How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

Read those first. This is the post I'll link to for similar questions in the future.

People who suggest what patrick_g have suggested are generally ignorant of our history and what we've done, and honestly I find the constant suggestions (even if good-intentioned) from people who don't contribute to furthering security or to our project in any way pretty tiresome and rude.

Both the PaX Team and myself do this work in our own free time. It already uses up more of my time than I'm comfortable with. Where do you propose this additional time come from to do the things you suggest? Take note that that additional time isn't a one-time cost, it would be a cost any time we want to push any additions or changes. It would still be a cost to us every time the kernel is updated. If you think otherwise, ask who is currently ensuring that kptr_restrict in the upstream kernel does what it claims?

The only work that interests me is dealing with the unsolved, difficult security problems. I don't want to spend my time playing politics. I paid out of my own pocket in 2010 to attend the Linux Security Summit and present on what the current state of security was in grsecurity and suggesting ways Linux could harden the kernel in the next decade (judging by how long it takes to rip off our features). Do you know how many major kernel developers attended the summit? None! They were all busy in their own non-security subgroups. It was overall an SELinux circlejerk and a waste of time (other than convincing Kees Cook apparently).

What has been suggested was already attempted by Vasiliy Kulikov during the 2011 GSOC. Here were the results:
http://openwall.info/wiki/Owl/kernel-hardening
What got merged upstream as a result of this?
A variant of /proc restrictions from Openwall and grsec (but without my additional changes).
Openwall's HARDEN_SHM as an optional sysctl.

Dan Rosenberg got Openwall's dmesg restriction merged upstream and attempted to get grsecurity's HIDESYM feature merged upstream. While the dmesg feature is complete (not difficult as it's only a single line of code basically) the HIDESYM feature is woefully incomplete and thus quite useless. None of the kernel developers nor Dan himself care to update it so that it does what it claims.

Seriously, this is all! How much time was wasted on all this? Over 600 emails were ultimately sent on the kernel-hardening list alone for this:
http://www.openwall.com/lists/kernel-hardening/

What have other people done in this area? Ubuntu's kernel hardening roadmap is nearly completely Openwall/grsecurity ripoffs:
https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening
It hasn't been updated in nearly a year, unsurprisingly not long after Kees Cook left Canonical for Google.

In September, 2012 a "Linux security workgroup" was formed:
http://www.openwall.com/lists/kernel-hardening/2012/09/24/1
They have yet to accomplish anything AFAIK.

I don't believe in wasting time on these top-down exercises, where we build some organization or framework with the expectation that the actual useful people or code will just fall into place. It's almost always a failure. Instead I've put my focus on actually creating things. During the same timeframe as above (2011 to now), what have I alone accomplished?

See http://grsecurity.net/the_case_for_grsecurity.pdf slide 15 onward

Bruteforce deterrence for suid/sgid binaries
Preventing module auto-loading by unprivileged users
Enforcing that only filesystem modules can be loaded via mount
Banning an unprivileged user until reboot if he/she causes a detected kernel corruption
Whitelisting specific slab caches when doing copies between userland and the kernel. A copy_from_user could not be abused, for instance, to perform a copy directly into a task struct now.
Disallowed ptracing unreadable binaries
A multithreaded app's change from uid 0 to non-0 will be shared among all threads. Glibc already does this in userland, but other libcs/languages do not.
Race-free implementation of Apache's SymlinksIfOwnerMatch
Prevented suid apps from being able to have alternate memory layouts
Reduced ability to lessen stack entropy for suid apps
Implemented a special ID to protect various /proc entries against future /proc/pid/mem-style vulnerabilities
Automatically protected /proc entries and other seq_file users against kernel address leakage.
Prevented infoleaking of write timings against block/character devices
Killed reliable technique of overwriting another thread's userland stack due to distros not enabling -fstack-check on network services
Protected the BPF JIT against use for in-kernel arbitrary code execution
Implemented PXN support on ARM with VMSAv7, LPAE on or off
Implemented PAX_KERNEXEC on ARM LPAE
Implemented PAX_KERNEXEC/PAX_UDEREF on ARMv6+

We'd need a couple more pages to list what the PaX Team has accomplished in the same time-frame. The "toolchain support" section of http://pax.grsecurity.net/docs/PaXTeam-LATINOWARE12-PaX-l...
lists just some of these.

Now that the general ignorance has been laid bare, do you really want to demand that I waste the time I currently spend creating the above and put it toward fighting with Linus and others to get a measly percentage of these previous improvements merged upstream? It's telling really that on this site, people want to complain to or insult the messenger instead of asking questions and learning something about how security can be improved.

In 2008, we made the case (and proved really, it's not up for debate at this point) that the upstream developers were intentionally covering up security vulnerabilities and that this was harmful for Linux as a whole. The overwhelming response to Linus covering up security vulnerabilities was: "Yes, and?".

In recent news, this has screwed over Linux users yet again with the publication of CVE-2013-0871: http://seclists.org/oss-sec/2013/q1/326. The vulnerability was reported to security@ last month and yet across the board there is not a single vendor report or fix. This despite a Red Hat employee committing the fix. I however spotted the fix last month and backported it, as it matched the model I joked about in my H2HC presentation as a way to find silent upstream vuln fixes. Solar Designer's comments in the reply raise some serious questions that people should be asking. If history is any judge, though, they won't, and the status-quo will continue.

The majority of Linux users apparently are happy with the constant cycle of updates, bugfixing as the way to security, the "a bug is a bug" mantra, the appeal-to-authority SELinux, and other associated snake-oil and bad security advice. I'm no longer interested in helping these people; I believe in a security meritocracy. I'm not going to change the minds of users in general who aren't receptive to new ideas. For them, there's an entire parasitic security industry of AV/IDS/IPS/"Cloud" vendors who would be happy to take their money and make them feel good about it.

As I said before, this problem is not about us: it's about you and the rest of the Linux community. What are you doing to push for change from the status-quo? What are you doing to improve security and how it's handled? What are you doing to extend our work? What are you doing to support our work and make our efforts easier?

-Brad

We need to break that dichotomy between "users are not interested in security - look I can break their system any day in 2012" and "they found a DoS on my personal worthless phone and want me to stop me from making calls for business for one year - theses security guys are ivory tower idiots". (Note how both statements are equally stupid.)

That dichotomy *is* a problem. Maybe it has been maintained for a long time by people taking advantage of it for their own interest (such as writing reports about how long that single bug took to fix in the kernel, or grabbing budgets for entirely unsecure e-voting machines and other miscellaneous devices).
It has also been maintained by some of our short sightedness. We are culprit of not having studied enough the reasons for the existing disagrement on the level of necessary computer security mechanism in our systems, it deserves more studying.

Stated differently, the day we will say "that performance/usability vs. security debate is over, we know how to decide and agree on such questions (without forking entirely different systems)" - that day we will be able to claim higher security than proprietary systems. And that's doable.