From spender at grsecurity.net Sat Dec 27 18:21:27 2008 From: spender at grsecurity.net (Brad Spengler) Date: Sat, 27 Dec 2008 18:21:27 -0500 Subject: [grsec] New (final?) grsecurity release and important announcement Message-ID: <20081227232126.GA23052@grsecurity.net> Hi all, grsecurity 2.1.12 has been released for the 2.4.37 and 2.6.27.10 versions of the Linux kernel. Changes since 2.1.11 include numerous bugfixes to both grsecurity and PaX. Support for capabilities introduced in newer 2.6 kernels has been added to the RBAC system. A case where incorrect subject flags were used in policies generated from learning has been corrected. Handling of corner cases in vma mirroring has been improved. A new feature has been added to PaX in the 2.6 patch: PAX_REFCOUNT. This new feature prevents the exploitation of most reference count overflow vulnerabilities in the kernel. The feature exists for both 32 and 64-bit x86 platforms and is enabled in the medium and high security settings of grsecurity. Sanity checking has been added at build time for grsecurity to detect too-common misconfigurations of PaX we've seen mentioned on the forums. A kernel command line parameter, "pax_nouderef" has been added to selectively disable PaX's UDEREF feature at boot time. Requirements/Known Issues: * Binutils 2.18 is required for this release, as older versions are incompatible with PaX. This requirement is enforced at build time. * PaX, even when completely disabled, is incompatible with a VirtualBox/VMWare host (it can still be used on a guest OS). The source of the incompatibility is not yet known. * ATI binary video drivers trigger the UDEREF protection. Whether an exploitable scenario exists within the driver has not been determined. Due to the current economic situation, grsecurity recently lost its primary sponsor. After discussing the situation for some time with the PaX team, I have come to two scenarios for the future of the project. If within the next few months I can find one or more sponsors to get the project back to its previous level of sponsorship, I'll continue development on the project and keep up to date with the latest kernels as I've done in the past. If I am unable to find anyone interested in sponsoring the project, development and availability of the software will end on March 31st. Further public development of PaX will be uncertain. Sponsoring grsecurity has many benefits: * I will personally respond to any support requests (you can call me if you wish) * You are able to make feature requests to improve the usefulness of grsecurity to your organization Some examples of RBAC features written through this offer included hostname support, invertedsocket policies, virtual interface support, and PAM authentication support * Upon request, I will review your RBAC policy and report vulnerabilities or make suggestions * A logo and a link to your organization will be listed on the sponsors page * Helping continue a project with a circle of influence far outside its own userbase To illustrate this last point, we've put together a graph that shows how grsecurity and PaX have influenced security system implementations in nearly every mainstream operating system. Over the past eight years of our existence, we have not only managed to stay relevant to the current state of an ever-evolving industry, but have advanced the state of the art and provided real security based on results and not what was most commercially profitable. The graph is available at: http://grsecurity.net/~spender/grsecurity_pax-influence.png I'd like to thank all sponsors of grsecurity, past and present, for their help in continuing an important project. To discuss possible sponsorship, please contact me at spender at grsecurity.net. -Brad -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://grsecurity.net/pipermail/grsecurity/attachments/20081227/bbc01878/attachment.pgp