Linux kernel mitigation checklist

We should treat security as a whole, just as the combination of PaX/Grsecurity features and code hardening builds up a defense-in-depth solution for the Linux kernel, a piece of core infrastructure we rely on heavily. PaX/Grsecurity is a set of security-hardening patches that brings Linux kernel security to another level. There is great value in letting the whole FLOSS community benefit from it. KSPP (Kernel Self Protection Project) was started in Nov 2015 after a disclosure about Linux kernel security.


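Attacks triggered by stack overflows are very common and also very old. A mitigation technique called the canary appeared in gcc/glibc early on, and it still serves as the first line of defense for system security today.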