Based on industry reports over the past few days, it appears that Paragon Software will include its New Technology File System 3 (NTFS3) kernel driver in the recent Linux Kernel 5.15 release, which promises improved support for Microsoft's NTFS file system.
Linux creator Linus Torvalds pushed for inclusion of Paragon's NTFS3, saying that it will make working with NTFS systems much easier and, of importance to the security community, will make it easier for developers to cryptographically sign software.
News of NTFS3’s inclusion in the new Linux kernel was first reported on the Linux site Phoronix earlier this month. Since that time, in citing concern over recent supply chain software attacks, Torvalds cautioned Paragon Software not to use GitHub to make any code mergers into the Linux kernel, calling them “useless garbage merges” that developers shouldn’t use to merge anything.
Supply chain attacks are becoming increasingly more common — and are just as devastating as ever, said Jon Gaines, senior application security consultant at nVisium. So, for someone as renowned as Linus Torvalds to make a statement that moves forward Linux’s integrity in terms of ease of development and security is "such a positive development," Gaines said.
“This need has been around for years and his approach to developing tools that make cryptographically-signed software simpler and easier has been incredibly useful to the Linux community,” said Gaines. “I do hope it doesn't get bogged down or get put behind a price tag, but hopefully that won’t be the case. This entire development most likely would have helped mitigate some vulnerabilities found that were already baked into the Linux Kernel in the past.”
John Bambenek, threat intelligence advisor at Netenrich, said the inclusion of Bash — the standard shell for Linux — in Windows 10 demonstrated that the Windows and Linux worlds are moving to create technology that makes both technologies operate more seamlessly.
“Recent major code supply chain breaches show that strict adherence to best practices are key, especially for code as important as the Linux kernel,” Bambenek said. “Even minor changes, such as we saw in the Codecov incident, can have outsized impact among many enterprises. Any code change should have strong controls as to who committed the change, even in the open source world where change control mechanisms are not present. That being said, this also means the private code signing key must be zealously and vigorously protected.”
Saryu Nayyar, CEO at Gurucul, added that when Linux Torvalds spoke out against Paragon using GitHub to merge code into the Linux kernel, the basic point was that the merge command doesn’t provide a proper chain of authorship, nor an explanation of the changes and why they were made.
"Software providers, including the Linux Foundation, have to have a handle on where individual software components come from, and whether those components come from valid and safe sources,” Nayyar said. “That’s why it’s important to do a full pull request rather than a merge. Components occasionally have security holes, or become infected by malware before they make it into another product. While it’s up to each software supplier to guarantee the integrity of their software, enterprises have to run their own integrity tests on any software that gets deployed into production, and monitor that software once it’s actively used."
While NTFS has been around a long time, first shipping in 1993 – it continues to have broad use in Windows-centric networks,” said Oliver Tavakoli, CTO at Vectra.
“This announcement brings production quality NTFS support into the free Linux kernel for the first time and better enables mixed Linux and Windows environments as organizations inexorably move their data center resources to the cloud,” Tavakoli said.
