Re: [cii-census] Support Grsecurity/PaX

Shawn <citypw@...>
 

Hi Dan,

It'd be tough work to break up the features of PaX/Grsec and push
them into upstream, separately. The fact is the vanilla kernel community
doesn't care about mitigation. People who run GNU/Linux servers for
security critical scenes have been suffering from the vanilla kernel guys'
philosophy of A-bug-is-a-bug for years. Some brilliant developers
don't even treat "bypass methods" as a threat:

http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html
http://www.openwall.com/lists/oss-security/2014/12/08/3

IMHO, PaX/Grsec is the only option we have for mission critical
infrastructure if we do want to continue using GNU/Linux.

On Wed, Aug 19, 2015 at 9:44 PM, Dan Kohn <dan@...> wrote:
Thanks for the comment. Has anything significant changed since 2009?
https://lwn.net/Articles/313621/

If members of the PAX team would like to apply for a grant to break up
their work and work with upstream to get it included in mainline
Linux, CII would be happy to consider it.

https://www.coreinfrastructure.org/contact
--
Dan Kohn <mailto:dan@...>
tel:+1-415-233-1000


On Wed, Aug 19, 2015 at 9:12 AM, Jason A. Donenfeld <Jason@...> wrote:
Dear Core Infrastructure Initiative:

I do consulting for several different security companies. The uniform advice
across the industry is: if you want to deploy Linux securely, be sure to be
using a Grsecurity/PaX kernel. This advice is given time after time in
reports authored by several security companies for whom I consult. And
companies who take their security seriously wind up using Grsecurity/PaX.
This isn't just security-scare-speak rattling the saber; this is pretty much
essential and true. As somebody who works day in, day out developing exploits
and finding vulnerabilities, I can tell you that Grsecurity/PaX makes my work
considerably more difficult. The defenses Grsecurity/PaX offers are real,
and are useful. They're doing important work, and as a whole they're moving
everybody forward.

Simply put, anybody serious about security uses a Grsecurity/PaX kernel.

Yet, as far as I can see, the developers (CC'd) receive basically no
funding, and since the source they release is GPL, the thousands of
companies who deploy Grsecurity/PaX are not compelled to give any financial
support. As such, the financial situation of the developers is in nearly
constant peril, and this core Linux project lives under a consistent
existential threat.

Were it not for Grsecurity/PaX, I would probably not be using the Linux
kernel in my mission critical infrastructure, in favor of some flavor of BSD
that's copied Grsecurity/PaX's techniques. Or simply in favor of a smaller,
less performant, more minimal BSD kernel, that would be a big hassle, but
would have a smaller attack surface. However, since there is Grsecurity/PaX,
I feel a bit more comfortable deploying Linux. And I think many in the
security industry feel the same.

So, Core Infrastructure Initiative - please - consider supporting them. I'm
not affiliated with them in any way, but in stumbling across CII, and
reviewing what CII is up to, it struck me that there's currently a glaring
omission in supported projects. Grsecurity/PaX ought to be at the top of the
list.


Thank you,

Jason Donenfeld

_______________________________________________
cii-census mailing list
cii-census@...
https://lists.coreinfrastructure.org/mailman/listinfo/cii-census
--
GNU powered it...
GPL protect it...
God blessing it...

regards
Shawn
