grsecurity

grsecurity is a set of patches for the Linux kernel which emphasize security enhancements.^[2] The patches are typically used by computer systems which accept remote connections from untrusted locations, such as web servers and systems offering shell access to its users. Grsecurity provides a collection of security features to the Linux kernel, including address space protection, enhanced auditing and process control. Grsecurity is produced by Open Source Security, Inc., headquartered in Pennsylvania.^[3] Work on grsecurity began in February 2001 as a port of Openwall Project's security-enhancing patches for version 2.4 of the Linux kernel mainline. The first release of grsecurity was for the Linux kernel 2.4.1.

History

From 2001 to September 2015, grsecurity developers offered all stable and test patches as free downloads on the grsecurity website. In late-August 2015, Open Source Security announced that it would only make the stable releases available to paid subscribers, citing that a "multi-billion dollar corporation" involved in embedded Linux had diluted its trademarks by "using the grsecurity name all over its marketing material and blog posts to describe their backported, unsupported, unmaintained version in a version of Linux with other code modifications that haven't been evaluated by us for security impact". ^[4][5] On April 26, 2017, grsecurity developers "hand[ed] over future maintenance of grsecurity test patches to the community" and stopped offering free downloads of patches on the grsecurity website.^[6]

As a derivative work of the Linux kernel, grsecurity's code is licensed under the GNU General Public License version 2. However, grsecurity is only distributed to paid subscribers, and its use requires agreement to a grsecurity Access Agreement which voids access to future versions if the code is redistributed.^[1]

Bruce Perens, co-founder of the Open Source Initiative, argued in 2017 that these terms violate the GPL as it adds additional conditions to redistribution. In August 2017, Perens was sued by Open Source Security Inc. for defamation, claiming that "Under the Subscription Agreement, clients are informed that they have all rights and obligations granted by the GPLv2 for the Patches in their possession", and that it "does not apply further restrictions on a client’s ability to redistribute the Patches in their possession, or restrict their ability to exercise their rights for Patches in their possession, in accordance with the terms and conditions of the GPLv2."^[7]

In June 2017, Linus Torvalds, the original developer of Linux, responded on the Linux kernel mailing list to a question about grsecurity: "The thing is a joke, and they are clowns. When they started talking about people taking advantage of them, I stopped trying to be polite about their bullshit. Their patches are pure garbage."^[7]

Components

PaX

A major component bundled with grsecurity is PaX. Among other features, the patch flags data memory, the stack, for example, as non-executable and program memory as non-writable. The aim is to prevent memory from being overwritten, which can help to prevent many types of security vulnerabilities, such as buffer overflows. PaX also provides address space layout randomization (ASLR), which randomizes important memory addresses to reduce the probability of attacks that rely on easily predicted memory addresses.

Role-based access control

Another notable component of grsecurity is that it provides a full role-based access control (RBAC) system. RBAC is intended to restrict access to the system further than what is normally provided by Unix access control lists, with the aim of creating a fully least-privilege system, where users and processes have the absolute minimum privileges to work correctly and nothing more. This way, if the system is compromised, the ability of the attacker to damage or gain sensitive information on the system can be drastically reduced. RBAC works through a collection of roles. Each role can have individual restrictions on what it can or cannot do, and these roles and restrictions form an access policy which can be amended as needed.

A list of RBAC features:

Chroot restrictions

grsecurity restricts chroot in a variety of ways to prevent various vulnerabilities and privilege escalation attacks, as well as to add additional checks:

Miscellaneous features

Among other things, it can be configured to audit a specific group of users, mounting/unmounting of devices, changes to the system time and date, and chdir logging. Some of the other audit types allow the administrator to also log denied resource attempts, failed fork attempts, IPC creation and removal, and exec logging together with its arguments.

Trusted path execution is another optional feature that can be used to prevent users from executing binaries not owned by the root user, or world-writable binaries. This is useful to prevent users from executing their own malicious binaries or accidentally executing world-writable system binaries that could have been modified by a malicious user.

grsecurity also hardens the way chroot "jails" work. A chroot jail can be used to isolate a particular process from the rest of the system, which can be used to minimise the potential for damage should the service be compromised. There are ways to "break out" of a chroot jail, which grsecurity attempts to prevent.

There are also other features that increase security and prevent users from gaining unnecessary knowledge about the system, such as restricting the dmesg and netstat commands to the root user.^[8]

List of additional features and security improvements:

See also

• Application firewall
• Exec Shield
• Intel MPX
• Linux Security Modules
• Security-Enhanced Linux
• Tor-ramdisk

References

External links

Wikibooks has a book on the topic of: Grsecurity

• Edge, Jake (January 7, 2009). "The future for grsecurity". LWN.net.