PaX/Grsecurity for Android msm kernel code base( 3.4)

Discuss and suggest new grsecurity features

Moderators: spender, PaX Team

PaX/Grsecurity for Android msm kernel code base( 3.4)

Postby sth0R » Thu Jun 11, 2015 5:25 am

The porting work of the PaX patch already done. We tested it with Towel & KINGROOT. The result as expected: they all failed to root the Android 5.0.2 with kernel code base from 2014. Perhaps, we might try to make GRSEC & RBAC into the Android in the future………

http://hardenedlinux.org/jekyll/update/ ... -2013.html

Some friends asked me what's the most headache things during the porting job. Well, I guess porting PaX/Grsec is similar to any other porting work. | read the fuc*ing source code-->compare->merge->compile->debug | and, that's it;-)

Thanks to the PaX team and Spender and some other dudes who contribute to PaX/Grsecurity( more or less). PaX/Grsecurity has been making defense-in-depth in kernel level for real.

May the force be with you!
sth0R
 
Posts: 9
Joined: Fri May 09, 2014 11:03 am

Re: PaX/Grsecurity for Android msm kernel code base( 3.4)

Postby spender » Thu Jun 11, 2015 8:51 am

The porting strategy is missing some steps ;) When we port to another kernel, we also ensure that the new code present in that kernel doesn't somehow undermine our protections. We perform regression tests against every distributed patch and maintain backports of security fixes across all supported kernels. FTR, the PaX patch contains very few security backports -- at least 95% of them are entirely in the grsecurity patch. I appreciate your enthusiasm, but there's a lot more effort that goes into officially supported patches.

For transparency, what was the filename/date of the PaX patch used as the basis for the port?

-Brad
spender
 
Posts: 2183
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: PaX/Grsecurity for Android msm kernel code base( 3.4)

Postby sth0R » Thu Jun 11, 2015 12:31 pm

spender wrote:The porting strategy is missing some steps ;) When we port to another kernel, we also ensure that the new code present in that kernel doesn't somehow undermine our protections. We perform regression tests against every distributed patch and maintain backports of security fixes across all supported kernels. FTR, the PaX patch contains very few security backports -- at least 95% of them are entirely in the grsecurity patch. I appreciate your enthusiasm, but there's a lot more effort that goes into officially supported patches.


That's for sure. I only did this port as a PoC to prove it to myself that Android can be protected under PaX/Grsec. So there are indeed a lot of missing parts, including new features( UDEREF, etc) and some other hardening code. I may continue the further work if I could find the slot in the future.

spender wrote:For transparency, what was the filename/date of the PaX patch used as the basis for the port?

-Brad


Ohh, s0rry about that. This work is based on: pax-linux-3.4.8-test32.patch. And I also takes pax-linux-3.2.69-test175.patch & pax-linux-3.8.13-test24.patch as reference ones.
sth0R
 
Posts: 9
Joined: Fri May 09, 2014 11:03 am

Re: PaX/Grsecurity for Android msm kernel code base( 3.4)

Postby sth0R » Fri Jun 12, 2015 12:12 am

btw: perhaps someone may do the better work and I'm looking forward to see they release the source code;-)

https://copperhead.co/2015/06/11/android-pax
sth0R
 
Posts: 9
Joined: Fri May 09, 2014 11:03 am

Re: PaX/Grsecurity for Android msm kernel code base( 3.4)

Postby strcat » Sun Jun 14, 2015 12:11 am

Ideally, Intel would wipe the floor with ARM on mobile and we wouldn't have to deal with this insanity anymore :P.

The Copperhead kernel repositories (Samsung S4 and Nexus 5) for 3.4 aren't much different from what you've done. I don't think it makes much sense to invest a lot of time in 3.4 at this point because new Android devices are starting to ship with the 3.10 kernel and the lifetime of PaX's 3.2 LTS will be coming to an end. The main reason they're not yet public is because I didn't want my efforts to be judged based on an early proof of concept.

The OS will probably be alpha/beta-quality for the lifetime of 3.4, so significant improvements over vanilla while not matching a true grsecurity kernel with features beyond the PaX baseline and more security backports than Google/CyanogenMod provides is perfectly fine. Android is a lot more than the kernel, and most of the effort is going to be focused elsewhere in userspace. Spending less time on a kernel for old devices means spending more time on work that's going to be useful for a long time. Lots of the userspace improvements can also be upstreamed without too much of a struggle, which means spending more time developing new stuff instead of rebasing over and over and then migrating code to new Android versions.

I'd like to do a higher quality port for the 3.10 msm tree and closely follow the upstream 3.14 LTS, but I need to get my hands on a device that's using 3.10 first. This could be mature by the time 3.10 is the most common Android kernel and would hopefully last for some time.
strcat
 
Posts: 20
Joined: Tue Jun 10, 2014 12:22 pm


Return to grsecurity development