Date: Thu, 3 Aug 2017 22:13:47 -0700
From: Kees Cook <keescook@...omium.org>
To: Li Kun <hw.likun@...wei.com>
Cc: "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>
Subject: Re: [RFD] Is there any plan to port the RAP feature
 from PAX/Grsecurity to main line ?

On Thu, Aug 3, 2017 at 9:23 PM, Li Kun <hw.likun@...wei.com> wrote:
> Is there any plan to port the RAP feature from PAX/Grsecurity to main line?
> I think that will be a really effective approach to protect against ROP/JOP.

Yeah, RAP is pretty great! I'm not aware of anyone working on
upstreaming the plugin (and its many function declaration fixes and
other adjustments) currently, though.

I've also been interested to see if kCFI[1] will be published soon,
which would be another option (it needs fewer kernel changes, but has
limitations like needing to build the kernel twice). While the code
isn't released yet, they did provide a comparison[2] to RAP which is
an interesting read.

-Kees

[1] https://github.com/kcfi/docs
[2] https://github.com/kcfi/docs/blob/master/kcfi_vs_rap.txt

-- 
Kees Cook
Pixel Security
