DaemonForums  

Go Back   DaemonForums > DaemonForums.org > News

News News regarding BSD and related.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 27th April 2017
e1-531g e1-531g is offline
VPN Cryptographer
 
Join Date: Mar 2014
Posts: 369
Default grsecurity® is ceasing public availability of their all patches

grsecurity® is a set of patches for Linux kernel. Purpose of grsecurity® is to harden system security.
Passing the Baton: FAQ
Quote:
This change is effective today, April 26th 2017. Public test patches have been removed from the download area. 4.9 was specifically chosen as the last public release as being the latest upstream LTS kernel will help ease the community transition.
This is a continuation of http://daemonforums.org/showthread.p...ght=grsecurity
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
Reply With Quote
  #2   (View Single Post)  
Old 27th April 2017
beiroot beiroot is offline
Fdisk Soldier
 
Join Date: Sep 2016
Posts: 64
Default

Where does that leave linux kernel security?
Can anyone describe the overall state of linux kernel security anno domini 2017?
Reply With Quote
  #3   (View Single Post)  
Old 27th April 2017
e1-531g e1-531g is offline
VPN Cryptographer
 
Join Date: Mar 2014
Posts: 369
Default

I'm not expert, but thanks to "Kernel Self Protection Project" today overall state of Linux vanilla kernel is better than was in 2014. https://outflux.net/slides/2016/lss/kspp.pdf

On the other hand there is still a lot to do about ROP.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
Reply With Quote
  #4   (View Single Post)  
Old 28th April 2017
cynwulf's Avatar
cynwulf cynwulf is offline
Package Pilot
 
Join Date: Mar 2014
Posts: 213
Default

KSPP is an external project led by a google developer. Their goals are to get the kind of patching from grsecurity/PAX kernel hardening "in tree", this has not yet been achieved.
Reply With Quote
  #5   (View Single Post)  
Old 28th April 2017
e1-531g e1-531g is offline
VPN Cryptographer
 
Join Date: Mar 2014
Posts: 369
Default

Quote:
Originally Posted by cynwulf View Post
Their goals are to get the kind of patching from grsecurity/PAX kernel hardening "in tree", this has not yet been achieved.
This is very oversimplified. Over last 2 years KSPP have mainlined several patches into Linux vanilla kernel. Some were from PAX, some not. Some mitigations are not enabled by default config and it is up to Gnu/Linux distros to enable them.
It is still far from Grsecurity state-of-art mitigations, but it is better and it is slowly, constantly being improved.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
Reply With Quote
  #6   (View Single Post)  
Old 28th April 2017
cynwulf's Avatar
cynwulf cynwulf is offline
Package Pilot
 
Join Date: Mar 2014
Posts: 213
Default

I did not state that they had achieved nothing or question their achievments.

http://kernsec.org/wiki/index.php/Ke...ection_Project

Read the mission statement and in particular:
Quote:
These kinds of protections have existed for years in the PaX and grsecurity patches, and in piles of academic papers. For various social, cultural, and technical reasons, they have not made their way into the upstream kernel, and this project seeks to change that. Our focus is on kernel self-protection, rather than kernel-supported userspace protections. The goal is to eliminate classes of bugs and eliminate methods of exploitation.
Reply With Quote
  #7   (View Single Post)  
Old 1st May 2017
Head_on_a_Stick's Avatar
Head_on_a_Stick Head_on_a_Stick is offline
Real Name: Matthew
Mostly Harmless
 
Join Date: Dec 2015
Location: London
Posts: 73
Default

Arch & Alpine now both have linux-hardened kernel packages that incorporate all of the KSPP patches.

It's better than the stock kernel but a pale shadow of the grsec modifications.
Reply With Quote
  #8   (View Single Post)  
Old 3rd May 2017
Carpetsmoker's Avatar
Carpetsmoker Carpetsmoker is offline
Real Name: Martin
Old man from scene 24
 
Join Date: Apr 2008
Location: Dutchman living in the UK
Posts: 2,196
Default

Quote:
Originally Posted by Head_on_a_Stick View Post
Arch & Alpine now both have linux-hardened kernel packages that incorporate all of the KSPP patches.

It's better than the stock kernel but a pale shadow of the grsec modifications.
According to the wiki:

Quote:
Arch no longer offers a substantially hardened kernel package now that the PaX and grsecurity patches are no longer publicly available. The linux-hardened package offers a more security-focused set of configuration options but is not currently comparable to even a tiny subset of what was available before. It primarily exists as a placeholder which will pull in patches from a new public kernel hardening patch set in the early planning phases. See the article on the Gentoo wiki for the current loose plans for a new out-of-tree hardening patch set done in collaboration with upstream work.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Reply With Quote
Reply

Tags
grsec, grsecurity, linux

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Security Grsecurity is going to cease public availability of theirs stable set of patches e1-531g News 2 15th May 2016 05:45 PM
Security VMware patches NFC, Java and SSL J65nko News 0 22nd February 2013 08:27 PM
Security PostgreSQL patches XML flaws J65nko News 0 17th August 2012 09:56 PM
Apache patch patches poorly J65nko News 0 25th November 2011 01:45 PM
FreeBSD 7.0 patches PeterSteele FreeBSD Installation and Upgrading 8 15th November 2008 01:01 AM


All times are GMT. The time now is 07:54 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick