snowy mountains

Linux Kernel Attacks Defeat Data Center Security Strategies

Protect your Linux-based servers from attacks that target the Linux kernel for escalated privilege. Without putting comprehensive protection in place, your entire data center security strategy is exposed.

snowy mountains

The Keys to the Kingdom

Not securing your Linux kernel adequately is like giving attackers that have infiltrated your web apps or networks the keys to the kingdom. Compromising the Linux kernel makes it almost impossible to find these attackers on your network, despite EDR tool and other security investments.

snowy mountains

End-to-End Linux Kernel Protection

Other alternatives purport to offer protection against Linux kernel attacks, but only grsecurity fully specializes in preventing zero-day attacks and sophisticated memory corruption exploits on widely-used Linux kernel versions. No other vendor offers as much to fully secure your data center server foundation.

What is
grsecurity?
Beyond
access control
Hardens Container
Isolation
Defends against
zero-day
Integrates with
your distribution
Has a proven
track record

What is grsecurity?

Grsecurity® is an extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening that generally require no configuration.

It has been actively developed and maintained for the past 18 years. Commercial support for grsecurity is available through Open Source Security, Inc.

Get an offer 4.4.201 Last updated: 11/12/19 4.14.154 Last updated: 11/12/19

Hardens Container Isolation

In any kind of shared computing environment, whether it be simple UID separation, OpenVZ, LXC, or Linux-VServer, the most common and often easiest method of full system compromise is through kernel exploitation. No other software exists to mitigate this weakness while maintaining usability and performance.

Get an offer 4.4.201 Last updated: 11/12/19 4.14.154 Last updated: 11/12/19

Defends against zero-day

Only grsecurity provides protection against zero-day and other advanced threats that buys administrators valuable time while vulnerability fixes make their way out to distributions and production testing. This is made possible by our focus on eliminating entire bug classes and exploit vectors, rather than the status-quo elimination of individual vulnerabilities.

Get an offer 4.4.201 Last updated: 11/12/19 4.14.154 Last updated: 11/12/19

Integrates with your distribution

Grsecurity confines its changes to the Linux kernel itself, making it possible to use with any distribution or device: embedded, server, or desktop. Use your existing distribution's kernel configuration if you wish and answer a simple series of questions about your use case to optimally configure grsecurity automatically. X86, ARM, or MIPS -- grsecurity has been developed for and used on them all and many more.

Get an offer 4.4.201 Last updated: 11/12/19 4.14.154 Last updated: 11/12/19

Has a proven track record

Grsecurity has been developed and maintained since 2001, from the very first 2.4 Linux kernel to the latest and greatest 5.x. In addition to tracking the latest stable kernel, we provide stable releases for both the 4.4 and 4.14 kernels with additional security backports.

We stay on top of -- and in many cases drive -- the state of the art in security research. While the security teams of Linux distributions react to the latest widespread exploit simply by fixing the associated vulnerability, we quickly work in addition to close down any new exploit vectors, reduce the chance of similar vulnerabilities, and insert additional roadblocks for ancillary techniques that made the exploit possible or reliable.

As a result of this extensive approach, it is not uncommon to find in the event of a published exploit, particularly against the kernel, that the exploit's success is prevented by several separate features of grsecurity.

Get an offer 4.4.201 Last updated: 11/12/19 4.14.154 Last updated: 11/12/19

Beyond Access Control

Unlike the LSMs you're used to, grsecurity tackles a wider scope of security problems. While access control has its place, it is incapable of dealing with many real-life security issues, especially in webhosting environments where an attacker can fraudulently purchase local access to the system. To see what you're missing out on by relying on just access control, see our feature comparison matrix.

A major component of grsecurity is its approach to memory corruption vulnerabilities and their associated exploit vectors. Through partnership with the PaX project, creators of ASLR and many other exploit prevention techniques -- some now imitated by Microsoft and Apple, grsecurity makes many attacks technically and economically infeasible by introducing unpredictability and complexity to attempted attacks, while actively responding in ways that deny the attacker another chance.

