Google funds two Linux kernel developers to focus on security
Google and the Linux Foundation are prioritizing funds to underwrite two full-time maintainers for Linux kernel security development.
Gustavo Silva and Nathan Chancellor will focus on maintaining and improving kernel security and associated initiatives in order to ensure the world's most pervasive open source software project is sustainable for decades to come.
A recently published open source contributor survey from the Open Source Security Foundation (OpenSSF) and the Laboratory for Innovation Science at Harvard (LISH) has identified a need for additional work on security in open source software. While there are thousands involved in developing the Linux kernel, this contribution from Google to underwrite two full-time Linux security maintainers signals the importance of security in the sustainability of open source software.
"At Google, security is always top of mind and we understand the critical role it plays to the sustainability of open source software," says Dan Lorenc, staff software engineer at Google. "We're honored to support the efforts of both Gustavo Silva and Nathan Chancellor as they work to enhance the security of the Linux kernel."
Chancellor's work will be focused on triaging and fixing all bugs found with Clang/LLVM compilers while working on establishing continuous integration systems to support this work in future. Once those aims are well-established, he plans to begin adding features and polish to the kernel using these compiler technologies. He has been working on the Linux kernel for four and a half years.
Silva's full-time Linux security work is currently dedicated to eliminating several classes of buffer overflows by transforming all instances of zero-length and one-element arrays into flexible-array members. Additionally, he is actively focusing on fixing bugs before they hit the mainline, while also proactively developing defense mechanisms that cut off whole classes of vulnerabilities.
"We are working towards building a high-quality kernel that is reliable, robust and more resistant to attack every time," says Silva. "Through these efforts, we hope people, maintainers in particular, will recognize the importance of adopting changes that will make their code less prone to common errors."
Funding Linux kernel security and development is a collaborative effort, supported by many organizations that depend on the Linux operating system. To support work like this, discussions are taking place in the Securing Critical Projects Working Group of the OpenSSF.