On Tue, Aug 25, 2015 at 09:15:32AM -0600, Shuah Khan wrote:
> On Mon, Aug 24, 2015 at 10:35 AM, Kees Cook <keescook@chromium.org> wrote:

> > I agree with the sentiment here, but not with the language. Finding
> > flaws (which is what selftests, KASan, Trinity, etc do) isn't
> > hardening. Hardening is stopping the exploitation of flaws. The
> > hardening the kernel needs is about taking away exploitation tools,
> > not killing bugs. (Though killing bugs is still great.)

> I agree with Kees on this. Kselftest or any other test suites can help
> with regression testing and make sure Kernel works the way it should.
> Also these tests can tell us if kernel is hardened or not.

> Hardening means something different to me. i.e making sure kernel
> can protect against attacks and fail gracefully. This is something to
> address during design and development process.

Testsuites can help here if we get into the habit of making sure they
exercise error conditions; they're off to the side a bit but they can
be a useful way of promoting good practice (at least in my experience).