Date: Thu, 6 Apr 2017 15:51:30 -0700
From: Kees Cook <keescook@...omium.org>
To: Rik van Riel <riel@...hat.com>
Cc: James Morris <jmorris@...ei.org>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, 
	Michael Leibowitz <michael.leibowitz@...el.com>
Subject: Re: [PATCH 00/18] Introduce struct layout randomization plugin

On Thu, Apr 6, 2017 at 3:32 PM, Rik van Riel <riel@...hat.com> wrote:
> On Fri, 2017-04-07 at 07:54 +1000, James Morris wrote:
>> On Thu, 6 Apr 2017, Kees Cook wrote:
>>
>> > third party kernel module builds), it still has some value there since
>> > now all kernel builds would need to be tracked by an attacker.
>>
>> I don't see this case as providing any value.  Tracking a bunch of known
>> seed values seems like a pretty low bar for an attacker.
>
> I agree this is not likely to provide much value for users
> of distribution kernels.
>
> One possible exception might be if Google started distributing
> dozens, or hundreds, of kernel variants randomly to users of
> Nexus devices, and nobody knew which variant each device was
> running.

Right, or in the distribution case, rebuilding distro kernels instead
of using the binary packages.

-Kees

-- 
Kees Cook
Pixel Security
