The Kernel Self-Protection Project is an ongoing effort to proactively improve kernel security and robustness by eliminating bug classes and exploitation methods. Its focus is less on using the kernel to protect userspace and more on designing the kernel to be able to defend the kernel itself from attack. Much of the work to-date has focused on getting previous efforts from Grsecurity and PaX accepted upstream.
The project was announced by Kees Cook in 2015 with funding from the Linux Foundation's Core Infrastructure Initiative (CII). The CII was succeeded by the Open Source Security Foundation (OpenSSF) in 2020 and the project has been funded by The Linux Foundation and Google together since 2021.
Slides from the presentations given by Kees Cook during the past few years are available on his website:
Scope and goals
At the outset, it was observed that the average lifetime of kernel security bugs with CVEs assigned in the "critical" and "high" priority categories was around 5.5 years on average. Rather than continuing to play a game of whack-a-mole, it makes sense to, whenever possible and reasonable:
- Eliminate bug classes
- Eliminate exploit targets and methods
- Design the kernel to fail safely
The following settings are for a 64-bit kernel on the AMD64 architecture. Disabling X86_32 is also required, but that option is not even visible if 64BIT is enabled. It is possible to enable the KSPP recommendations on 32-bit kernels and other architectures, but the settings will not be identical.
[*] 64-bit kernel General setup ---> [*] Configure standard kernel features (expert users) ---> Processor type and features ---> < > /dev/cpu/*/msr - Model-specific register support [ ] kexec system call [ ] Disable the 32-bit vDSO (needed for glibc 2.3.3) [ ] Enable the LDT (local descriptor table) Power management and ACPI options ---> [ ] Hibernation (aka 'suspend to disk') [*] ACPI (Advanced Configuration and Power Interface) Support ---> < > Allow ACPI methods to be inserted/replaced at run time Binary Emulations ---> [ ] x32 ABI for 64-bit mode General architecture-dependent options ---> [*] GCC plugins ---> Memory Management options ---> [ ] Disable heap randomization Device Drivers Character devices ---> [*] Enable TTY [ ] Legacy (BSD) PTY support [*] IOMMU Hardware Support ---> IOMMU default domain type (Translated - Strict) ---> File systems ---> Pseudo filesystems ---> -*- /proc file system support [ ] /proc/kcore support Security options ---> [*] Enable different security models Kernel hardening options ---> Randomize layout of sensitive kernel structures (Limit randomization of structure layout to cache-lines) ---> Gentoo Linux ---> [*] Gentoo Linux support
Once the previous options are finalized, the KSPP kernel options will become visible. They can then be applied via:
Gentoo Linux ---> [*] Kernel Self Protection Project ---> --- Kernel Self Protection Project [*] Enable Kernel Self Protection Project Recommendations [*] X86_64 KSPP Settings
Enabling GENTOO_KERNEL_SELF_PROTECTION_COMMON is equivalent to enabling the following options individually:
[*] 64-bit kernel General setup ---> -*- Core Scheduling for SMT [*] Configure standard kernel features (expert users) ---> -*- BUG() support General architecture-dependent options ---> -*- Make kernel text and rodata read-only -*- Enable seccomp to safely execute untrusted bytecode -*- Stack Protector buffer overflow detection -*- Strong Stack Protector [*] Support for randomizing kernel stack offset on syscall entry -*- Default state of kernel stack offset randomization [*] GCC plugins ---> -*- Generate some entropy during boot and runtime Memory Management options ---> SLAB allocator options ---> -*- Randomize slab freelist -*- Harden slab freelist metadata -*- Page allocator randomization -*- Networking support ---> Networking options ---> -*- TCP/IP networking -*- IP: TCP syncookie support Security options ---> -*- Restrict unprivileged access to the kernel syslog -*- Harden memory copies between kernel and userspace -*- Harden common str/mem functions against buffer overflows -*- Yama support -*- Landlock support Kernel hardening options ---> Memory initialization ---> -*- Enable heap memory zeroing on allocation by default -*- Enable heap memory zeroing on free by default -*- Enable register zeroing on function exit Randomize layout of sensitive kernel structures (Limit randomization of structure layout to cache-lines) ---> Kernel hacking ---> Memory Debugging ---> -*- Enable SLUB debugging support -*- Poison pages after freeing -*- Warn on W+X mappings at boot -*- Detect stack corruption on calls to schedule() -*- KFENCE: low-overhead sampling-based memory safety error detector ---> Debug kernel data structures ---> -*- Debug linked list manipulation -*- Debug SG table operations -*- Debug notifier call chains -*- Trigger a BUG when data corruption is detected Debug Oops, Lockups and Hangs ---> -*- Panic on Oops -*- Debug credential management -*- Filter access to /dev/mem -*- Filter I/O access to /dev/mem
These options —
— may not be visible in the menus, but should show as enabled as well when searched for.
A list of recommended settings for various architectures is maintained by the project here.
The project's newer mailing list is at http://vger.kernel.org/vger-lists.html#linux-hardening, but the older one at https://www.openwall.com/lists/kernel-hardening/ is still active. The new one was created in 2020 to keep "maintenance" topics off of the openwall list. The latter is also mirrored at https://lore.kernel.org/kernel-hardening/.
- Signed kernel module support — allows further hardening of the system by disallowing unsigned kernel modules, or kernel modules signed with the wrong key, to be loaded.
- https://samsung.github.io/kspp-study/ — In 2020, Samsung published a review of KSPP efforts: "Analysis on Kernel Self-Protection: Understanding Security and Performance Implications"
- Slide 13: https://outflux.net/slides/2021/lss/kspp.pdf
- Using Ubuntu kernel CVE tracker data
- Slide 4: https://outflux.net/slides/2021/lss/kspp.pdf