Hardened kernels for everyone

PEREZ_Yves-AlexisIMAG0051Grsecurity is a Linux kernel hardening patch. The PaX patchset it includes pioneered some security features like ASLR which where later included in basically every operating system. But the patch itself is still standalone (not included mainline), so most Linux users don’t benefit its security features.

A lot of people only use binary distribution kernels, and this talk will present some challenges found when trying to provide a distribution kernel with Grsecurity included.

I’ll first quickly present the grsecurity patch, then the attempt to include it in the Debian distribution kernel as a featureset. Finally there will be some pointers on how to provide hardened kernels easily for as many people as possible.

Yves-Alexis Perez, ANSSI