Date: Thu, 5 Nov 2015 12:59:21 -0800
From: Kees Cook <>
To: "" <>
Cc: Solar Designer <>, Greg KH <>, 
	Ben Hutchings <>, Ard Biesheuvel <>, 
	James Morris <>
Subject: Kernel Self Protection Project

I'm organizing a community of people to work on the various kernel
self-protection technologies (most of which are found in PaX and
Grsecurity). I'm building on the presentation I gave at Kernel Summit
where I sought to convince the other upstream Linux kernel developers
that security is more than fixing bugs, and that we need to bring in
proactive defenses:

This is especially highlighted by the Washington Post article today:

Between the companies that recognize the critical nature of this work,
and with Linux Foundation's Core Infrastructure Initiative happy to
start funding specific work in this area, I think we can really make a

Let's start the work. I've built some wiki pages around my slides,
where we can take notes, list examples, and coordinate:

For now, I'm going to focus on taking a look at the PAX_SIZE_OVERFLOW
gcc plugin, which will also get us the gcc plugin infrastructure.
Other people, please speak up on what you'd like to tackle.

for some non-plugin stuff to look at.

Once we've got plugins, then we should look at PAX_MEMORY_STACKLEAK

If you're feeling like disrupting people who depend on debugging, do

If you're feeling especially bold, start on PAX_KERNEXEC and follow it

Of course, there's plenty of other things, and tons I haven't listed
in the wiki -- please add them and bring them up for discussion here.


Kees Cook
Chrome OS Security
