to increase the security of domestic OS distributions based on Linux and everything that is created on them from threats, as well as ensure the technological independence of Russian distribution and hardware companies from external players.
Alexey Khoroshilov, head of the Linux Kernel Security Research Technology Center, said that the center will contribute to the systematic application of the best practices for developing secure software. To do this, it is planned to carry out static analysis of the kernel source code, architectural analysis, full-system dynamic analysis of tainted data, fuzz testing of the kernel, as well as system and unit testing.
It is proposed to analyze the kernel in parts, says Khoroshilov: "This is 22 million lines of code (in the latest version of the Linux kernel - 5.13 - there are more than 29.2 million lines of code - approx. TAdviser), which includes completely different components, starting from cryptography and network protocols - this is a whole universe in which to understand and understand."
Among the expected effects of the center's work is the formation of competence and infrastructure for preparing the domestic branch of the Linux kernel and maintaining the kernel branch that has passed the required research.
It is also planned to develop patches to eliminate vulnerabilities and bugs and develop new features aimed at improving security, preparing methods and recommendations for implementing measures for secure development of the Linux kernel.
Andrey Dukhvalov, head of the advanced technologies department at Kaspersky Lab, noted that you can patch the Linux kernel as much as you like, and there are still vulnerabilities in it. The way we work with vulnerabilities that we have now needs to continue, but everyone understands that this is not a panacea. This topic is close to Kaspersky Lab, it is called Secure by Design (software design from the very beginning as secure). According to Dukhvalov, the company would like to support this direction of work in the technology center - so that the kernel closes entire classes of vulnerabilities using architectural methods.
The results of the center's work can be used by software and hardware companies in their activities. Moreover, IT companies and their specialists are expected to participate actively in the work of the technology center. The more involved they are, the more effectively everything will work.
"We are moving towards creating a community around solving a common problem, the security of the operating system kernel," said Lyutikov.
Alexander Oruzheynikov, deputy head of the Astra Linux GC development department, says that their company, for example, is interested in developing tools for researching and analyzing kernel code, which is closely intertwined with development. Astra Linux is also ready to support groups of enthusiasts who will improve the protection of the kernel itself.
Vitaly Lyutikov notes that it is planned to use the results of the center for security research of OS created on the basis of the Linux kernel, and when certifying various OS distributions. This should slightly unload the FSTEC certification resources when assessing the security of distributions.
Domestic branch of the Linux kernel
On the basis of the center, it is planned to create a domestic branch of the Linux kernel that would synchronize with the global one. It is planned to maintain it on the same principles on which the common kernel is maintained by the community, said Alexey Khoroshilov. Ideally, it should not differ in any way from the stable main branch of the kernel, but should be accompanied by analysis artifacts. The version with which it is tentatively planned to start maintaining the domestic branch is Linux-stable-5.10.
Vitaly Lyutikov, however, explained that creating a domestic Linux kernel is a task for the future. It is unlikely that a separate branch can be created quickly. At the first stage, the main effect of the center's work should still be increased security, achieved by providing the developer community with tools, methods, test results and research.
Also, the representative of FSTEC noted that we are not talking at all about creating some new Linux distribution.
"It seems to me that those who have already followed this path either are still going, and this is at best, or, at worst, are in other places. Therefore, I would not set the task of creating a distribution kit. If in the course of our activities, research, something works out for us, this is another question..." Lyutikov says. "In addition, FSTEC deals with security issues. There is the Ministry of Digital Development, they will create everything you need: distributions and what is connected with this."
Keeping up with the world community
Ensuring the technological independence of Russian developer companies from external players, which is set as one of the tasks of the center's work, does not mean that interaction with the international community should be stopped, Vitaly Lyutikov emphasized. On the contrary, working with it to solve kernel security problems is very important.
"But we must have our own capabilities and competencies to resolve security and support issues on our own," said the representative of FSTEC.
Roman Simakov, director of the system product development department at Red Soft, believes that by combining the efforts of Russian developers, it would be possible to become a prominent player in the global Linux community and promote their own ideas in the development of the global kernel. Simakov suggested that perhaps one of the participants in the Linux Kernel Security Research Technology Center will even grow into a main contributor, a "Torvalds deputy," who will be responsible for some parts. However, the representative of Red Soft added that these are dreams.
