Linux 4.6 and memory protections

Linux 4.6 is here and focuses on security, enhancing runtime memory management. This is a quick overview of the memory protections that now come standard in the mainline kernel and of expected upcoming improvements.

Hardening Two, June 13, 2016, Francesco Pira (fpira.com)

  1. Linux 4.6 and memory protections
     Kernel-level security enhancements at runtime

  2. Linux is not that secure…
     • today’s KASLR implementation is trivial
     • backporting of patches is necessary
     • people are scared of kernel updates…
     • …servers are running old kernels
     • it’s worse on mobile (Android?)
     • remember: not updated = dead product / service
     • so? we MUST design systems that update their kernels!

  3. So what?
     • read security bulletins of software you use
     • install latest updates
     • update your kernel, no fears!
     • Linux 4.6 has some nice features
     • you should have a look…

  4. Security enhancements in Linux 4.6
     • EFI firmware context isolated from kernel
     • kernel memory protections
     • some features being cherry-picked from grsecurity
     • live kernel patches (since Linux 4.0)
     • now shifting to live kernel updates

  5. About kernel memory protections
     • most from grsecurity and PaX
     • default on ARMv7 and ARMv8, mandatory on x86
     • RANDSTRUCT plugin
     • write protection to all data structures (kernel only)
     • __ro_after_init markings for write-once data
     • __read_only from grsecurity and PaX

  6. Future
     • Linux 4.7+
     • LoadPin LSM for trusted loading of kernel modules
     • KASLR on MIPS
     • improved text base address randomization on x86
     • Core Infrastructure Initiative (https://www.coreinfrastructure.org/)

  7. Sources
     • https://forums.grsecurity.net/viewtopic.php?f=7&t=4476
     • https://www.linux.com/news/greg-kh-update-linux-kernel-46-next-week-new-security-features
     • https://forums.freebsd.org/threads/56298/
     • http://www.wilderssecurity.com/threads/linux-kernel-4-6-new-self-protection-features.385840/
     • https://plus.google.com/u/0/+KeesCook/posts/adtf8msMKNL
     • https://www.youtube.com/watch?v=GGBlBIFAKmA
     • https://news.ycombinator.com/item?id=11698381
     • http://www.theregister.co.uk/2016/04/27/linux_security_bug_report_row/
     • http://www.linuxjournal.com/content/no-reboot-kernel-patching-and-why-you-should-care
     • https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.7-LoadPin-Restriction
     • http://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=31b0b385f69d8d5491a4bca288e25e63f1d945d0

  8. Questions? Thank you!
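The "__ro_after_init markings for write-once data" bullet on slide 5 describes data that is written during initialization and made read-only afterwards. The following is an added userspace analogy of that idea, not kernel code and not from the slides: it seals a page with mprotect() after setup and shows that a later write faults. It assumes Linux; the struct and function names are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical write-once data: set during "boot", only read afterwards. */
struct boot_config { int max_sessions; char mode[16]; };

static struct boot_config *cfg;   /* lives on its own page */

/* "Init" phase: allocate a private page, fill it in, then seal it. */
int config_init_and_seal(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    cfg = mmap(NULL, page, PROT_READ | PROT_WRITE,
               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (cfg == MAP_FAILED)
        return -1;
    cfg->max_sessions = 64;
    strcpy(cfg->mode, "enforcing");
    /* After this call the page is read-only for the rest of the run. */
    return mprotect(cfg, page, PROT_READ);
}

int config_max_sessions(void) { return cfg->max_sessions; }

/* Try a late write in a child so the fault does not kill the caller.
 * Returns the signal that ended the child, or 0 if the write succeeded. */
int late_write_signal(void)
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        *(volatile int *)&cfg->max_sessions = 0;  /* simulated corruption */
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    if (config_init_and_seal() != 0) return 1;
    return late_write_signal() == SIGSEGV ? 0 : 1;
}
```

In the kernel the same effect comes from placing marked variables in a section that is remapped read-only once init finishes, so no per-variable mprotect() call is involved.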
