Kernel-hardening project

The project consists of extracting security hardening changes from various patches (which the mentor will point out), forward-porting them to the latest mainstream kernels, making it easy to enable/disable the hardening measures (both at compile time and at runtime), adding documentation, and properly submitting them to and working with LKML (making proposals and owning the discussions through to completion: either rejection or acceptance).

This may optionally involve work with other kernel branches and other upstreams as well (OpenVZ, Red Hat, Ubuntu).

Features from -ow patch (Linux 2.0-2.4)

http://www.openwall.com/lists/kernel-hardening/2011/07/29/5

BINFMT_ELF_AOUT

Status: sent upstream.

Discussion:

http://www.openwall.com/lists/kernel-hardening/2011/07/30/1

Attempt:

http://www.openwall.com/lists/kernel-hardening/2011/08/08/1

Relevant upstream patch:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d20894a23708c2af75966534f8e4dedb46d48db2

HARDEN_STACK

Status: pending.

Discussion:

http://www.openwall.com/lists/kernel-hardening/2011/07/18/8

The patch itself (not ready for inclusion, see the link above):

http://www.openwall.com/lists/kernel-hardening/2011/07/21/3

HARDEN_VM86

Status: needs discussion.

The problem:

http://www.openwall.com/lists/kernel-hardening/2011/06/19/2

HARDEN_PAGE0

Status: done (merged in 2.6.x).

Quoting Solar:

“Historically, I introduced it into 2.4.x-ow before there was mmap_min_addr, then when mainline went with mmap_min_addr and it got into upstream 2.4.x kernels, I dropped my code and made the HARDEN_PAGE0 option merely change the default for mmap_min_addr (it was 0 in 2.4.x by default, IIRC). Now that the default has also changed upstream, there's no need for this option anymore.”
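As an added check, not code from this page, from the -ow patch or from the upstream kernel, the following C program verifies that the protection HARDEN_PAGE0 used to configure is in effect: it reads vm.mmap_min_addr and then attempts to map page zero with MAP_FIXED. On a kernel enforcing a nonzero mmap_min_addr the mmap() fails with EPERM unless the process holds CAP_SYS_RAWIO; if it succeeds, a kernel NULL-pointer dereference could be steered at attacker-controlled data. It assumes Linux with /proc mounted.

```c
/* Added example, not part of the Openwall page or of the -ow patch.
 * Probes whether vm.mmap_min_addr (the upstream replacement for
 * HARDEN_PAGE0) keeps page zero unmappable. Assumes Linux with /proc. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Returns the configured vm.mmap_min_addr, or -1 if it cannot be read. */
long read_mmap_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f)
        return -1;
    long v = -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Tries to map one anonymous page at address 0 with MAP_FIXED.
 * Returns 1 if the mapping succeeded (page zero is mappable),
 * 0 if the kernel refused it; *err receives errno on refusal, 0 otherwise.
 * Without CAP_SYS_RAWIO a nonzero mmap_min_addr makes this fail with EPERM. */
int try_map_page_zero(int *err)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        *err = errno;
        return 0;
    }
    /* p is the NULL page itself; unmap it again so nothing relies on it. */
    munmap(p, page);
    *err = 0;
    return 1;
}

int main(void)
{
    long min_addr = read_mmap_min_addr();
    int err = 0;
    int mapped = try_map_page_zero(&err);

    if (min_addr < 0)
        printf("vm.mmap_min_addr: unreadable\n");
    else
        printf("vm.mmap_min_addr = %ld\n", min_addr);

    if (mapped)
        printf("page zero IS mappable: NULL-page protection not in effect "
               "(mmap_min_addr is 0 or this process has CAP_SYS_RAWIO)\n");
    else
        printf("page zero is not mappable: mmap() failed with %s\n",
               strerror(err));
    return mapped;
}
```

Run it as an unprivileged user: a protected system prints a nonzero mmap_min_addr (65536 is the common default) and "Operation not permitted"; the exit status is 0 only when page zero is unmappable, so the program can be dropped into a hardening check script as-is.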

HARDEN_LINK / HARDEN_FIFO

Status: pending.

Work by Kees Cook:

http://marc.info/?l=linux-security-module&m=130023775422255&w=2

http://www.openwall.com/lists/kernel-hardening/2012/01/07/1 (symlink restrictions on sticky directories)

http://www.openwall.com/lists/kernel-hardening/2012/02/21/20 (hardlink creation restrictions)

HARDEN_PROC

Status: done (merged in Linux 3.3).

Attempts:

http://www.openwall.com/lists/kernel-hardening/2011/06/12/5

http://www.openwall.com/lists/kernel-hardening/2011/06/12/12

http://www.openwall.com/lists/kernel-hardening/2011/06/15/1

http://www.openwall.com/lists/kernel-hardening/2011/06/15/19

http://www.openwall.com/lists/kernel-hardening/2011/08/10/12 (fine-grained)

http://www.openwall.com/lists/kernel-hardening/2011/11/19/4

HARDEN_RLIMIT_NPROC

Status: done (merged into Linux 3.1).

Attempt:

http://www.openwall.com/lists/kernel-hardening/2011/06/12/9

http://www.openwall.com/lists/kernel-hardening/2011/07/29/3

http://www.openwall.com/lists/kernel-hardening/2011/08/08/2

It got a positive reaction from Linus:

http://www.openwall.com/lists/kernel-hardening/2011/07/06/8

HARDEN_SHM

Status: done (merged into Linux 3.1).

Attempt:

http://www.openwall.com/lists/kernel-hardening/2011/06/22/4

ASCII-Armor (base address for libraries)

Status: pending.

Discussion:

http://www.openwall.com/lists/kernel-hardening/2011/07/23/6

The patch:

http://www.openwall.com/lists/kernel-hardening/2011/07/30/2

Attempt:

http://www.openwall.com/lists/kernel-hardening/2011/08/12/9

Special handling of 0,1,2 fds for setuid binaries

Status: done (implemented in glibc loader).

Discussion:

http://www.openwall.com/lists/kernel-hardening/2011/07/29/5

Privileged IP aliases

Status: not needed.

It was considered redundant.

Discussion:

http://www.openwall.com/lists/kernel-hardening/2011/07/29/5

Features from GRSecurity

Overview:

http://www.openwall.com/lists/owl-dev/2011/04/23/1

MODHARDEN

KMEM / IO / ROFS

Discussion:

http://www.openwall.com/lists/kernel-hardening/2011/07/23/2

SOCKET / SOCKET_SERVER

FIXME

Discussions:

http://www.openwall.com/lists/kernel-hardening/2011/07/29/6

PROC / SYSFS_RESTRICT

Status: WIP.

Discussion:

http://www.openwall.com/lists/kernel-hardening/2011/06/14/1

Attempts:

http://thread.gmane.org/gmane.linux.kernel/1141829/focus=1143409

http://www.openwall.com/lists/kernel-hardening/2011/09/27/3 (slabinfo, merged in Sep 2011)

http://www.openwall.com/lists/kernel-hardening/2011/09/27/4 (meminfo, NAK'ed)

https://lkml.org/lkml/2011/11/7/340 (interrupts, NAK'ed)

BRUTE / KERN_LOCKOUT

CHROOT*

DMESG

TPE

BLACKHOLE

Features from PaX

Overview:

http://www.openwall.com/lists/kernel-hardening/2011/06/26/3

PAX_USERCOPY

Status: to be done.

Attempts:

http://www.openwall.com/lists/kernel-hardening/2011/07/03/4

PAX_REFCOUNT

Status: WIP.

http://www.openwall.com/lists/kernel-hardening/2012/02/16/1

PAX_MPROTECT

PAX_KSTACK

PAX_MEMORY_SANITIZE

Standalone features

log spoofing protection

Status: to be done

Attempts:

http://www.openwall.com/lists/kernel-hardening/2011/06/22/2

http://www.openwall.com/lists/kernel-hardening/2011/06/23/2

Linus' reaction:

http://www.openwall.com/lists/kernel-hardening/2011/07/03/7

32/64-bit restrictions in containers

Status: rejected (as it is a subset of seccomp v2).

Discussion:

http://www.openwall.com/lists/kernel-hardening/2011/08/07/1

http://www.openwall.com/lists/kernel-hardening/2011/08/15/4

Attempt:

http://www.openwall.com/lists/kernel-hardening/2011/08/12/14