At the same time, Roman Simakov believes, since the domestic "hardware" is not available to the entire world community, and also since, in principle, not all Russian patches can be interesting at the global level, it becomes meaningless to deal only with the mainstream and you still have to develop your own kernel branch.
ISP RAS is looking for a hardware supplier to build the infrastructure of the Linux security research center
On September 7, 2021, it became known that the Institute of System Programming named after V.P. Ivannikov of the Russian Academy of Sciences (ISP RAS) was ready to spend almost 38 million rubles on hardware for building the infrastructure of the Technological Center for Security Research of Russian operating systems created on the basis of the Linux kernel.
This amount was put up as the initial maximum price of the contract in the thematic tender of the ISP RAS, which was announced on August 30, 2021 in the format of an electronic auction, which can only be attended by small and medium-sized businesses. Applications from applicants will be accepted until September 15, summing up the results is scheduled for September 21. The winner will have to deliver all the required goods within 80 days from the date of conclusion of the contract.
ISP RAS is creating this center under a contract with the Federal Service for Technical and Export Control (FSTEC) for 300 million rubles. It was signed on March 20, 2021 following the results of the FSTEC competition without reducing the starting price. The institute unsuccessfully tried to compete with the company RusBITech-Astra, which is developing the line of Russian OS Astra Linux.
The term of this contract runs until December 25, 2023. The obligations of the ISP RAS under it include the development of design (technical) documentation and the creation of a software and hardware complex of the center.
The planned servers of several types will be built exclusively on foreign processors. The specified chip parameters (number of cores, clock frequency, etc.) have not yet been implemented in Russian products.
Thus, in accordance with the tender documentation, ISP RAS requires four types of servers. The first type should be based on two processors with a total of 128 cores and a clock speed of 2 GHz, with support for DDR4 ECC memory. The total amount of server RAM is 2048 GB. Each server must have 24 disk drives of 1.92 TB each. The customer needs five such servers.
Two servers of the second type should be built on two processors with a total of 64 cores and a clock speed of at least 2.6 GHz, with support for DDR4 ECC memory. The total amount of server RAM is 512 GB. Each server must be equipped with 4 disk drives of 12 TB each.
One server of the third type should be based on one 16-core processor with a clock speed of at least 2.1 GHz, with support for DDR4 ECC memory. The total amount of server RAM is 128 GB. It must be equipped with 24 disk drives of 12 TB each.
Finally, one more server, of the fourth type, should be built on two processors with a total of 32 cores and a clock speed of at least 2.3 GHz, with support for DDR4 ECC memory. The total amount of server RAM is 256 GB. It must be equipped with 24 disk drives of 3000 GB each.
In addition to servers, the customer also needs one server cabinet, two uninterruptible power supplies and two switches of different[1].
Contract with the ISP RAS for the creation of a center for security research of OS based on the Linux kernel
In early April 2021, it became known about the plans of the Federal Service for Technical and Export Control (FSTEC) to create a center for security studies of operating systems based on the Linux kernel. The corresponding contract in the amount of 300 million rubles was concluded with the Institute of System Programming named after V.P. Ivannikov of the Russian Academy of Sciences.
According to the terms of reference, the center's specialists will work to improve the quality and security of the Linux kernel, thanks to which it is planned to accordingly improve the domestic operating systems created on its basis. This will help reduce "the possible socio-economic consequences of the implementation of computer attacks on the critical information infrastructure of the Russian Federation," the FSTEC hopes.
It is also noted that the new technological center will improve domestic software development and testing tools, improve the qualifications of specialists and develop regulatory and methodological support for secure development processes in the Russian Federation.
Funds for the implementation of the project are allocated from the federal budget within the framework of the federal project "Information Security" of the national program "Digital Economy of the Russian Federation." The technology center is planned to be put into trial operation in 2022, and by the end of 2023 it should be fully launched. By this time, the FSTEC information security threat data bank should be filled with information about vulnerabilities in operating systems based on the Linux kernel.
By 2021, the requirements for the organizational, methodological and scientific-methodological foundations of the functioning of the technological center for the study of the security of operating systems created on the basis of the Linux kernel should be developed and experimentally substantiated.[2]