On 21 Aug 2015 at 18:19, Kevin P. Fleming (BLOOMBERG/ 731 LEX) wrote:
first of all, thanks for your detailed response and new information that
I was not aware of. However as much as it clarified some points, it also
raised new questions. You see, I brought up the issue with fuzzing and
static analysis because Dan Kohn said this earlier:
Jason, if CII funded Grsecurity/PaX for a year or two, it would keepThe way I read this response suggested to me that long-term viability is
an important (and possibly deal breaker?) factor in your funding decisions.
Now you are saying that it was not for the mentioned projects. This leaves
me confused as I do not know what applies and does not apply to a project
such as ours.
You also said that grsecurity was not comparable to fuzzing/static analysis
and is more like a standalone(?) product. I beg to differ here as we produce
much more than just a kernel patch albeit it is perhaps less advertised.
Namely, due to the nature of our proactive defense mechanisms (both runtime
and compile time), they are also good at catching bugs (almost always with
security impact) and we have found and fixed a number of them for the past
few years. One would think that exposing such technologies to a wider audience
would have a much bigger impact on everyone's security than our own limited