[Ksummit-discuss] [TECH TOPIC] Kernel Hardening
James Morris
jmorris at namei.org
Mon Aug 24 20:17:30 UTC 2015
On Mon, 24 Aug 2015, James Bottomley wrote:
> Um, forgive me for being dense, but doesn't fixing the flaws stop their
> exploitation? In any event, Hardening means "reducing the attack
> surface" and that encompasses both active and passive means (including
> actual bug fixing).
Hardening is mitigating those flaws. You'll never find every flaw, but
you can mitigate against entire classes of flaws being exploited.
> > The
> > hardening the kernel needs is about taking away exploitation tools,
> > not killing bugs. (Though killing bugs is still great.)
>
> It's both. One of the old standards for attacking C code was buffer
> overruns. Remove those via detection tools and you reduce the attack
> surface.
In this case, we're specifically talking about hardening the kernel to
mitigate exploitation of flaws. Kernel self-protection may be a better
term (and recently surfaced in an NSA presentation at LSS: p.23 of
http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf
--
James Morris
<jmorris at namei.org>
More information about the Ksummit-discuss
mailing list