Date: Wed, 7 Dec 2016 13:09:09 -0800
From: Kees Cook <keescook@...omium.org>
To: "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>
Subject: Re: Regarding PaX

On Tue, Dec 6, 2016 at 11:46 PM, manjunatha srinivasan
<manjunathan.n@...il.com> wrote:
> Hi

Hi!

>
> I am new to PaX.
>
> I have plan to port only PaX (i.e mutual exclusive write/execute
> pages) for latest kernel (kernel.org) for x86_64 architectures. From
> other place I found patch from
> (https://git.m-privacy.de/linux-mprivacy-4.1.git) from branch
> 'paxonly' for 4.1 kernel. From the commit ID
> 9474667100c85c944a0d71ede82ef85e3ab502dc (123248 lines).
> In other place from https://grsecurity.net/download.php, I can see the
> patch 'grsecurity-3.1-4.8.12-201612062306.patch' .
>
> I don't know where to start from these places. Please let me know
> about information on internals i.e. about code implementation and
> related documents of PaX ( i.e. mutual exclusive write/execute
> pages.).

PaX collects a lot of features. It sounds like you're interested only
in the W^X mmap/mprotect/etc feature?

> Also if want to do of porting PaX (i.e mutual exclusive write/execute
> pages) from scratch where can I find internals of it. Is that
> information from https://pax.grsecurity.net/ is enough idea for kick
> start.
> Please let me know the prerequisite knowledge on Linux subsystem like
> memory management before starting.

I would generally recommend reading the code to understand what's
happening. Other folks on the list may have better pointers for where
to learn about Linux mm, but it's a pretty complex area of the kernel.

For the first step, I'd recommend writing tests that currently fail
against the upstream kernel, then extract the pieces from PaX that
cover the feature you're interested in, and make sure your tests then
pass. From there, cutting up the patches into logically distinct
pieces would be next, which would be followed by upstream review (and
likely a few rounds of adjustments to the patches), and hopefully
finally getting them accepted.

> Please let me know any openwall git repository is available.

Openwall just hosts this mailing list.

> If you feel this not the correct place of asking, please advise where
> should I post.

This is the right place to discuss development and porting of security
features for the upstream Linux kernel.

Thanks for the interest!

-Kees

-- 
Kees Cook
Nexus Security
