State of the Kernel Self Protection Project
Posted Sep 5, 2016 17:56 UTC (Mon) by spender (guest, #23067)
In reply to: State of the Kernel Self Protection Project by jake
Parent article: State of the Kernel Self Protection Project
Regarding KASLR and the article/slides, I read them just fine. What matters here (and where the spin occurs) is not in what's said, but in what isn't. That KASLR is being extended is just more cargo cult security and a distraction. What won't ever be mentioned is that there are generic local defeats circulating in public that none of these extensions deal with whatsoever. It's a way to avoid admitting it's a nonsense mitigation to begin with, if attackers even in the most strict sandboxes can defeat it. Upstream won't do anything to deal with it either, likely because it's not clear if anything can be done about it. KSPP wants the image of security progress, so you can't expect Kees to admit the uselessness of KASLR in his talk, nor could you expect him to announce himself KSPP is bumbling along, when he needs to give the impression that it's a successful effort in order to attract more free work for the Linux Foundation.
-Brad
