GRSecurity stable patches to be unavailable to general public

Discussion in 'all things UNIX' started by BoerenkoolMetWorst, Aug 27, 2015.

  1. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    https://grsecurity.net/announce.php
    :(
     
  2. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,985
    Location:
    Brasil
    Almost NOTHING makes me mad, but this made me furious, especially considering US's legal system. If there was an actual violation then the US government could help grsecurity with the money to fight this "multi-billionaire" company, because they will surely WIN and that means money for everybody, and more importantly = justice towards grsecurity. But since the US government is run by corporations, I'm sure this company would buy the government so that they didn't help grsecurity.
    I swear, if I was a billionaire I'd help grsec.

    I guess this change won't affect most people.
    Arch's default linux-grsec kernel is, well, the latest (even more up-to-date than Arch's regular Kernel).
    Debian is always pulling things from Sid to Testing, and before freezing Testing will have at least a 10-day-old GRSec Kernel, which isn't too bad. Debian also has the backport system and I think it's very possible to backport the latest grsec-testing to Debian Stable, or at least the patches themselves.
     
  3. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    Does Debian use GrSec by default?

    You would think they could get funding from the DOD or NSA.
     
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    No, but there are such kernels available.
     
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
  6. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,985
    Location:
    Brasil
    Nope.

    I don't know :p Could they?
     
  7. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    FWIW, there is currently a discussion among kernel developers about Kernel Hardening with the aim to add protections from grsecurity to the official kernel. Several prominent developers like Kees Cook, Thomas Gleixner, Andy Lutomirski etc. are participating. Let's hope that this discussion will lead to a favorable conclusion.
     
  8. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    I'll keep my fingers crossed for that. Torvalds has for years now repeatedly blocked any efforts to move grsec/pax to the official kernel. Torvalds said they wanted to add a "giant blob of code" to the kernel.
     
  9. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    Well both the NSA and DoD need to be as secure as is possible from attacks and funding grsec/pax would be a drop in the bucket for them. Everything I have read points to systems using grsec as being the safest Linux systems.

    It would be a great loss for these not to be continued and eventually brought into the kernel.
     
  10. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,985
    Location:
    Brasil
    I don't think that is going to happen. Here's why:
    • The LTS branch of Grsecurity won't be available to the general public;
    • Anyone could sponsor Grsecurity and get the LTS branch available;
    • Helping GRSecurity with this lawsuit would benefit mostly the users, not to mention it would be so much more expensive than just being a sponsor.
    So if the NSA/DoD are really interested in the LTS branch of GRSec they could just pay low amounts of money and become a sponsor instead of spending millions helping GRSecurity fight Intel and that other company.
     
  11. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    One of the posts in the kernel hardening thread has a link to 'Google Project Zero' blog and I was surprised to read that Android apparently runs SELinux.
     
  12. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    AMD?
     
  13. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,985
    Location:
    Brasil
    I don't know, but probably not. There's a thread here somewhere showing a twitter that says "Intel and" a company that I don't remember.
     
  14. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    Yes Android runs SELinux since Android 5.x if I remember correctly.

    These days it's possible to have it either enabled, disabled or in some kind of hybrid mode.
     
  15. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    Wind River Linux which is owned by Intel apparently. A commercial product. Their marketing blurbs mention using grsec to harden their kernel. The other offender appears to be Verifone.

    http://www.windriver.com/products/product-overviews/PO_LINUX_SECURITY_PROFILE.pdf

    Here they try to get support in the grsec forum

    https://forums.grsecurity.net/viewtopic.php?f=3&t=3938&p=13940#p13940

    https://forums.grsecurity.net/viewtopic.php?f=3&t=3713

    Brad's answer to Verifone seeking support is pretty funny.

    Hi,

    Sorry, we don't provide free support to a multi-billion dollar company that sells devices using grsecurity while violating the license of its GPL license and that of all other GPL code on the devices. Your MX900 and Petro series of products don't ship with the associated source code, nor is any written offer provided for the source code. Purchasers of these products have no idea at all that they use GPL-licensed software or that they have a right to its modified source code. It's fitting that a company profiting off the exploitation of open-source developers that license under the GPL (and not BSD) for a reason would come here for free support. Fitting, but incredibly rude.

    -Brad
     
  16. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    Google uses grsec in ChromeOS. They could buy the product and hire the developers. With Google as the mothership it's less likely there would be people ripping it off. This would be something that would be admired by the community.
     
  17. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
  18. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    Found a good paper on SELinux in Android here:

    http://kernsec.org/files/lss2015/lss2015_selinuxinandroidlollipopandm_smalley.pdf
     
    Last edited by a moderator: Aug 31, 2015
  19. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    Good paper on the state of kernel security

    http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf
     
    Last edited by a moderator: Aug 31, 2015
  20. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    That is an awesome presentation. Thanks!
     
  21. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    @amarildojr one more reason for me why anti malware products are needed on linux ;)
     
  22. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,985
    Location:
    Brasil
    No we don't! There is absolutely no need for such product! We've been over this already!

    I get it, you're somehow afraid and think that we need such products on Linux, but we don't. If you want to install Sophos or whatever "antimalware" on Linux then that is up to you. If you don't know jack about Linux security (like you said it yourself) then don't even bother trying to explain to more experienced users why you think "a fish needs a bicycle" or whatever illogical thoughts you have, and don't pretend that we have not given you enough explanation on why bringing the Windows mindset to Linux is a waste of time.

    Saying again that we need "anti-this and anti-that" on Linux is an insult considering we gave you reason after reason after reason after reason after reason after reason after reason after reason after reason after reason after reason after reason after reason after reason after reason on why that is not needed!

    You know what I learned after that thread of yours? That you don't care about reason or logic. All you do is make ridiculous claims which you can never back up (I never saw you proving any one of them); and no matter how much other people say you're wrong, you will still hold tight to something you should know isn't true.

    So go ahead, install Sophos on Arch and have peace of mind, for god's sake. At least this way you won't bother people with this kind of stuff anymore (I hope).
     
    Last edited: Sep 1, 2015
  23. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Antimalware is not the be-all and end-all of software security, and IMO it's really a shame that the software industry has duped intelligent people into thinking that.

    Antimalware itself is, more or less, a band-aid. It's a very specific defense against a very specific set of problems. For good and actually comprehensive security, you at least need

    - A trustworthy and robust kernel
    - With a credible implementation of mandatory access control
    - Running on top of trustworthy hardware

    Windows on x86 might provide one of those (access control). Linux provides zero (because access control is not doable on X11 workstations).

    The only systems I know of that can provide all of those, BTW, are industrial mainframes or supercomputers.
     
  24. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    Not in the traditional form of an anti-virus/anti-malware program though.

    Proactive anti-exploit in the form of kernel hardening, iptables, and installing only signed programs.
     
  25. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    Read my thread again, read the .pdf I quoted again and you get reasons and reasons and reasons why anti-malware is needed. Because linux is exploitable, just as windows, just as easy as windows and trojans, password stealers, bot nets,... All exist for linux too.

    @AutoCascade I agree, especially with the kernel hardening. But as seen above, the kernel isn't hardened enough and exploitable. And there will always be 0 day exploits. Anti malware won't fix the exploit (maybe anti-exploit products will but that is more the kind of kernel hardening) but it might block and delete the malware files that come through the exploit.

    True that. I never said anti-malware is the "all we need". But it's another line of defense. And since many/most if not all other lines of defense are broken (or can be broken) another defense (especially when it is some very different one with the same goal, defending the system from getting infected) would make sense.
     