[grsec] New (final?) grsecurity release and important announcement
Brad Spengler
spender at grsecurity.net
Sat Dec 27 18:21:27 EST 2008
Hi all,
grsecurity 2.1.12 has been released for the 2.4.37 and 2.6.27.10
versions of the Linux kernel. Changes since 2.1.11 include numerous
bugfixes to both grsecurity and PaX. Support for capabilities introduced
in newer 2.6 kernels has been added to the RBAC system. A case where
incorrect subject flags were used in policies generated from learning
has been corrected. Handling of corner cases in vma mirroring has been
improved. A new feature has been added to PaX in the 2.6 patch:
PAX_REFCOUNT. This new feature prevents the exploitation of most
reference count overflow vulnerabilities in the kernel. The feature
exists for both 32 and 64-bit x86 platforms and is enabled in the medium
and high security settings of grsecurity. Sanity checking has been added
at build time for grsecurity to detect too-common misconfigurations of
PaX we've seen mentioned on the forums. A kernel command line parameter,
"pax_nouderef", has been added to selectively disable PaX's UDEREF
feature at boot time.
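To illustrate the bug class that the PAX_REFCOUNT paragraph above refers to, here is an added example that is not grsecurity or PaX code. It is a user-space model: the reference counter is deliberately narrowed to 16 bits (an assumption for the sake of a short run; a kernel refcount is a 32-bit atomic) and all names are invented. It contrasts a plain increment that wraps to zero, which lets the object be released while references still exist, with a checked increment that refuses to wrap and flags the overflow, the behaviour the announcement attributes to PAX_REFCOUNT.

```c
/*
 * Added example, not grsecurity/PaX code: a user-space model of the
 * reference count overflow bug class described for PAX_REFCOUNT.
 * The counter is narrowed to 16 bits (assumption) so the wrap-around is
 * reachable in a short run; a real kernel refcount is a 32-bit atomic.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t model_refcnt_t;            /* scaled-down counter width */
#define MODEL_REFCNT_MAX UINT16_MAX

struct model_obj {
    model_refcnt_t refs;      /* the counter under test */
    unsigned long holders;    /* ground truth: how many references really exist */
    bool freed;               /* object was released by the last put */
    bool overflow_detected;   /* checked path refused an increment */
};

static void model_init(struct model_obj *o)
{
    o->refs = 1;              /* creator holds the initial reference */
    o->holders = 1;
    o->freed = false;
    o->overflow_detected = false;
}

/* Unchecked get: a plain increment that silently wraps to 0 at the limit. */
static void model_get_unchecked(struct model_obj *o)
{
    o->holders++;
    o->refs++;
}

/*
 * Checked get: the increment is refused and flagged when it would wrap, so
 * the counter never falls below the number of live holders. The kernel
 * feature does this on the atomic increment itself; here the caller simply
 * gets 'false' and the overflow flag is set.
 */
static bool model_get_checked(struct model_obj *o)
{
    if (o->refs == MODEL_REFCNT_MAX) {
        o->overflow_detected = true;
        return false;
    }
    o->holders++;
    o->refs++;
    return true;
}

/* put: drop one reference; reaching zero releases the object. */
static void model_put(struct model_obj *o)
{
    if (o->freed)
        return;
    o->holders--;
    if (--o->refs == 0)
        o->freed = true;
}

/*
 * Drive n_gets extra gets (a leak of matching puts) followed by one put,
 * and report whether the object was released while references still
 * exist: the premature-free condition a refcount overflow leads to.
 */
static bool run_unchecked(unsigned long n_gets)
{
    struct model_obj o;
    model_init(&o);
    for (unsigned long i = 0; i < n_gets; i++)
        model_get_unchecked(&o);
    model_put(&o);
    return o.freed && o.holders > 0;
}

static bool run_checked(unsigned long n_gets, bool *detected)
{
    struct model_obj o;
    model_init(&o);
    for (unsigned long i = 0; i < n_gets; i++)
        model_get_checked(&o);
    model_put(&o);
    *detected = o.overflow_detected;
    return o.freed && o.holders > 0;
}

/* Convenience wrapper: did the checked path flag an overflow for n_gets? */
static bool checked_overflow_detected(unsigned long n_gets)
{
    bool detected = false;
    run_checked(n_gets, &detected);
    return detected;
}

int main(void)
{
    /* 65536 leaked gets wrap a 16-bit counter from 1 back to 1 */
    unsigned long wrap = (unsigned long)MODEL_REFCNT_MAX + 1UL;
    printf("unchecked, %lu leaked gets: premature free = %s\n",
           wrap, run_unchecked(wrap) ? "yes" : "no");
    printf("checked,   %lu leaked gets: premature free = %s, overflow detected = %s\n",
           wrap, run_checked(wrap, &(bool){false}) ? "yes" : "no",
           checked_overflow_detected(wrap) ? "yes" : "no");
    return 0;
}
```

With the unchecked counter, 65536 leaked gets bring the 16-bit count back to 1, so the very next legitimate put releases the object while 65536 holders still point at it; with the checked counter the increment saturates at 65535, the overflow is flagged, and the put leaves the object alive.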
Requirements/Known Issues:
* Binutils 2.18 is required for this release, as older versions are
incompatible with PaX. This requirement is enforced at build time.
* PaX, even when completely disabled, is incompatible with a
VirtualBox/VMware host (it can still be used on a guest OS). The
source of the incompatibility is not yet known.
* ATI binary video drivers trigger the UDEREF protection. Whether an
exploitable scenario exists within the driver has not been
determined.
Due to the current economic situation, grsecurity recently lost its
primary sponsor. After discussing the situation for some time with the
PaX team, I have come to two scenarios for the future of the project. If
within the next few months I can find one or more sponsors to get the
project back to its previous level of sponsorship, I'll continue
development on the project and keep up to date with the latest kernels
as I've done in the past. If I am unable to find anyone interested in
sponsoring the project, development and availability of the software
will end on March 31st. Further public development of PaX will be
uncertain.
Sponsoring grsecurity has many benefits:
* I will personally respond to any support requests (you can call me
if you wish)
* You are able to make feature requests to improve the usefulness of
grsecurity to your organization.
  Some examples of RBAC features written through this offer include
  hostname support, inverted socket policies, virtual interface
  support, and PAM authentication support.
* Upon request, I will review your RBAC policy and report
vulnerabilities or make suggestions
* A logo and a link to your organization will be listed on the
sponsors page
* Helping continue a project with a circle of influence far outside
its own userbase
To illustrate this last point, we've put together a graph that shows how
grsecurity and PaX have influenced security system implementations in
nearly every mainstream operating system. Over the past eight years of
our existence, we have not only managed to stay relevant to the current
state of an ever-evolving industry, but have advanced the state of the
art and provided real security based on results and not what was most
commercially profitable. The graph is available at:
http://grsecurity.net/~spender/grsecurity_pax-influence.png
I'd like to thank all sponsors of grsecurity, past and present, for
their help in continuing an important project.
To discuss possible sponsorship, please contact me at
spender at grsecurity.net.
-Brad