Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 6 Nov 2015 22:27:17 +0100
From: Mickaël Salaün <mic@...ikod.net>
To: kernel-hardening@...ts.openwall.com
Cc: Solar Designer <solar@...nwall.com>, Greg KH
 <gregkh@...uxfoundation.org>, Ben Hutchings <ben@...adent.org.uk>,
 Ard Biesheuvel <ard.biesheuvel@...aro.org>, James Morris
 <jmorris@...ei.org>, Mathias Krause <minipli@...glemail.com>
Subject: Re: Kernel Self Protection Project

Excellent initiative!

FYI, you can find the grsecurity patches automatically integrated in a consistent Git repository: https://github.com/linux-scraping/linux-grsecurity . I took all patches I could find (with their signatures and changelogs!), starting from the beginning of the Linux Git history (2005: v2.6.14.2), and applying them following branches and merges. The result is quite interesting and help to dive into the Linux/grsecurity internals (with log, blame and bisect). Moreover, it show the work of Brad Spengler backporting fixes.
I did the same with PaX but it needs some more work before going public.

Regards,
 Mickaël


On 11/05/15 21:59, Kees Cook wrote:
> I'm organizing a community of people to work on the various kernel
> self-protection technologies (most of which are found in PaX and
> Grsecurity). I'm building on the presentation I gave at Kernel Summit
> where I sought to convince the other upstream Linux kernel developers
> that security is more than fixing bugs, and that we need to bring in
> proactive defenses:
> http://lwn.net/Articles/662219/
> 
> This is especially highlighted by the Washington Post article today:
> http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/
> 
> Between the companies that recognize the critical nature of this work,
> and with Linux Foundation's Core Infrastructure Initiative happy to
> start funding specific work in this area, I think we can really make a
> dent.
> 
> Let's start the work. I've built some wiki pages around my slides,
> where we can take notes, list examples, and coordinate:
> http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
> 
> For now, I'm going to focus on taking a look at the PAX_SIZE_OVERFLOW
> gcc plugin, which will also get us the gcc plugin infrastructure.
> Other people, please speak up on what you'd like to tackle.
> 
> I recommend PAX_REFCOUNT, PAX_USERCOPY, and GRKERNSEC_KSTACKOVERFLOW
> for some non-plugin stuff to look at.
> 
> Once we've got plugins, then we should look at PAX_MEMORY_STACKLEAK
> and PAX_CONSTIFY_PLUGIN.
> 
> If you're feeling like disrupting people who depend on debugging, do
> GRKERNSEC_HIDESYM.
> 
> If you're feeling especially bold, start on PAX_KERNEXEC and follow it
> up with PAX_MEMORY_UDEREF.
> 
> Of course, there's plenty of other things, and tons I haven't listed
> in the wiki -- please add them and bring them up for discussion here.
> 
> -Kees
> 



Download attachment "signature.asc" of type "application/pgp-signature" (456 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.