Hello Kernel Hardening

Hello Kernel Hardening

[Rick Mark]

Per the instructions in the get involved I'm here saying hello.

My name is Rick Mark, currently a security engineer at Dropbox in SF.

I've been toying around with various things I've found in the wild
over the years and recently put together this CC Attribution paper
'Security Critical Kernel Object Confidentiality and Integrity'
(https://dbx.link/sckoci).

I've been playing with a reference implementation and filling out
the paper as I go, so I'm here to add a new area of defense to the
Linux kernel.  If you find the work interesting, I'm happy to have
people sherpa me though the kernel contribution process, help with
implementing the reference or production version or even just
co-authors to help with the paper.

Best
R

Re: Hello Kernel Hardening

[Greg KH]

On Wed, Jul 31, 2019 at 06:52:04AM +0000, Rick Mark wrote:
> Per the instructions in the get involved I'm here saying hello.
> 
> My name is Rick Mark, currently a security engineer at Dropbox in SF.
> 
> I've been toying around with various things I've found in the wild
> over the years and recently put together this CC Attribution paper
> 'Security Critical Kernel Object Confidentiality and Integrity'
> (https://dbx.link/sckoci).

Link needs permissions to view it :(

thanks,

greg k-h

Re: Hello Kernel Hardening

[Kees Cook]

On Wed, Jul 31, 2019 at 11:18:18AM +0200, Greg KH wrote:
> On Wed, Jul 31, 2019 at 06:52:04AM +0000, Rick Mark wrote:
> > Per the instructions in the get involved I'm here saying hello.
> > 
> > My name is Rick Mark, currently a security engineer at Dropbox in SF.

Hi Rick! Thanks for joining in the fun. :)

> > I've been toying around with various things I've found in the wild
> > over the years and recently put together this CC Attribution paper
> > 'Security Critical Kernel Object Confidentiality and Integrity'
> > (https://dbx.link/sckoci).
> 
> Link needs permissions to view it :(

Heh, same for me. Let us know when we can view it...

-- 
Kees Cook

Re: Hello Kernel Hardening

[Rick Mark]

[-- Attachment #1: Type: text/plain, Size: 1048 bytes --]

Sorry, didn’t realize the Dropbox link shortener required login.  Full link:


https://paper.dropbox.com/doc/Security-Critical-Kernel-Object-Confidentiality-and-Integrity-akFs9yNQ8YxLKP3BEaHZ8


Sent from my iPad

On Jul 31, 2019, at 2:18 AM, Greg KH <gregkh@linuxfoundation.org> wrote:

On Wed, Jul 31, 2019 at 06:52:04AM +0000, Rick Mark wrote:
Per the instructions in the get involved I'm here saying hello.

My name is Rick Mark, currently a security engineer at Dropbox in SF.

I've been toying around with various things I've found in the wild
over the years and recently put together this CC Attribution paper
'Security Critical Kernel Object Confidentiality and Integrity'
(https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdbx.link%2Fsckoci&amp;data=02%7C01%7C%7C0c28197df0bb4ec190cc08d7159808da%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637001615036036177&amp;sdata=wmQJHRL9tNwFVden9P2TrrySSQX%2F4Ukd3eKnYfTCUTM%3D&amp;reserved=0).

Link needs permissions to view it :(

thanks,

greg k-h

[-- Attachment #2: Type: text/html, Size: 2167 bytes --]

Re: Hello Kernel Hardening

[Greg KH]

On Wed, Jul 31, 2019 at 08:33:59PM +0000, Rick Mark wrote:
> Sorry, didn’t realize the Dropbox link shortener required login.  Full link:
> 
> 
> https://paper.dropbox.com/doc/Security-Critical-Kernel-Object-Confidentiality-and-Integrity-akFs9yNQ8YxLKP3BEaHZ8

That works better, thanks!

As always, why not knock up a working prototype of your idea first and
post it?  That's how we work with kernel development.  Lots of people
have random ideas, but to see if they actually work you need a working
patch.

good luck!

greg k-h

Re: Hello Kernel Hardening

[Rick Mark]

[-- Attachment #1: Type: text/plain, Size: 1176 bytes --]

Awesome,

Thanks Greg for the advice and welcome.

I'm already starting to put together one with Linaro / OP-TEE cross compiled for QEMU ARMv8.  I'll send it back out when it's working / not shameful enough to actually `git push` to a fork.

As an aside for the rest of the mailing list, hope to see you all at BSides/DEFCON/QueerCon in a week.

R
________________________________
From: Greg KH <gregkh@linuxfoundation.org>
Sent: Wednesday, July 31, 2019 10:54 PM
To: Rick Mark <rickmark@outlook.com>
Cc: kernel-hardening@lists.openwall.com <kernel-hardening@lists.openwall.com>
Subject: Re: Hello Kernel Hardening

On Wed, Jul 31, 2019 at 08:33:59PM +0000, Rick Mark wrote:
> Sorry, didn’t realize the Dropbox link shortener required login.  Full link:
>
>
> https://paper.dropbox.com/doc/Security-Critical-Kernel-Object-Confidentiality-and-Integrity-akFs9yNQ8YxLKP3BEaHZ8

That works better, thanks!

As always, why not knock up a working prototype of your idea first and
post it?  That's how we work with kernel development.  Lots of people
have random ideas, but to see if they actually work you need a working
patch.

good luck!

greg k-h

[-- Attachment #2: Type: text/html, Size: 2989 bytes --]

Re: Hello Kernel Hardening

[Greg KH]

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

A: No.
Q: Should I include quotations after my reply?

http://daringfireball.net/2007/07/on_top

On Thu, Aug 01, 2019 at 08:00:33PM +0000, Rick Mark wrote:
> Awesome,
> 
> Thanks Greg for the advice and welcome.

A bit more advice above on how the kernel developers handle email :)

> I'm already starting to put together one with Linaro / OP-TEE cross
> compiled for QEMU ARMv8.  I'll send it back out when it's working /
> not shameful enough to actually `git push` to a fork.

I would recommend reading the kernel development process documentation
as well, in the kernel source tree.  That will give you a good idea as
to how we work and how we handle reviewing patches (hint, we don't use
git trees for review).

good luck!

greg k-h