HardenedLinux

We are "patient" zero, so we hardened ourselves!

Apr 29, 2017 - 5 minute read - Story

HardenedLinux: The way to the Ark

HardenedLinux: The way to the Ark

PaX/Grsecurity no longer provides the public access to test patch in Apr 26 2017. In the FAQ of the announcement, PaX team and Spender listed a couple of reasons why they do this. As some people already know, it’s not the whole story. As the result of a discussion inside h4rdenedzer0, we believe that Linux foundation is the culprit behind all this result that the commercial/individual/community users losing access to the test patches. And we support this decision PaX team/Spender has made because:

  • Core Infrastructure Initiative has been funded by 19 big corps( $1.9 mil per year) and organized by Linux foundation. KSPP was funded by CII in the begining. KSPP is trying to port PaX/Grsecurity features or implement similar ones (and also port PaX/Grsecurity’s implementation to more archs, e.g: arm64) to vanilla kernel. It was of very good motivation and was a very good starting point. But… till now they’ve hardly accomplished anything compared to what PaX/Grsecurity did, e.g. they ported some mitigations while introducing more (exploitable?) bugs or incomplete implementations. To make it worse, Linux foundation has been doing marketing and PR to convince the public that they are the “Neo”. Those marketing PRs blatantly steal credits from PaX/Grsecurity. AFAIK, not even one KSPP maintainer has stepped out to reveal the truth to the public, and that’s very unfortunate. One of h4rdenedzer0 member tried to talk with CII/LF but being ignored.

  • The ability to create stuff out of nothing( from 0 to 1) is rare. PaX/Grsecurity is the origin of OS defense mitigation and still is the most effective defense solution. If you are a GNU/Linux x86 user, you have benefited from the contribution of PaX/Grsecurity in one way or another since 2001. Your machine has some PaX/Grsecurity features to some extent. From SEGEXEC/PAGEEXEC to NX/DEP, PaX’s ASLR to vanilla/OSX/Windows ASLR, KERNEXEC/UDEREF to SMEP/SMAP( PXN/PAN on armv7/arm64), etc. For many years PaX/Grsecurity has always been leading the industry. More importantly, PaX team/Spender generously shared their work with the FLOSS world in the past 16 years. Security experts have made comments about how powerful PaX/Grsecurity is in the past couple of days( See how ppl reacted on twitter or GNU/Linux distro mailinglist). Sadly, that’s exactly how infosec is like these days: only the minority knows the truth. If most people hold the false assumption that KSPP can be the alternative defense solution, business supporters of PaX/Grsecurity will disappear. And that will be the last thing we want to see.

  • Closing the public access doesn’t make PaX/Grsecurity a non-free/libre software. Those who purchase subscriptions can access the source code. We don’t see GPL violated in any way here. After all, it’s PaX team/Spender’s creation and they can do anything they want. We understand why PaX team/Spender do this. No one feels the pain more than PaX team/Spender do when things like Linux foundation keeping stealing credits from PaX/Grsecurity, and big corps (WinRiver/Intel) making money out of it but never contributing back, etc, happens.

  • PaX/Grsecurity has been supporting the FLOSS community for a very long time While most of us never take security and privacy serious. As a supporter of Free/libre software/firmware/hardware, please ask yourself: Where were you when PaX/Grsecurity needed help? Maybe that will wipe that thought to complain out of your mind. Just as RMS once said, our future depends on our philosophy. We make the world where we live in.

  • If you are a security consultant, we wish you learn the truth and advise your customers about security in real sense instead of the cargo-cult drugs, which has gone too much for this small world.

  • KSPP becomes the burden of PaX/Grsecurity. We basically share the same view with Mathias Krause. We want the practical defense solution instead of wishful thinking in another decade.

  • One more quote from the interview with Spender:“There are many commentators and complainers today, especially when it involves free software, and very few people dedicating half of their life to creating useful original work. When those efforts suddenly get co-opted by companies using misleading marketing and essentially corporate-funded plagiarism, it’s not conducive to the desire to create and publish new work. So we’re refocusing our efforts back to those who respect and value our time.”. The FLOSS world has been losing real hackers like Jonathan Zdziarski, PaX team and Spender. The world is a evil place not because of too many bad people, but because of what we called “good people” who don’t do anything about it.

We’ve been sharing some of our works on security practices ( STIG-4-Debian, Debian GNU/Linux profiles, etc) for servers running in data center. PaX/Grsecurity is the corner stone to most of our solutions. Evidences have revealed that PaX/Grsecurity can defeat multiple public exploits w/o any patch fixes in critical scenarios for a long run. With PaX/Grsecurity, for the 1st time we believe that we can build the defense based on free/libre & open source software/firmware solution to prevent many threats from Ring 3/0/-1/-2/-3. HardenedLinux is going to continue develop solutions of defense based on PaX/Grsecurity. From our point of view, we see no other option. Please remember this date: Apr 26 2017. This is the day we lost our Ark.

Last but not least, we’d sincerely like to thank PaX team, Spender and other contributors of PaX/Grsecurity for the past 16 years. Because of 0ldsk00l hackers like them, this world has become a better place.