[Ksummit-discuss] [TECH TOPIC] Kernel Hardening

Theodore Ts'o tytso at mit.edu
Mon Aug 24 23:54:09 UTC 2015


On Mon, Aug 24, 2015 at 04:20:47PM -0700, Kees Cook wrote:
> 
> Could we assign this as homework instead?  There are countless examples
> of well described kernel exploits already visible on the web....

Might I suggest a somewhat higher-level homework?  What are the kernel
self-protection features that would be most useful for us to
implement, and --- this is critically important --- why aren't we
doing them already, and how can we fix that higher-order issue?

Is it because adding a particular feature would incur a huge
performance penalty?

Is it because no company has been willing to fund developers to work
on that particular feature to date?  (BTW, I consider the fact that
various companies collectively weren't able to find a place for the
trinity maintainer to land to be somewhat of a failure
of the ecosystem, but maybe the tool wasn't as useful as we think, or
maybe we failed to make the case to the correct set of
bean-counters.)

If the answer is that it's obvious what needs to be done, but (a) we
can't find anyone to bell the cat, or (b) the patches are going to be
rejected out of hand for one reason or another, the kernel summit is a
great opportunity to see if some face-to-face discussion addresses the
problem.  OTOH, if the fundamental problem is that we can't get the
headcount funded, then discussion at the kernel summit is probably not
going to be a good use of our time.  :-/

      	      	       	      	     - Ted

