Date: Fri, 06 Nov 2015 14:28:24 +0100
From: Yves-Alexis Perez <corsac@...ian.org>
To: kernel-hardening@...ts.openwall.com
Cc: Solar Designer <solar@...nwall.com>, Greg KH
 <gregkh@...uxfoundation.org>,  Ben Hutchings <ben@...adent.org.uk>, Ard
 Biesheuvel <ard.biesheuvel@...aro.org>, James Morris <jmorris@...ei.org>
Subject: Re: Kernel Self Protection Project

On jeu., 2015-11-05 at 12:59 -0800, Kees Cook wrote:
> For now, I'm going to focus on taking a look at the PAX_SIZE_OVERFLOW
> gcc plugin, which will also get us the gcc plugin infrastructure.
> Other people, please speak up on what you'd like to tackle.

Hi Kees, and first, many thanks for the initiative. That's definitely something
of interest to me (both personally and professionally).

Something which might also be interesting in kernel self protection is the
“active response” found in grsecurity (GRKERNSEC_SEC_KERN_LOCKOUT) and the
“deter exploit bruteforcing” (GRKERNSEC_BRUTE), which can help prevent
exploitation with repeated attempts.

Some features (especially SEC_KERN_LOCKOUT) are really more useful when UDEREF
and KERNEXEC are available (since those are the most severe violations one can
find), but it could still apply to other violations.

Regards,
-- 
Yves-Alexis

