From: Yves-Alexis Perez <corsac@debian.org>
To: kernel-hardening@lists.openwall.com
Cc: Solar Designer <solar@openwall.com>,
Greg KH <gregkh@linuxfoundation.org>,
Ben Hutchings <ben@decadent.org.uk>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
James Morris <jmorris@namei.org>
Subject: Re: [kernel-hardening] Kernel Self Protection Project
Date: Fri, 06 Nov 2015 14:28:24 +0100 [thread overview]
Message-ID: <1446816504.8412.35.camel@debian.org> (raw)
In-Reply-To: <CAGXu5jJ3FgxXK9WuOLRwnEq=y4dS+CTm+WQBxWe3sYZ7e9p6Gg@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 920 bytes --]
On jeu., 2015-11-05 at 12:59 -0800, Kees Cook wrote:
> For now, I'm going to focus on taking a look at the PAX_SIZE_OVERFLOW
> gcc plugin, which will also get us the gcc plugin infrastructure.
> Other people, please speak up on what you'd like to tackle.
Hi Kees, and first many thanks for the initiative. That's definitely something
of interest for me (both personally and professionally).
Something which might also be interesting in kernel self protection is the
“active response” found in grsecurity (GRKERNSEC_SEC_KERN_LOCKOUT) and the
“deter exploite bruteforcing” (GRKERNSEC_BRUTE), which can help prevent
exploitation with repeated attempts.
Some features (especially SEC_KERN_LOCKOUT) are really more useful when UDEREF
and KERNEXEC are available (since those are the most severe violations one can
find), but it could still apply to other violations.
Regards,
--
Yves-Alexis
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 473 bytes --]
next prev parent reply other threads:[~2015-11-06 13:28 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-05 20:59 [kernel-hardening] Kernel Self Protection Project Kees Cook
2015-11-05 21:14 ` David Windsor
2015-11-06 19:37 ` Kees Cook
2015-11-06 19:42 ` Greg KH
2015-11-06 13:28 ` Yves-Alexis Perez [this message]
2015-11-06 18:11 ` Kees Cook
2015-11-06 18:32 ` Richard Weinberger
2015-11-08 10:39 ` Yves-Alexis Perez
2015-11-06 16:00 ` [kernel-hardening] " Quentin Casasnovas
2015-11-06 18:15 ` Kees Cook
2015-11-07 9:52 ` Quentin Casasnovas
2015-11-08 6:50 ` Kees Cook
2015-11-08 10:45 ` Quentin Casasnovas
2015-11-09 21:29 ` Kees Cook
2015-11-09 21:44 ` Valdis.Kletnieks
2015-11-09 21:55 ` David Windsor
2015-11-09 23:35 ` Kees Cook
2015-11-10 8:32 ` Quentin Casasnovas
2015-11-09 23:36 ` Kees Cook
2015-11-09 10:02 ` Rasmus Villemoes
2015-11-09 10:33 ` Quentin Casasnovas
2015-11-09 19:24 ` Rasmus Villemoes
2015-11-09 21:34 ` Kees Cook
2015-11-09 21:59 ` [kernel-hardening] Binary blobs HacKurx
2015-11-09 22:20 ` Valdis.Kletnieks
2015-11-09 23:33 ` Kees Cook
2015-11-13 8:04 ` HacKurx
2015-11-13 8:07 ` Daniel Micay
2015-11-13 8:55 ` HacKurx
2015-11-06 21:27 ` [kernel-hardening] Kernel Self Protection Project Mickaël Salaün
2015-11-06 22:04 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1446816504.8412.35.camel@debian.org \
--to=corsac@debian.org \
--cc=ard.biesheuvel@linaro.org \
--cc=ben@decadent.org.uk \
--cc=gregkh@linuxfoundation.org \
--cc=jmorris@namei.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=solar@openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.