Subscribe: codeblog
http://outflux.net/blog/feed/

codeblog



code is freedom -- patching my itch



Last Build Date: Thu, 04 Jan 2018 21:43:41 +0000




SMEP emulation in PTI

Thu, 04 Jan 2018 21:43:41 +0000

A nice additional benefit of the recent Kernel Page Table Isolation (CONFIG_PAGE_TABLE_ISOLATION) patches (to defend against CVE-2017-5754, the speculative execution “rogue data cache load” or “Meltdown” flaw) is that the userspace page tables visible while running in kernel mode lack the executable bit. As a result, systems without the SMEP CPU feature (before Ivy Bridge) get […]



security things in Linux v4.14

Wed, 15 Nov 2017 05:23:50 +0000

Previously: v4.13. Linux kernel v4.14 was released this last Sunday, and there’s a bunch of security things I think are interesting: vmapped kernel stack on arm64 Similar to the same feature on x86, Mark Rutland and Ard Biesheuvel implemented CONFIG_VMAP_STACK for arm64, which moves the kernel stack to an isolated and guard-paged vmap area. With […]



security things in Linux v4.13

Tue, 05 Sep 2017 23:01:20 +0000

Previously: v4.12. Here’s a short summary of some of interesting security things in Sunday’s v4.13 release of the Linux kernel: security documentation ReSTification The kernel has been switching to formatting documentation with ReST, and I noticed that none of the Documentation/security/ tree had been converted yet. I took the opportunity to take a few passes […]



GRUB and LUKS

Wed, 30 Aug 2017 17:27:05 +0000

I got myself stuck yesterday with GRUB running from an ext4 /boot/grub, but with /boot inside my LUKS LVM root partition, which meant GRUB couldn’t load the initramfs and kernel. Luckily, it turns out that GRUB does know how to mount LUKS volumes (and LVM volumes), but all the instructions I could find talk about […]



security things in Linux v4.12

Mon, 10 Jul 2017 08:24:23 +0000

Previously: v4.11. Here’s a quick summary of some of the interesting security things in last week’s v4.12 release of the Linux kernel: x86 read-only and fixed-location GDT With kernel memory base randomization, it was still possible to figure out the per-cpu base address via the “sgdt” instruction, since it would reveal the per-cpu GDT location. […]



security things in Linux v4.11

Tue, 02 May 2017 21:17:25 +0000

Previously: v4.10. Here’s a quick summary of some of the interesting security things in this week’s v4.11 release of the Linux kernel: refcount_t infrastructure Building on the efforts of Elena Reshetova, Hans Liljestrand, and David Windsor to port PaX’s PAX_REFCOUNT protection, Peter Zijlstra implemented a new kernel API for reference counting with the addition of […]



security things in Linux v4.10

Tue, 28 Feb 2017 06:31:42 +0000

Previously: v4.9. Here’s a quick summary of some of the interesting security things in last week’s v4.10 release of the Linux kernel: PAN emulation on arm64 Catalin Marinas introduced ARM64_SW_TTBR0_PAN, which is functionally the arm64 equivalent of arm’s CONFIG_CPU_SW_DOMAIN_PAN. While Privileged eXecute Never (PXN) has been available in ARM hardware for a while now, Privileged […]



security things in Linux v4.9

Mon, 12 Dec 2016 19:05:55 +0000

Previously: v4.8. Here are a bunch of security things I’m excited about in the newly released Linux v4.9: Latent Entropy GCC plugin Building on her earlier work to bring GCC plugin support to the Linux kernel, Emese Revfy ported PaX’s Latent Entropy GCC plugin to upstream. This plugin is significantly more complex than the others […]



CVE-2016-5195

Thu, 20 Oct 2016 23:02:04 +0000

My prior post showed my research from earlier in the year at the 2016 Linux Security Summit on kernel security flaw lifetimes. Now that CVE-2016-5195 is public, here are updated graphs and statistics. Due to their rarity, the Critical bug average has now jumped from 3.3 years to 5.2 years. There aren’t many, but, as […]



