Linux 4.6 and memory protections

Linux 4.6 is here and focuses on security-enhancing runtime memory management. This is a quick overview of the memory protections that now come standard in the mainline kernel, and of the improvements expected in the next releases.

  1. Hardening Two, June 13, 2016, Francesco Pira (fpira.com)
     Linux 4.6 and memory protections: kernel-level security enhancements at runtime
  2. Linux is not that secure…
     • today's KASLR implementation is trivial (little entropy, and a single leaked kernel address reveals the base)
     • backporting of patches is necessary
     • people are scared of kernel updates…
     • …servers are running old kernels
     • it's worse on mobile (Android?)
     • remember: not updated = dead product / service
     • so? we MUST design systems that update their kernels!
  3. So what?
     • read the security bulletins of the software you use
     • install the latest updates
     • update your kernel, no fears!
     • Linux 4.6 has some nice features
     • you should have a look…
  4. Security enhancements in Linux 4.6
     • EFI firmware context isolated from the kernel (on x86, EFI runtime services now run with their own page tables instead of the kernel's)
     • kernel memory protections
     • some features being cherry-picked from grsecurity
     • live kernel patching (livepatch, in mainline since Linux 4.0)
     • now shifting to live kernel updates
  5. About kernel memory protections
     • most originate in grsecurity and PaX
     • read-only kernel text and rodata (CONFIG_DEBUG_RODATA): on by default on ARMv7 and ARMv8, mandatory on x86
     • RANDSTRUCT plugin (structure layout randomization; still grsecurity-only, not yet in 4.6)
     • write protection for kernel data structures that never change after boot (kernel memory only)
     • __ro_after_init marking for write-once data: written during boot, then made read-only when mark_rodata_ro() runs
     • the mainline counterpart of __read_only in grsecurity and PaX
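A userspace analogue of the __ro_after_init idea, added here as an illustration (this is not code from the deck, nor kernel code): a table is filled in during a simulated init phase and then sealed read-only with mprotect(), which flips the same page-table permission bits the kernel flips in mark_rodata_ro(). A write before sealing goes through; a write after sealing faults, and the demo catches the fault with a SIGSEGV handler so it can report the result. All function names are hypothetical.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added userspace analogue of __ro_after_init (hypothetical names): a
 * write-once table lives in its own page, is populated during "init", and is
 * then sealed with mprotect(PROT_READ). Later writes are rejected by the page
 * permission bits, the same mechanism the kernel uses after mark_rodata_ro(). */

static sigjmp_buf fault_env;
static volatile sig_atomic_t faulted;

/* SIGSEGV handler: record the fault and unwind back into try_write(). */
static void on_segv(int sig)
{
    (void)sig;
    faulted = 1;
    siglongjmp(fault_env, 1);
}

/* Allocate one page-aligned, writable page for the table. */
static uint32_t *table_alloc(size_t *len_out)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    *len_out = len;
    return (uint32_t *)p;
}

/* "Init time": populate the table, then seal it. Returns 0 on success. */
static int table_init_and_seal(uint32_t *t, size_t len, size_t n)
{
    for (size_t i = 0; i < n; i++)
        t[i] = (uint32_t)(i * i);           /* write-once contents */
    return mprotect(t, len, PROT_READ);     /* userspace mark_rodata_ro() */
}

/* Attempt a store into the table; return 1 if the hardware blocked it. */
static int try_write(uint32_t *t, size_t idx, uint32_t v)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    faulted = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        *(volatile uint32_t *)&t[idx] = v;  /* faults once the page is RO */

    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* Full demo. Returns 1 if the sealed table kept its init-time value,
 * 0 if the protection did not hold, -1 on an allocation failure. */
int ro_after_init_demo(void)
{
    size_t len;
    uint32_t *t = table_alloc(&len);
    if (!t)
        return -1;

    int blocked_before = try_write(t, 3, 0xdeadbeef); /* page still RW: 0 */
    if (table_init_and_seal(t, len, 16) != 0) {
        munmap(t, len);
        return -1;
    }
    int blocked_after = try_write(t, 3, 0xdeadbeef);  /* page sealed: 1 */
    int kept = (t[3] == 9);                           /* 3*3 from init */

    munmap(t, len);
    return blocked_before == 0 && blocked_after == 1 && kept;
}

int main(void)
{
    printf("write-once table %s\n",
           ro_after_init_demo() == 1 ? "sealed correctly" : "NOT sealed");
    return 0;
}
```

In the kernel the declaration side is just the annotation on the variable (for example `static unsigned long table[16] __ro_after_init;`), which places it in a section that stays writable until init completes and is then covered by the same read-only mapping as the rest of rodata.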
  6. Future
     • Linux 4.7+
     • LoadPin LSM: kernel modules and firmware may only be loaded from the first filesystem they were loaded from (pinned at first use)
     • KASLR on MIPS
     • improved text base address randomization on x86
     • Core Infrastructure Initiative (https://www.coreinfrastructure.org/)
  7. Sources
     https://forums.grsecurity.net/viewtopic.php?f=7&t=4476
     https://www.linux.com/news/greg-kh-update-linux-kernel-46-next-week-new-security-features
     https://forums.freebsd.org/threads/56298/
     http://www.wilderssecurity.com/threads/linux-kernel-4-6-new-self-protection-features.385840/
     https://plus.google.com/u/0/+KeesCook/posts/adtf8msMKNL
     https://www.youtube.com/watch?v=GGBlBIFAKmA
     https://news.ycombinator.com/item?id=11698381
     http://www.theregister.co.uk/2016/04/27/linux_security_bug_report_row/
     http://www.linuxjournal.com/content/no-reboot-kernel-patching-and-why-you-should-care
     https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.7-LoadPin-Restriction
     http://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=31b0b385f69d8d5491a4bca288e25e63f1d945d0
  8. Questions? Thank you!
