Blog

Toolchain Necromancy: Past Mistakes Haunting ASLR

This blog extends on earlier work from January by Justin Miller involving hugepage-related changes to the memory management interfaces in the Linux kernel and how they affected ASLR. In this blog, the damage from an old change to binutils is brought into focus, with a script provided for developers to check their binary builds for remnants of the issue.

Read More

PaXtest 0.10.0 Release

This short blog announces the release of a new version of PaXtest after a long hiatus, adding analysis of ASLR behavior under various hugepage-related conditions.

Read More

CONSTIFY: Fast Defenses for New Exploits

This short blog covers our recent review of techniques involved in an in-the-wild Android kernel exploit and how we used one of our compiler-based defenses to achieve a quick turnaround for our customers' proactive security.

Read More

Stability in the Wake of Linux XLTS Sunsetting

This blog covers the news of the sunsetting of Linux's 6-year eXtended Long Term Support (XLTS) offering, how this move won't affect grsecurity or its customers, and why businesses can continue to rely on grsecurity's stable offerings for a longer period than future two-year upstream LTS releases.

Read More

Canary in the Kernel Mine: Exploiting and Defending Against Same-Type Object Reuse

This blog covers a difficult-to-defend subclass of use-after-free vulnerabilities in the Linux kernel, grsecurity's defense for it, and why our defense required compiler plugin involvement. Included PoC exploits demonstrate the power and simplicity of this kind of vulnerability, as well as the effectiveness of grsecurity's defense.

Read More

Tetragone: A Lesson in Security Fundamentals

In this blog post, we take the reader on a journey through a bypass of a new eBPF-based observability and mitigation tool named Tetragon, developed in the two hours after the tool was first set up, as a hopefully instructive lesson on the importance of security fundamentals.

Read More

The AMD Branch (Mis)predictor Part 2: Where No CPU has Gone Before (CVE-2021-26341)

In this blog post, OSS Security Researcher Pawel Wieczorkiewicz shares his journey from trying to save one byte of code to the discovery of two new cases of Straight-Line-Speculation (SLS) which affect the Zen1 and Zen2 microarchitectures of AMD CPUs. Using the findings presented in his earlier blog on the AMD branch predictor, he demonstrates a proof-of-concept exploit for eBPF against the current Linux kernel adaptable for defeating KASLR.

Read More

The AMD Branch (Mis)predictor: Just Set it and Forget it!

In this blog post, OSS Security Researcher Pawel Wieczorkiewicz goes on a deep dive following a recent investigation of his into the behavior of AMD's branch predictor and how it relates to Spectre v1 exploitation. He details the discovery that due to this behavior, Spectre v1 gadgets can be exploited much more easily on modern AMD CPUs than was previously understood. He also covers the viability of vendor-recommended mitigations and the nebulous nature of Spectre v1 gadgets themselves.

Read More

Linux Kernel Alternatives

This blog provides a summary of two new IDA Pro plugins developed by OSS' Pawel Wieczorkiewicz and released on our new GitHub organization, with a deeper dive into a plugin that parses and patches in Linux kernel alternatives.

Read More

Watch Your Step(ping): Atoms Breaking Apart

This blog follows the journey of a customer-reported issue that resulted in the discovery of an Intel Atom CPU bug not fixed on a specific stepping. A deep analysis is provided along with a microcode update that fixes the issue.

Read More

How AUTOSLAB Changes the Memory Unsafety Game

In this guest blog, Zhenpeng Lin details the three-month evaluation he performed of AUTOSLAB during a research internship with Open Source Security, Inc. AUTOSLAB is a compiler-plugin-enhanced feature of grsecurity introduced in 2020 that provides some interesting security and debug properties. The evaluation covers the completeness of AUTOSLAB's approach, how exploitation is changed, and how it affects performance.

Read More

The Complicated History of a Simple Linux Kernel API

In this blog, we take a deep technical dive into two decades of history of the common and well-known copy_*_user API, covering how it evolved and devolved over time. Via this, we illustrate the difficulty of making security claims about APIs in fast-changing codebases based on how the latest version performs.

