This is an old revision of the document!


Kernel-hardening project

The project consists of extracting security hardening changes from various patches (which the mentor will point out), forward-porting them to the latest mainstream kernels, making it easy to enable/disable the hardening measures (both compile- and runtime), adding documentation, properly submitting to and work with LKML (make proposals and own discussions to completion: either rejection or acceptance).

This may optionally involve work with other kernel branches and other upstreams as well (OpenVZ, Red Hat, Ubuntu).

Features from -ow patch (Linux 2.0-2.4)

BINFMT_ELF_AOUT

HARDEN_STACK

Status: pending.

Discussion:

http://www.openwall.com/lists/kernel-hardening/2011/07/18/8

The patch itself (not ready for inclusing, see the link above):

http://www.openwall.com/lists/kernel-hardening/2011/07/21/3

HARDEN_VM86

Status: needs discussion.

The problem:

http://www.openwall.com/lists/kernel-hardening/2011/06/19/2

HARDEN_PAGE0

Status: done (merged in 2.6.x).

Quoting Solar:

“Historically, I introduced it into 2.4.x-ow before there was mmap_min_addr, then when mainline went with mmap_min_addr and it got into upstream 2.4.x kernels, I dropped my code and made the HARDEN_PAGE0 option merely change the default for mmap_min_addr (it was 0 in 2.4.x by default, IIRC). Now that the default has also changed upstream, there's no need for this option anymore.”

HARDEN_LINK / HARDEN_FIFO

HARDEN_PROC

HARDEN_RLIMIT_NPROC

HARDEN_SHM

Status: done (merged into Linux 3.1)

Attempt:

http://www.openwall.com/lists/kernel-hardening/2011/06/22/4

ASCII-Armor (base address for libraries)

Special handling of 0,1,2 fds for setuid binaries

Status: done (implemented in glibc loader).

Discussion:

http://www.openwall.com/lists/kernel-hardening/2011/07/29/5

Privileged IP aliases

Status: not needed.

It was considered redundant.

Discussion:

http://www.openwall.com/lists/kernel-hardening/2011/07/29/5

Features from GRSecurity

MODHARDEN

KMEM / IO / ROFS

SOCKET / SOCKET_SERVER

PROC / SYSFS_RESTRICT

BRUTE / KERN_LOCKOUT

CHROOT*

DMESG

TPE

BLACKHOLE

Features from PaX

PAX_USERCOPY

PAX_REFCOUNT

PAX_MPROTECT

PAX_KSTACK

PAX_MEMORY_SANITIZE

Standalone features

log spoofing protection

32/64-bit restrictions in containers

Owl/kernel-hardening.1332692057.txt · Last modified: 2012/03/25 18:14 by segoon
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported
Recent changes RSS feed Donate to DokuWiki Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki Powered by OpenVZ Powered by Openwall GNU/*/Linux