Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 10 Jan 2017 12:25:35 -0800
From: Kees Cook <keescook@...omium.org>
To: Kaiwan N Billimoria <kaiwan@...wantech.com>
Cc: "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>
Subject: Re: New to KSPP, would like to contribute

On Tue, Jan 10, 2017 at 4:42 AM, Kaiwan N Billimoria
<kaiwan@...wantech.com> wrote:
> Thanks Kees,
>>
>>
>> Welcome to the list! If you're familiar with mm areas, I'd say a great
>> place to start would be to help finish up the zero-poisoning work,
>> especially extracting the optimizations that PaX did for slabs to
>> avoid, etc.
>
> Ok so I really have no idea reg PaX and optimizations done for slab via it..
> Could you
> enlighten me pl? Point me to relevant links perhaps..

Sure thing! I would recommend downloading the latest grsecurity patchset:
https://grsecurity.net/download.php#test
(currently for a 4.8.7 kernel) and apply it there. Once you have a
tree you can examine, I would look at how CONFIG_PAX_MEMORY_SANITIZE
works, and especially note this from the security/Kconfig:

          The tradeoff is performance impact, on a single CPU system kernel
          compilation sees a 3% slowdown, other systems and workloads may vary
          and you are advised to test this feature on your expected workload
          before deploying it.

          The slab sanitization feature excludes a few slab caches per default
          for performance reasons.  To extend the feature to cover those as
          well, pass "pax_sanitize_slab=full" as kernel command line parameter.

          To reduce the performance penalty by sanitizing pages only, albeit
          limiting the effectiveness of this feature at the same time, slab
          sanitization can be disabled with the kernel command line parameter
          "pax_sanitize_slab=off".

I'd like to see the mentioned excluded slab caches also done in the
kernel, along with similar kernel command line options. Additionally,
getting all the upstream stuff behind a single CONFIG (similar to
CONFIG_PAX_MEMORY_SANITIZE) would be great, instead of having to set 3
CONFIGs and 2 kernel parameters. :)

Let me know if you need more details...

-Kees

-- 
Kees Cook
Nexus Security

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.