Merge pull request #6152 from geekpi/master

translated
This commit is contained in:
geekpi 2017-10-22 19:58:52 -05:00 committed by GitHub
commit 077ee64257
2 changed files with 41 additions and 43 deletions

View File

@ -1,43 +0,0 @@
translating---geekpi
Linus Torvalds says targeted fuzzing is improving Linux security
============================================================
Linux 4.14 release candidate five is out. "Go out and test," says Linus Torvalds.
![linus-toravlds-linuxcon-toronto.jpg](http://zdnet4.cbsistatic.com/hub/i/r/2016/09/13/02537e55-6620-4c3b-aa09-c9c068f3823b/resize/770xauto/b866caa8695edbec68f67da0e9a411e9/linus-toravlds-linuxcon-toronto.jpg)
Announcing the fifth release candidate for the Linux kernel version 4.14, Linus Torvalds has revealed that fuzzing is producing a steady stream of security fixes.
Fuzzing involves stress testing a system by generating random code to induce errors, which in turn may help identify potential security flaws. Fuzzing is helping software developers catch bugs before shipping software to users.
Google uses a variety of fuzzing tools to find bugs in its and other vendors' software. Microsoft has launched the [Project Springfield][1] fuzzing service to allow enterprise customers to test their own software.
As Torvalds points out, Linux kernel developers have been using fuzzing programs since the beginning, such as tools like "crashme", which was released in 1991 and nearly 20 years later was [used by Google security researcher Tavis Ormandy][2] to test how well shielded a host is when untrusted data is being processed in a virtual machine.
"The other thing perhaps worth mentioning is how much random fuzzing people are doing, and it's finding things," [writes][3] Torvalds.
"We've always done fuzzing (who remembers the old "crashme" program that just generated random code and jumped to it? We used to do that quite actively very early on), but people have been doing some nice targeted fuzzing of driver subsystems etc, and there's been various fixes (not just this last week either) coming out of those efforts. Very nice to see."
Torvalds mentions that 4.14's development has until now "felt a bit messier than perhaps should have been" but has now smoothed out, and runs through some of the fixes in this build for x86 systems and systems with AMD chips. There are also updates for several drivers, core kernel components, and tooling.
As previously [reported][4], Linux 4.14 is 2017's Long-Term Stable release, which has so far introduced core memory management features, device driver updates, and changes to documentation, architecture, filesystems, networking and tooling.
--------------------------------------------------------------------------------
via: http://www.zdnet.com/article/linus-torvalds-says-targeted-fuzzing-is-improving-linux-security/
作者:[Liam Tung ][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://www.zdnet.com/meet-the-team/eu/liam-tung/
[1]:http://www.zdnet.com/article/microsoft-seeks-testers-for-project-springfield-bug-detection-service/
[2]:http://taviso.decsystem.org/virtsec.pdf
[3]:http://lkml.iu.edu/hypermail/linux/kernel/1710.1/06454.html
[4]:http://www.zdnet.com/article/first-linux-4-14-release-adds-very-core-features-arrives-in-time-for-kernels-26th-birthday/
[5]:http://www.zdnet.com/meet-the-team/eu/liam-tung/
[6]:http://www.zdnet.com/meet-the-team/eu/liam-tung/
[7]:http://www.zdnet.com/topic/security/

View File

@ -0,0 +1,41 @@
Linus Torvalds 说针对性的模糊测试正提升 Linux 安全性
============================================================
Linux 4.14 发布候选第五版已经出来。Linus Torvalds 说:“可以去测试了。”
![linus-toravlds-linuxcon-toronto.jpg](http://zdnet4.cbsistatic.com/hub/i/r/2016/09/13/02537e55-6620-4c3b-aa09-c9c068f3823b/resize/770xauto/b866caa8695edbec68f67da0e9a411e9/linus-toravlds-linuxcon-toronto.jpg)
随着宣布推出 Linux 内核 4.14 的第五个候选版本Linus Torvalds 表示模糊测试正产生一系列稳定的安全更新
模糊测试通过产生随机代码来引发错误来对系统进行压力测试,从而有助于识别潜在的安全漏洞。模糊测试正在帮助软件开发人员在向用户发布软件之前捕获错误。
Google 使用各种模糊测试工具来查找其他供应商软件中的错误。微软推出了 [Project Springfield][1] 模糊测试服务,它能让企业客户测试自己的软件。
正如 Torvalds 指出的那样Linux 内核开发人员从一开始就一直在使用模糊测试程序,例如 1991 年发布的工具 “crashme”它在近 20 年后被[ Google 安全研究员 Tavis Ormandy ][2] 用来测试在虚拟机中处理不受信任的数据时,宿主机是否受到良好保护。
Torvalds 说:“另外值得一提的是人们有做多少随机化模糊测试,而且这正在发现东西。”
“我们一直在做模糊测试(谁记得只能生成随机代码,并跳转过去的老 “crashme” 程序?我们过去很早就这样做),但是人们一直在做一些很好的针对性的驱动子系统等等,而且已经有了各种各样的修复(不仅仅是上周的这些)。很高兴可以看到。
Torvalds 提到到目前为止4.14 的发展“比预想的要麻烦一些”,但现在已经好了,并且在这个版本有一些 x86 系统以及带 AMD 芯片的系统的修复。还有几个驱动程序、核心内核组件和工具的更新。
如前[所述][4]Linux 4.14 是 2017 年的长期稳定版本,迄今为止,它引入了核心内存管理功能、设备驱动程序更新以及文档、架构、文件系统、网络和工具的修改。
--------------------------------------------------------------------------------
via: http://www.zdnet.com/article/linus-torvalds-says-targeted-fuzzing-is-improving-linux-security/
作者:[Liam Tung ][a]
译者:[geekpi](https://github.com/geekpi)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://www.zdnet.com/meet-the-team/eu/liam-tung/
[1]:http://www.zdnet.com/article/microsoft-seeks-testers-for-project-springfield-bug-detection-service/
[2]:http://taviso.decsystem.org/virtsec.pdf
[3]:http://lkml.iu.edu/hypermail/linux/kernel/1710.1/06454.html
[4]:http://www.zdnet.com/article/first-linux-4-14-release-adds-very-core-features-arrives-in-time-for-kernels-26th-birthday/
[5]:http://www.zdnet.com/meet-the-team/eu/liam-tung/
[6]:http://www.zdnet.com/meet-the-team/eu/liam-tung/
[7]:http://www.zdnet.com/topic/security/