
OpenSSL after Heartbleed

Posted Apr 30, 2017 3:33 UTC (Sun) by citypw (guest, #82661)
In reply to: OpenSSL after Heartbleed by flussence
Parent article: OpenSSL after Heartbleed

> Can you produce any examples? LKML posts, actual patch submissions, anything like that?

Okidoki, I'm giving you one example here, and you can confirm with Kees Cook, who is one of the main KSPP maintainers:

http://www.openwall.com/lists/kernel-hardening/2017/04/26/17

You can find a lot of evidence of the PaX team helping upstream stuff in the kernel-hardening mailing list:

http://www.openwall.com/lists/kernel-hardening/

> Forgive me if I'm a little skeptical of a project with an absolutely abhorrent track record of shit-flinging in public.

KSPP is the "hero" to most people now, and it's not the fact. KSPP was supposed to be a good example, but everything is too late for now. Can PaX/Grsecurity users get the test patch back? If not, the Linux Foundation should pay for all of this. From our very "narrow" perspectives (both FLOSS supporter and security consultant), we made our point very clear already:

https://hardenedlinux.github.io/announcement/2017/04/29/h...


OpenSSL after Heartbleed

Posted Apr 30, 2017 17:02 UTC (Sun) by flussence (guest, #85566) (5 responses)

It sounds to me like there was infighting within grsecurity: one part of it is trying to be a good citizen and reduce their technical debt, and another shuts the project down the next day.

Who knows, maybe if they got rid of the toxic elements early on they might be earning a profit today.

OpenSSL after Heartbleed

Posted May 1, 2017 3:58 UTC (Mon) by citypw (guest, #82661) (4 responses)

Ah, now it becomes a problem within PaX/Grsecurity? Seriously? As a security consultant who has been through endless nightmares in data centers for years, I know the very simple truth: PaX/Grsecurity was the only option for those who were concerned about their security in the age without SMEP/SMAP [1], and it's still the most effective defense solution for now, and IMHO it's going to keep ahead of the industry in the future.

[1] Linux kernel mitigation checklist:
https://hardenedlinux.github.io/system-security/2016/12/1...

OpenSSL after Heartbleed

Posted May 1, 2017 12:47 UTC (Mon) by pizza (subscriber, #46) (3 responses)

It takes a special sort of someone to deny that PaX/grsec's "woes" have a very strong self-inflicted component to them.

Meanwhile, as a SecurityConsultant(tm) you should also know well that, outside of the likes of nuclear weapons, security does not trump all other considerations, and that if grsec was integrated into the Linux kernel tomorrow and every single device updated to use it the day after, it wouldn't make but a small dent in the tide of data breaches, wouldn't have mitigated the likes of Heartbleed or Shellshock, nor would it have prevented the growing pile of botnets running on the trashware we collectively call the IoT -- hardcoded backdoors, anyone?

...What good is a heavily-reinforced steel door to your house if you just leave all your valuables lying on the ground outside?

OpenSSL after Heartbleed

Posted May 2, 2017 2:51 UTC (Tue) by citypw (guest, #82661) (2 responses)

I trust PaX/Grsecurity only because they have a very good record. Speaking of IoT botnets or the evil things hiding behind the surface, we've been working on core infrastructure protection for data centers and have been through a long-term study, observation and testing, and finally figured out that all I can tell is PaX/Grsecurity is the crucial building block of defense-in-depth in the situational hardening solution. You can take a glance at the slides if you're interested, although they don't contain many details ;-):

https://github.com/hardenedlinux/hardenedlinux_profiles/b...

S0rry, I'm very practical about security. I wouldn't believe what the media/LF/CII are bragging about how they are going to improve security in the next years if you just see what they've done in the past decade. Programmers will make mistakes and introduce more bugs. That's the simple reason why we need mitigation. Fortunately, PaX/Grsecurity is the most effective mitigation we have had.

I don't have a problem with upstreaming stuff. How can you explain to the customers those "massive" exploits that defeated KSPP in just a couple of months?

https://lwn.net/Articles/721381/

OpenSSL after Heartbleed

Posted May 2, 2017 10:55 UTC (Tue) by pizza (subscriber, #46) (1 responses)

> How can you explain to the customers those "massive" exploits that defeated KSPP in just a couple of months?

What does this have to do with OpenSSL/Heartbleed and grsec's utter inability to mitigate it or its effects?

> S0rry, I'm very practical about security.

FWIW, you have yet to actually demonstrate this.

OpenSSL after Heartbleed

Posted May 2, 2017 14:14 UTC (Tue) by citypw (guest, #82661)

>> How can you explain to the customers those "massive" exploits that defeated KSPP in just a couple of months?
> What does this have to do with OpenSSL/Heartbleed and grsec's utter inability to mitigate it or its effects?

You didn't answer the question. Btw, I never said PaX/Grsec could mitigate Heartbleed-like issues. Speaking of OpenSSL, I think the media drew your attention to what they want you to see. I was an OpenSSL/GnuTLS maintainer for openSUSE/SLES for a while, and I know (even though I'm not good at crypto stuff) that there are potentially bigger impacts from some vulns that have to be audited and then formed into part of the security baseline in some data centers. You can google it if your country doesn't block it, though.

>> S0rry, I'm very practical about security.
> FWIW, you have yet to actually demonstrate this.

Oh, this is so hard that I can't demonstrate it. You win, congrats ;-)

Copyright © 2025, Eklektix, Inc.