Kees Cook on Linux 4.19 security features

October 24, 2018 ~ hucktech ~ Leave a comment

Linux kernel v4.19 was released today and some security things I'm excited about are the L1TF fixes, O_CREAT protection in /tmp, syscall register clearing, even more VLA removals, and the new shift overflow helper: https://t.co/DNmBmPHsCR

— 𝙺𝚎𝚎𝚜 𝙲𝚘𝚘𝚔 (@kees_cook) October 22, 2018

https://outflux.net/blog/archives/2018/10/22/security-things-in-linux-v4-19/

Kees Cook: Making C Less Dangerous [for the Linux kernel]

August 30, 2018 ~ hucktech ~ Leave a comment

Here are my slides from "Making C Less Dangerous [for the Linux kernel]" https://t.co/ePvz7B4Xzw

— 𝙺𝚎𝚎𝚜 𝙲𝚘𝚘𝚔 (@kees_cook) August 27, 2018

https://outflux.net/slides/2018/lss/danger.pdf

Kees Cook on Linux kernel 4.17 security features

June 15, 2018June 15, 2018 ~ hucktech ~ Leave a comment

Linux kernel v4.17 was released last week! I'm excited about Jailhouse, ADI, new stack wiping, MAP_FIXED_NOREPLACE, RLIMIT_STACK pinning, and VLA removals: https://t.co/TatTZROJV1

— 𝙺𝚎𝚎𝚜 𝙲𝚘𝚘𝚔 (@kees_cook) June 14, 2018

If you’re not aware, Kees does a good job about blogging on new Linux kernel features. The topic list from current blog post:

Jailhouse hypervisor
Sparc ADI
new kernel stacks cleared on fork
MAP_FIXED_NOREPLACE
pin stack limit during exec
Variable Length Array removals start

https://outflux.net/blog/archives/2018/06/14/security-things-in-linux-v4-17/

Kees Cook on security features in Linux kernel 4.15

February 6, 2018 ~ hucktech ~ Leave a comment

Linux kernel v4.15 is out, and here are the security features (not just PTI!) that I'm excited about: https://t.co/2OeYp2rgB4

— 𝙺𝚎𝚎𝚜 𝙲𝚘𝚘𝚔 (@kees_cook) February 6, 2018

Linux kernel v4.15 was released last week, and there’s a bunch of security things I think are interesting:[…]

https://outflux.net/blog/archives/2018/02/05/security-things-in-linux-v4-15/

Kees on Linux 4.14 security enhancements

November 15, 2017 ~ hucktech ~ Leave a comment

Linux kernel v4.14 has a bunch of security features I'm excited about: https://t.co/iIG5w0t271

— 𝙺𝚎𝚎𝚜 𝙲𝚘𝚘𝚔 (@kees_cook) November 15, 2017

Kees Cook has a new blog post, talking about new security features in Linux kernel 4.14.

vmapped kernel stack on arm64
set_fs() balance checking
SLUB freelist hardening
setuid-exec stack limitation
randstruct automatic struct selection
structleak passed-by-reference variable initialization
improved boot entropy
eBPF JIT for 32-bit ARM
seccomp improvements

https://outflux.net/blog/archives/2017/11/14/security-things-in-linux-v4-14/

Kees Cook on Linux 4.13 security features

September 10, 2017 ~ hucktech ~ Leave a comment

My notes on interesting security things in Linux kernel v4.13: https://t.co/ALOSvvKbz2

— 𝙺𝚎𝚎𝚜 𝙲𝚘𝚘𝚔 (@kees_cook) September 5, 2017

Kees has a new blog post with a list of interesting new security features in the Linux kernel:

https://outflux.net/blog/archives/2017/09/05/security-things-in-linux-v4-13/

Kees on Linux kernel 4.11 security

May 3, 2017 ~ hucktech ~ Leave a comment

Linux kernel v4.11 was published on Sunday! Here are my notes on interesting security things for this release: https://t.co/VU5MPbzl3l

— 𝙺𝚎𝚎𝚜 𝙲𝚘𝚘𝚔 (@kees_cook) May 2, 2017

Here’s a quick summary of some of the interesting security things in this week’s v4.11 release of the Linux kernel:[…]

https://outflux.net/blog/archives/2017/05/02/security-things-in-linux-v4-11/

Cook on status of Linux’s Kernel Self Protection Project

August 29, 2016 ~ hucktech ~ Leave a comment

My "State of the Kernel Self Protection Project" slides from the Linux Security Summit: https://t.co/SCPSadIYlg

— 𝙺𝚎𝚎𝚜 𝙲𝚘𝚘𝚔 (@kees_cook) August 25, 2016

A few days ago at the Linux Security Summit (LSS), Kees Cook of the Chromium project gave a presentation about the current status of the Kernel Self-Protection Project. Slides are available, I’m not sure about any A/V archives.

Status of the Kernel Self Protection Project
Linux Security Summit 2016
https://outflux.net/slides/2016/lss/kspp.pdf

Kernel Self Protection Project
http://www.openwall.com/lists/kernel-hardening/
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

Linux Security Summit 2015 proceedings available

August 25, 2015 ~ hucktech ~ Leave a comment

As part of LinuxCon North America, the Linux Security Summit recently finished, and presentations are now available (I omitted the few talks which had no presentations from below list):

* Keynote: Giant Bags of Mostly Water – Securing your IT Infrastructure by Securing your Team, Konstantin Ryabitsev, Linux Foundation
* CC3: An Identity Attested Linux Security Supervisor Architecture, Greg Wettstein, IDfusion
* SELinux in Android Lollipop and Android M, Stephen Smalley, NSA
* Discussion: Rethinking Audit, Paul Moore, Red Hat
* Assembling Secure OS Images, Elena Reshetova, Intel
* Linux and Mobile Device Encryption, Paul Lawrence, Mike Halcrow, Google
* Discussion: Core Infrastructure Initiative, Emily Ratliff, Linux Foundation
* Security Framework for Constraining Application Privileges, Lukasz Wojciechowski, Samsung
* IMA/EVM: Real Applications for Embedded Networking Systems, Petko Manolov, Konsulko Group, Mark Baushke, Juniper Networks
* Ioctl Command Whitelisting in SELinux, Jeffrey Vander Stoep, Google
* IMA/EVM on Android Device, Dmitry Kasatkin, Huawei Technologies
* Subsystem Update: Smack, Casey Schaufler, Intel
* Subsystem Update: AppArmor, John Johansen, Canonical
* Subsystem Update: Integrity, Mimi Zohar, IBM
* Subsystem Update: SELinux, Paul Moore, Red Hat
* Subsystem Update: Capabilities, Serge Hallyn, Canonical
* Subsystem Update: Seccomp, Kees Cook, Google
* Discussion: LSM Stacking Next Steps, Casey Schaufler, Intel

http://kernsec.org/wiki/index.php/Linux_Security_Summit_2015/Schedule