Get an offer 4.4.201 Last updated: 11/12/19 4.14.154 Last updated: 11/12/19
The Charles Stark Draper Laboratory
Zero Day Initiative
Crowdstrike
OVH
DreamHost
Locaweb
TEHTRI Security
Exonet
NBS System

Testimonials

Draper strongly recommends grsecurity to all of our Department of Defense (DoD) customers so they have the latest and state-of-the-art in vulnerability prevention and exploit defense.

Few, if any, people can lay claim to a bigger impact on modern exploit mitigation than the PaX and grsecurity teams. Their work has shaped how security works today, and they continue to remain at the forefront. Grsecurity is built and trusted by experts.

When building systems that hold sensitive customer data, no other platform is as trusted by professional security engineers, like those at Immunity, than grsecurity. We have 15 years of experience breaking systems, and grsecurity has 15 years of experience protecting them from people like us.

A lot of work has been done in the past 17 years on exploit mitigations - some practical, and some effective. Very few mechanisms were both practical and effective. The grsecurity and PaX team have been behind almost all of them.

The people behind grsecurity/PaX are pioneers in computer security. Your Linux servers are in good hands with them.

During the Bugtraq "golden era" I witnessed first-hand the direct effect of the pioneering research by the grsecurity and PaX team on real world vulnerability exploit feasibility. What was once possible with a simple stack overflow now requires a complex multiple-vulnerability bug chain.

You can thank Grsecurity/PaX for many of the memory safety mitigations the world relies on today. These projects redefined software security.

PaX and grsecurity are world class innovators in software security. They have played a pivotal role in creating multiple exploit mitigation technologies that are now considered industry standard.

grsecurity and PaX have driven the state of the art in effective and realistic exploit mitigations for the past 17+ years. They've defined what are now considered industry standards and are still ahead of what's coming in the future elsewhere.

Curtis Walker
Draper, Chief Scientist
Tavis Ormandy
Dave Aitel
Immunity, Inc., CEO
Halvar Flake
Bruce Dang
David Mirza Ahmad
Subgraph, President
Chris Rohlf
Matt Miller
Rodrigo Branco
Intel Corporation, Chief Security Researcher

Latest News

Trending Trending

New Blog Post: The Reports of CVE's Death Have Been Greatly Exaggerated

Read more
By Brad Spengler
News

New Blog Post: Teardown of a Failed Linux LTS Spectre Fix

An in-depth analysis of the journey of a Spectre fix into the upstream LTS kernels that left its users with nothing more than a false sense of security.

Read more
By Brad Spengler
News

5.4 Chosen as Next Stable Tree

Grsecurity has selected Linux 5.4 for its next stable tree, to be supported through at least the end of 2022. Our 4.14 tree will continue to be supported through the end of 2021.

Read more
By Brad Spengler
News

New Blog Post: Huawei and Security Analysis

A deeper look into rudimentary binary analysis performed in a recent report, and why better methods should be used for actionable information.

Read more
By Brad Spengler
News

Announcing Respectre®: The State of the Art in Spectre Defenses

Open Source Security Inc. is proud to announce the release of the world's most advanced, effective, and high-performance defense against Spectre speculation attacks. Today's release is the result of its months of investment in prototyping different Spectre defense strategies, finally resulting in Respectre®

Read more
By Brad Spengler & PaX Team
News

Passing the Baton

Today we announce a refocusing of our efforts on next-generation security technologies and tackling the remaining class of data-only attacks.

Read more
By Brad Spengler & PaX Team
News

RAP Demonstrates World-First Fully CFI-Hardened OS Kernel

Today's release of grsecurity® for Linux kernel version 4.9 makes good on our promise of publishing the implementation of the deterministic type-based return check portion of the Reuse Attack Protector (RAP) initially described at H2HC in October 2015.

Read more
By Brad Spengler & PaX Team
News

RAP is here. Public demo in 4.5 test patch and commercially available today!

Today's release of grsecurity® for the Linux 4.5 kernel marks an important milestone in the project's history. It is the first kernel to contain RAP, a patented defense mechanism against code reuse attacks. RAP is the result of our multi-years research and development in Control Flow Integrity (CFI) technologies by PaX. It ground-breakingly scales to C and C++ code bases of arbitrary sizes and provides best-effort protection against code reuse attacks with minimal performance impact.

Read more
By Brad Spengler & PaX Team