
SoylentNews is people

posted by janrinok on Saturday November 12 2016, @06:27AM
from the we've-got-to-try dept.

At the 2015 Kernel Summit, Kees Cook said, he talked mostly about the things that the community could be doing to improve the security of the kernel. In 2016, instead, he was there to talk about what had actually been done. Kernel hardening, he reminded the group, is not about access control or fixing bugs. Instead, it is about the kernel protecting itself, eliminating classes of exploits, and reducing its attack surface. There is still a lot to be done in this area, but the picture is better than it was one year ago.

One area of progress is in the integration of GCC plugins into the build system. The plugins in the kernel now are mostly examples, but there will be more interesting ones coming in the future. Plugins are currently supported for the x86, arm, and arm64 architectures; he would like to see that list grow, but he needs help from the architecture maintainers to validate the changes. Plugins are also not yet used for routine kernel compile testing, since it is hard to get the relevant sites to install the needed dependencies.

Linus asked how much plugins would slow the kernel build process; linux-next maintainer Stephen Rothwell also expressed interest in that question, noting that "some of us do compiles all day." Kees responded that there hadn't been a lot of benchmarking done, but that the cost was "not negligible." It is, though, an important part of protecting the kernel.


  • (Score: 4, Insightful) by ticho on Saturday November 12 2016, @09:36AM

    by ticho (89) on Saturday November 12 2016, @09:36AM (#425992)

    Wow, this is one discussion thread where Soylent has completely failed to be useful, and did a full Slashdot, with nothing but primitive flamebait posts. With threads like these, I sometimes feel that five mod points just aren't enough, it's like trying to hold an ocean back with a broom.

  • (Score: -1, Redundant) by Anonymous Coward on Saturday November 12 2016, @09:42AM

    by Anonymous Coward on Saturday November 12 2016, @09:42AM (#425994)

    Trolls be so proud.

  • (Score: 2) by Phoenix666 on Saturday November 12 2016, @11:53AM

    by Phoenix666 (552) on Saturday November 12 2016, @11:53AM (#426017)

    Yes, and it's especially sad because there aren't that many articles that fall under the OS category that Soylentils can geek out about. This is the first one for Linux in about a year I have seen since the systemd furor died down.

    --
    Washington DC delenda est.
    • (Score: 2) by Gaaark on Saturday November 12 2016, @08:22PM

      by Gaaark (41) on Saturday November 12 2016, @08:22PM (#426120)

      I think the problem is it's less an OS category than a privacy vs security category.

      How much do you value your users' privacy vs how well do you want to secure your system. Actually, a pretty contentious issue, depending on who you are: user or manager.

      Kind of like citizen vs NSA/FBI etc.

      --
      --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---