Kernel support for control-flow enforcement

Posted Jun 26, 2018 16:43 UTC (Tue) by ju3Ceemi (subscriber, #102464)
In reply to: Kernel support for control-flow enforcement by Lionel_Debroux
Parent article: Kernel support for control-flow enforcement

Well, how may I say that ..

The pax stuff is not in a competition, nor is an alternative.
Because, with pragmatism:
- proprietary -> worthless, it will not be used by the mass
- not upstreamed -> ibid

Kernel support for control-flow enforcement

Posted Jun 27, 2018 8:55 UTC (Wed) by citypw (guest, #82661) [Link] (2 responses)

What do you mean "proprietary -> worthless"? Does Intel ever have PCT patents? SGX? CET? Big corps can have their patent and that's all right. Why a small open source consulting company shouldn't do the same? I mean, what's your point?

"it will not be used by the mass", could you plz give some data statistics? AFAIK, PaX's RAP is the only kernel CFI solution in the production environment.

Kernel support for control-flow enforcement

Posted Jun 28, 2018 1:19 UTC (Thu) by pabs (subscriber, #43278) [Link] (1 responses)

I assume they meant that since RAP (and the rest of grsec/PaX) is hidden behind grsecurity's support contracts, it will never be integrated into popular branches of Linux (like Android or mainline) and thus never reach the majority of systems that run Linux.

Kernel support for control-flow enforcement

Posted Jul 5, 2018 23:34 UTC (Thu) by nix (subscriber, #2304) [Link]

It doesn't seem impossible to reimplement, just fiddly. And CET is fiddly too, and, uh... weak. Distinctly weak. (Mind you, RAP requires thinking about every language you implement it for -- but not all that terribly much, and CET requires compiler modifications too, so that's a wash.)