SoylentNews

The Status of Linux Kernel Hardening

posted by janrinok on Saturday November 12 2016, @06:27AM   
from the we've-got-to-try dept.

Phoenix666 writes:

At the 2015 Kernel Summit, Kees Cook said, he talked mostly about the things that the community could be doing to improve the security of the kernel. In 2016, instead, he was there to talk about what had actually been done. Kernel hardening, he reminded the group, is not about access control or fixing bugs. Instead, it is about the kernel protecting itself, eliminating classes of exploits, and reducing its attack surface. There is still a lot to be done in this area, but the picture is better than it was one year ago.

One area of progress is in the integration of GCC plugins into the build system. The plugins in the kernel now are mostly examples, but there will be more interesting ones coming in the future. Plugins are currently supported for the x86, arm, and arm64 architectures; he would like to see that list grow, but he needs help from the architecture maintainers to validate the changes. Plugins are also not yet used for routine kernel compile testing, since it is hard to get the relevant sites to install the needed dependencies.

Linus asked how much plugins would slow the kernel build process; linux-next maintainer Stephen Rothwell also expressed interest in that question, noting that "some of us do compiles all day." Kees responded that there hadn't been a lot of benchmarking done, but that the cost was "not negligible." It is, though, an important part of protecting the kernel.

---

Original Submission

• Re:Good luck. Re:Good luck. (Score: 1, Offtopic) by jasassin on Saturday November 12 2016, @08:51AM

  by jasassin (3566) <jasassin@gmail.com> on Saturday November 12 2016, @08:51AM (#425978) Homepage Journal

  Yeah dude, that's the same bullshit rationalization I told myself back in high school when I installed InvisibleOasis on the teacher's Mac Classic

  Keywords there being teacher's Mac.

  That's how long I've been doing this shit, bitch.

  Get back to me when you use man pages (with no prior C knowledge) to code (in about 30 minutes) a fake login for vt100 dumb terminals on an AIX system (and it works flawlessly).

  Yay! You installed a program on a Mac, I wrote a program in C to fake a login screen and steal the login/password... and I'm the bitch?

  We have a word for people like you: chomper

  --
  jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A

  Parent

  Starting Score:	1		point
  Moderation		-1
  Offtopic=1, Total=1
  Extra 'Offtopic' Modifier		0
  Karma-Bonus Modifier		+1
  Total Score:		1

• Re:Good luck. Re:Good luck. (Score: 0) by Anonymous Coward on Saturday November 12 2016, @09:13AM

  by Anonymous Coward on Saturday November 12 2016, @09:13AM (#425985)

  You had man pages? When I was single digits years old I was coding login prompts in Applesoft Basic with nothing but a book from the public library for the urban poor.

  Parent

  • Re:Good luck. Re:Good luck. (Score: 2) by jasassin on Saturday November 12 2016, @09:24AM

    by jasassin (3566) <jasassin@gmail.com> on Saturday November 12 2016, @09:24AM (#425988) Homepage Journal

    I give up.

    --
    jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A

    Parent

    • Re:Good luck. (Score: 2) by Gaaark on Saturday November 12 2016, @06:04PM

      by Gaaark (41) on Saturday November 12 2016, @06:04PM (#426091) Journal

      Yeah, but the AC gives up, going uphill both ways in a snow storm while dragging his dead daddy by the penis!

      --
      --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---

      Parent

  • Re:Good luck. (Score: 1, Offtopic) by art guerrilla on Saturday November 12 2016, @12:38PM

    by art guerrilla (3082) on Saturday November 12 2016, @12:38PM (#426024)

    um, i believe the correct terminology now is 'person pages'...
    get with the times, knuckle-draggers...

    Parent