Read More

Huawei HKSP Introduces Trivially Exploitable Vulnerability

Huawei has seemingly stepped its foot into the kernel self-protection game with the release of HKSP. Absent any threat model and riddled weaknesses, it also introduces a trivially exploitable local root vulnerability due to a complete lack of defensive programming.

Read More

Faster Multi-core Linux Kernel Build Testing

This blog features the latest information on faster multi-core Linux kernel compilation and linking for automated testing purposes.

Read More

Resolving an Unfortunate STACKLEAK Interaction

During a performance evaluation, an unfortunate interaction of the STACKLEAK plugin with the RAP plugin was noticed that lead to unnecessary bloat. This blog post highlights the steps that have been taken to resolve the source of the problem.

Read More

The Life of a Bad Security Fix

In this blog we follow the journey of another bad security fix that passed repeated apparent review and was backported to several LTS kernels.

Read More

The Reports of CVE's Death Have Been Greatly Exaggerated

A prominent Linux kernel developer wants to replace CVE's use on the kernel by rebranding another kind of identifier that has been around for years. We look into why that's unlikely to happen any time soon.

Read More

Teardown of a Failed Linux LTS Spectre Fix

An in-depth analysis of the journey of a Spectre fix into the upstream LTS kernels that left its users with nothing more than a false sense of security.

Read More

Huawei and Security Analysis

A deeper look into rudimentary binary analysis performed in a recent report, and why better methods should be used for actionable information.

Read More

grsecurity 4.12 Updates

Updates on some of our work included in our 4.12 patch, including a review of Linux 4.13 and comments on some of its security changes.

Read More

grsecurity 4.11 Updates

Updates on our work since our announcement present in the 4.11 patch just released, including a review of Linux 4.12 and the decade-old security fixes from grsecurity it included.

Read More

An Ancient Kernel Hole is (Not) Closed

The "stack clash" series of vulnerabilities were a prime opportunity to demonstrate the strength of grsecurity's approach to security. Unlike upstream Linux and other OSes, the issues uncovered were unexploitable under grsecurity for many years.

Read More

The Infoleak that (Mostly) Wasn't

A 14 year old information leak appears important at first, but an analysis uncovers limited impact.

Read More

Close, but No Cigar: On the Effectiveness of Intel's CET Against Code Reuse Attacks

Intel's recent announcement of their hardware support for a form of Control Flow Integrity (CFI) has raised a lot of interest among the expert as well as the popular press. As an interested party we've decided to look at some of the details and analyze the strengths and weaknesses of Intel's Control-flow Enforcement Technology (CET).

Read More

KASLR: An Exercise in Cargo Cult Security

This post provides an in-depth analysis of the flawed KASLR mitigation, through a history lesson of the origins of ASLR, security fundamentals, and threat modeling.

Read More

The Truth about Linux 4.6

This post is a teardown of a factually incorrect presentation by Linux kernel maintainer, Greg KH. It cuts through the hype and discusses the minimal security improvements to Linux 4.6 by the KSPP.

Read More

False Boundaries and Arbitrary Code Execution

This often-cited post provides a detailed reference to the Linux capability system, subjecting it to critical analysis through the lens of ambient authority, with the revelation that most capabilities are equivalent to full root access if an attacker has arbitrary ability to exercise the capability. It finishes with a discussion on how this plays into PaX's design and grsecurity's RBAC system.

Read More

Recent ARM Security Improvements

This post contains a detailed blueprint for the novel design and implementation of PaX KERNEXEC and UDEREF on ARM, preventing ambient direct userland access from the kernel as well as preventing arbitrary code execution in the kernel.

Read More

Assorted Notes on Defense and Exploitation

This post presents a defense of so-called "ad-hoc" memory corruption defenses, comparing their practicality and effectiveness to calls to rewrite all software in safe languages, as proposed by a cited presentation. It also drives home the message of seeking details instead of believing security buzzwords like "sandbox".

Read More

For more blog entries, please see our old blog forum.