grsecurity® for ICS

The industry-leading defenses of grsecurity® are now available for ARM ICS systems in a custom-developed, split-out, heavily-commented, cohesive set of protections patches to the Linux 4.1 kernel. Features unnecessary for the special-purpose operations of an ICS system have been removed, while several features improving the security of both the Linux kernel and the applications running on it have been retained. Specifically, split-out and heavily-commented versions of PAX_KERNEXEC, PAX_UDEREF, PAX_USERCOPY, PAX_CONSTIFY, PAX_PAGEEXEC, PAX_ASLR, and PAX_MPROTECT are being offered.

PAX_ASLR has been specially hardened for this release to resist information leaks against discovering ASLR's randomized layout. The combination of features (with sufficiently-architected userland applications) guarantee the removal of writable and executable userland and kernel memory and prevent the introduction of new code in userland. Through these patches, much more of the kernel's data is made ambiently read-only and thus is hardened against accidental or intentional corruption. Special consideration in the featureset was made for reliability. For this reason, the REFCOUNT and SIZE_OVERFLOW features were not included, as they can sometimes result in false positives that only appear after long lengths of time or in circumstances difficult to reproduce in non-production environments. The detailed comments and documentation about the features and implementation allow these defenses to be more rapidly retargeted against another desired Linux kernel version.

For inquiries about obtaining the patches, please email