[Ksummit-discuss] [TECH TOPIC] Kernel Hardening

Thomas Gleixner tglx at linutronix.de
Mon Aug 24 18:52:36 UTC 2015


On Mon, 24 Aug 2015, Kees Cook wrote:
> On Mon, Aug 24, 2015 at 4:56 AM, James Morris <jmorris at namei.org> wrote:
> This is far from a comprehensive list, though. The biggest value, I
> think, would be in using KERNEXEC, UDEREF, USERCOPY, and the plugins
> for constification and integer overflow.

There is another aspect. We need to make developers more aware of the
potential attack issues. I learned my lesson with the futex disaster
and since then I certainly look with a different set of eyes at user
space facing code. I doubt that we want everyone to experience the
disaster himself (though that's a very enlightening experience), but
we should try to document incidents and the lessons learned from
them. Right now we just rely on those who are deep into the security
realm or the few people who learned it the hard way.

Thanks,

	tglx

