Date: 2021-10-18
The authorities have invited IT market players to jointly search for vulnerabilities in the Linux operating system, on which domestic software is being built. They are ready to count the results of this work when product safety certificates are obtained.
The authorities invited companies that make products based on the Linux operating system to take part in the work of the Technology Center for researching the security of this operating system's kernel (main code), which is currently being set up. This was announced by Vitaly Lyutikov, deputy head of the Federal Service for Technical and Export Control (FSTEC), at the OS DAY conference “Russian hardware platforms and operating systems”, which was held last week in Moscow, an RBC correspondent reports.
FSTEC’s tasks include protecting state secrets, countering technical intelligence, ensuring the security of critical information infrastructure (communication networks and information systems of government agencies, energy, financial and other companies).
At the beginning of the year, FSTEC announced a tender for the creation of a Technology Center for researching the security of operating systems based on the Linux kernel. The winner was the V.P. Ivannikov Institute for System Programming of the Russian Academy of Sciences (ISP RAS). In addition to research, this organization develops technologies and products for Samsung, Huawei, Intel, etc. ISP RAS also cooperates with the Linux Foundation, a non-profit consortium, and tests various products for compatibility with this OS.
According to Aleksey Khoroshilov, a leading researcher at ISP RAS, the center should enter trial operation next year and industrial operation in 2023. A total of 300 million rubles is allocated for its creation under the federal project “Information Security” of the national program “Digital Economy”.
Both ISP RAS employees and representatives of Linux-based product developers will work in the center, on a reimbursable or a voluntary basis. “If a product being certified in Russia includes a Linux kernel, then its developer is required to search for vulnerabilities,” explained Khoroshilov. “Nowadays, different companies fulfill these requirements in different ways; some do not have enough resources.”
According to Lyutikov, for now market players are being asked to take part in the work of the center with an “intellectual contribution”: best practices and experience. Those companies that agree will be able to use the center’s research to certify their products. Moreover, the deputy head of FSTEC believes that access to the results should correspond to the contribution that the company makes. He stressed that participation in the work of the center will be voluntary, but at the same time warned that in the future the methodology of certification tests will become more complicated.
Why the center is needed
Linux is distributed under the terms of a free license agreement (the user can use it for any purpose not prohibited by law and has access to the source code to study it, revise it and make changes). Its kernel is the basis for operating systems for supercomputers, servers and other equipment, including software listed in the register of domestic software, which government agencies must purchase on a priority basis.
As Lyutikov emphasized, a large number of vulnerabilities are being identified in open-source software. In particular, in the summer, Kees Cook, one of the Linux kernel developers and a Google employee, said that the community does not have enough programmers to fix the vulnerabilities it finds in time. According to the head of FSTEC, in situations where the international Linux community does not consider it necessary to eliminate some errors in the code, the consolidation of efforts should allow Russian specialists to carry out this work independently.