Security bug lifetime

Wed, 19 Oct 2016 04:46:05 +0000

In several of my recent presentations, I’ve discussed the lifetime of security flaws in the Linux kernel. Jon Corbet did an analysis in 2010, and found that security bugs appeared to have roughly a 5 year lifetime. As in, the flaw gets introduced in a Linux release, and then goes unnoticed by upstream developers until […]



security things in Linux v4.8

Wed, 05 Oct 2016 00:26:19 +0000

Previously: v4.7. Here are a bunch of security things I’m excited about in Linux v4.8: SLUB freelist ASLR Thomas Garnier continued his freelist randomization work by adding SLUB support. x86_64 KASLR text base offset physical/virtual decoupling On x86_64, to implement the KASLR text base offset, the physical memory location of the kernel was randomized, which […]



security things in Linux v4.7

Mon, 03 Oct 2016 07:47:39 +0000

Previously: v4.6. Onward to security things I found interesting in Linux v4.7: KASLR text base offset for MIPS Matt Redfearn added text base address KASLR to MIPS, similar to what’s available on x86 and arm64. As done with x86, MIPS attempts to gather entropy from various build-time, run-time, and CPU locations in an effort to […]



security things in Linux v4.6

Sat, 01 Oct 2016 07:45:15 +0000

Previously: v4.5. The v4.6 Linux kernel release included a bunch of stuff, with much more of it under the KSPP umbrella. seccomp support for parisc Helge Deller added seccomp support for parisc, which included plumbing support for PTRACE_GETREGSET to get the self-tests working. x86 32-bit mmap ASLR vs unlimited stack fixed Hector Marco-Gisbert removed a […]



security things in Linux v4.5

Wed, 28 Sep 2016 21:58:00 +0000

Previously: v4.4. Some things I found interesting in the Linux kernel v4.5: CONFIG_IO_STRICT_DEVMEM The CONFIG_STRICT_DEVMEM setting that has existed for a long time already protects system RAM from being accessible through the /dev/mem device node to root in user-space. Dan Williams added CONFIG_IO_STRICT_DEVMEM to extend this so that if a kernel driver has reserved a […]



security things in Linux v4.4

Tue, 27 Sep 2016 22:47:08 +0000

Previously: v4.3. Continuing with interesting security things in the Linux kernel, here’s v4.4. As before, if you think there’s stuff I missed that should get some attention, please let me know. seccomp Checkpoint/Restore-In-Userspace Tycho Andersen added a way to extract and restore seccomp filters from running processes via PTRACE_SECCOMP_GET_FILTER under CONFIG_CHECKPOINT_RESTORE. This is a continuation […]



security things in Linux v4.3

Mon, 26 Sep 2016 22:54:38 +0000

When I gave my State of the Kernel Self-Protection Project presentation at the 2016 Linux Security Summit, I included some slides covering some quick bullet points on things I found of interest in recent Linux kernel releases. Since there wasn’t a lot of time to talk about them all, I figured I’d make some short […]



evolution of seccomp

Wed, 11 Nov 2015 18:01:54 +0000

I’m excited to see other people thinking about userspace-to-kernel attack surface reduction ideas. Theo de Raadt recently published slides describing Pledge. This uses the same ideas that seccomp implements, but with less granularity. While seccomp works at the individual syscall level and, in addition to killing processes, allows for signaling, tracing, and errno spoofing, […]



3D printing Poe

Mon, 27 Jul 2015 23:08:54 +0000

I helped print this statue of Edgar Allan Poe, through “We the Builders”, who coordinate large-scale crowd-sourced 3D print jobs: You can see one of my parts here on top, with “-Kees” on the piece with the funky hair strand: The MakerWare I run on Ubuntu works well. I wish they were correctly signing their […]



barcode consolidation

Wed, 14 Jan 2015 01:33:09 +0000

I had a mess of loyalty cards filling my wallet. It kind of looked like this: They took up too much room, and I used them infrequently. The only thing of value on them are the barcodes they carry that identify my account with whatever organization they’re tied to. Other folks have talked about doing […]



