State of the Kernel Self Protection Project

Posted Sep 3, 2016 13:59 UTC (Sat) by rahulsundaram (subscriber, #21946)
In reply to: State of the Kernel Self Protection Project by PaXTeam
Parent article: State of the Kernel Self Protection Project

> the proper way to upstream our code would be for somebody to pay for that time.

That's the rub. People are getting paid to do that. It just so happens to be people who have a history of doing it.



State of the Kernel Self Protection Project

Posted Sep 3, 2016 14:32 UTC (Sat) by PaXTeam (guest, #24616) [Link] (2 responses)

no, the rub is that while they're supposedly paid to upstream our code instead they end up ripping random stuff out without understanding what it does, how it works, how it was designed, etc. the end result is various ways and levels of brokenness which among others means that i still have to patch these ripped out parts in PaX to make them work properly (it's not a new phenomenon by the way, i've had to do this ever since NX/ASLR appeared upstream). i think that's not a history one would be proud of but then they're not wasting my money at least ;).

State of the Kernel Self Protection Project

Posted Sep 3, 2016 15:04 UTC (Sat) by rahulsundaram (subscriber, #21946) [Link] (1 responses)

> no, the rub is that while they're supposedly paid to upstream our code instead they end up ripping random stuff out

You aren't pushing for that code to be directly upstreamed. That isn't necessarily a pleasant process and it is time consuming but since you aren't interested in doing that, you do end up losing control over how it is done.

State of the Kernel Self Protection Project

Posted Sep 3, 2016 15:12 UTC (Sat) by PaXTeam (guest, #24616) [Link]

> You aren't pushing for that code to be directly upstreamed.

i guess you've successfully concluded an infinite loop now: https://lwn.net/Articles/699300/

State of the Kernel Self Protection Project

Posted Sep 3, 2016 15:36 UTC (Sat) by Lionel_Debroux (subscriber, #30014) [Link] (3 responses)

The entry barrier for _significant_ security improvements to the mainline kernel - as opposed to e.g. KASLR, repeatedly shown to be easily defeatable - is very high.

As mentioned previously on LWN, e.g. https://lwn.net/Articles/662907/ , Linus himself repeatedly refuses some of the most powerful PaX defenses. Not only are the hardware protections of recent high-end x86, x86_64 and ARMv7 processors he's mentioning not as powerful as PaX's (partially) software protections - see e.g. https://lwn.net/Articles/617945/ - but also, MEMORY_UDEREF and KERNEXEC work on processors about a decade older, and less expensive parts, which means that they could protect the vast majority of existing computers, rather than a tiny minority.
Emese Revfy once spent time, probably a significant amount thereof, making a large patch series constifying lots of needlessly writable, and therefore ripe for abuse, mostly "ops" structures in the kernel. The fact is that relatively few maintainers picked up the pieces.

Fortunately, the number of distros packaging grsec kernels is growing, and programs are slowly being improved / fixed - depending on one's POV - to work on PaX/grsec kernels (e.g. Docker wrt. grsec chroot hardening), which means that it's getting easier for users to get most PaX/grsec benefits. RANDSTRUCT is nullified by shared builds, but the other benefits, spanning a wide range of defenses, remain.

State of the Kernel Self Protection Project

Posted Sep 3, 2016 15:49 UTC (Sat) by rahulsundaram (subscriber, #21946) [Link] (2 responses)

> The entry barrier for _significant_ security improvements to the mainline kernel - as opposed to e.g. KASLR, repeatedly shown to be easily defeatable - is very high.

True but the politics here is unhelpful. The developers involved are not exactly pleasant folks to work with.

State of the Kernel Self Protection Project

Posted Sep 3, 2016 16:25 UTC (Sat) by spender (guest, #23067) [Link] (1 responses)

Are we talking about Linus and Greg KH?

-Brad

State of the Kernel Self Protection Project

Posted Sep 4, 2016 0:59 UTC (Sun) by rahulsundaram (subscriber, #21946) [Link]

> Are we talking about Linus and Greg KH?

On either side.

