Date: Fri, 6 Nov 2015 22:27:17 +0100 From: Mickaël Salaün <mic@...ikod.net> To: kernel-hardening@...ts.openwall.com Cc: Solar Designer <solar@...nwall.com>, Greg KH <gregkh@...uxfoundation.org>, Ben Hutchings <ben@...adent.org.uk>, Ard Biesheuvel <ard.biesheuvel@...aro.org>, James Morris <jmorris@...ei.org>, Mathias Krause <minipli@...glemail.com> Subject: Re: Kernel Self Protection Project Excellent initiative! FYI, you can find the grsecurity patches automatically integrated in a consistent Git repository: https://github.com/linux-scraping/linux-grsecurity . I took all patches I could find (with their signatures and changelogs!), starting from the beginning of the Linux Git history (2005: v220.127.116.11), and applying them following branches and merges. The result is quite interesting and help to dive into the Linux/grsecurity internals (with log, blame and bisect). Moreover, it show the work of Brad Spengler backporting fixes. I did the same with PaX but it needs some more work before going public. Regards, Mickaël On 11/05/15 21:59, Kees Cook wrote: > I'm organizing a community of people to work on the various kernel > self-protection technologies (most of which are found in PaX and > Grsecurity). I'm building on the presentation I gave at Kernel Summit > where I sought to convince the other upstream Linux kernel developers > that security is more than fixing bugs, and that we need to bring in > proactive defenses: > http://lwn.net/Articles/662219/ > > This is especially highlighted by the Washington Post article today: > http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/ > > Between the companies that recognize the critical nature of this work, > and with Linux Foundation's Core Infrastructure Initiative happy to > start funding specific work in this area, I think we can really make a > dent. > > Let's start the work. I've built some wiki pages around my slides, > where we can take notes, list examples, and coordinate: > http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project > > For now, I'm going to focus on taking a look at the PAX_SIZE_OVERFLOW > gcc plugin, which will also get us the gcc plugin infrastructure. > Other people, please speak up on what you'd like to tackle. > > I recommend PAX_REFCOUNT, PAX_USERCOPY, and GRKERNSEC_KSTACKOVERFLOW > for some non-plugin stuff to look at. > > Once we've got plugins, then we should look at PAX_MEMORY_STACKLEAK > and PAX_CONSTIFY_PLUGIN. > > If you're feeling like disrupting people who depend on debugging, do > GRKERNSEC_HIDESYM. > > If you're feeling especially bold, start on PAX_KERNEXEC and follow it > up with PAX_MEMORY_UDEREF. > > Of course, there's plenty of other things, and tons I haven't listed > in the wiki -- please add them and bring them up for discussion here. > > -Kees > Download attachment "signature.asc" of type "application/pgp-signature" (456 bytes)
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.