Open EVSE

Wed, 10 Dec 2014 20:53:11 +0000

Needing a new car, and wanting to never purchase another gas-fuelled motor, I bought a Nissan LEAF. (Trivia: LEAF appears to be a backronym for “Leading, Environmentally friendly, Affordable, Family car”.) This vehicle has effectively a 22kWh battery and goes maybe 80 miles on a charge, which is more than enough for running errands. The […]



glibc select weakness fixed

Fri, 13 Jun 2014 19:21:08 +0000

In 2009, I reported this bug to glibc, describing the problem that exists when a program is using select, and has its open file descriptor resource limit raised above 1024 (FD_SETSIZE). If a network daemon starts using the FD_SET/FD_CLR glibc macros on fdset variables for descriptors larger than 1024, glibc will happily write beyond the […]



Linux Security Summit 2014

Wed, 07 May 2014 18:31:13 +0000

The Linux Security Summit is happening in Chicago August 18th and 19th, just before LinuxCon. Send us some presentation and topic proposals, and join the conversation with other like-minded people. :) I’d love to see what people have been working on, and what they’d like to work on. Our general topics will hopefully include: System […]



compiler hardening in Ubuntu and Debian

Mon, 03 Feb 2014 16:42:45 +0000

Back in 2006, the compiler in Ubuntu was patched to enable most build-time security-hardening features (relro, stack protector, fortify source). I wasn’t able to convince Debian to do the same, so Debian went the route of other distributions, adding security hardening flags during package builds only. I remain disappointed in this approach, because it means […]



-fstack-protector-strong

Mon, 27 Jan 2014 22:28:18 +0000

There will be a new option in gcc 4.9 named “-fstack-protector-strong”, which offers an improved version of “-fstack-protector” without going all the way to “-fstack-protector-all”. The stack protector feature itself adds a known canary to the stack during function preamble, and checks it when the function returns. If it changed, there was a stack overflow, […]



DOM scraping

Sat, 21 Dec 2013 07:16:24 +0000

For a long time now I’ve used mechanize (via either Perl or Python) for doing website interaction automation. Stuff like playing web games, checking the weather, or reviewing my balance at the bank. However, as the use of javascript continues to increase, it’s getting harder and harder to screen-scrape without actually processing DOM events. To […]



live patching the kernel

Tue, 10 Dec 2013 23:40:06 +0000

A nice set of recent posts have done a great job detailing the remaining ways that a root user can get at kernel memory. Part of this is driven by the ideas behind UEFI Secure Boot, but they come from the same goal: making sure that the root user cannot directly subvert the running kernel. […]



Thanks UPS

Wed, 27 Nov 2013 04:25:19 +0000

My UPS has decided that every two weeks when it performs a self-test that my 116V mains power isn’t good enough, so it drains the battery and shuts down my home network. Only took a month and a half for me to see on the network graphs that my outages were, to the minute, 2 […]



TPM providing /dev/hwrng

Tue, 13 Aug 2013 17:10:51 +0000

A while ago, I added support for the TPM’s pRNG to the rng-tools package in Ubuntu. Since then, Kent Yoder added TPM support directly into the kernel’s /dev/hwrng device. This means there’s no need to carry the patch in rng-tools any more, since I can use /dev/hwrng directly now: # modprobe tpm-rng # echo tpm-rng […]



Hardy is end of life

Thu, 09 May 2013 20:53:15 +0000

Well, the second Ubuntu Long Term Support release, 8.04 Hardy, has reached end-of-life. (Along with 11.10 Oneiric and the Desktop Support for the 10.04 LTS Lucid.) Flushing my package mirror of Hardy and Oneiric was pretty dramatic, freeing up about 142GB worth of space. Before: $ df -h /var/cache/mirrors/ Filesystem Size Used Avail Use% Mounted […]



facedancer built

Mon, 21 Jan 2013 22:39:09 +0000

I finally had the time to put together the facedancer11 that Travis Goodspeed was so kind to give me. I had ordered all the parts some time ago, but had been dreading the careful surface-mount soldering work it was going to require. As it turned out, I’m not half bad at it — everything seems […]