http://kernsec.org/wiki/index.php?action=history&feed=atom&title=Linux_Security_Summit_2014%2FAbstracts%2FKurmus 2026-04-18T08:18:27Z Revision history for this page on the wiki MediaWiki 1.36.1 http://kernsec.org/wiki/index.php?title=Linux_Security_Summit_2014/Abstracts/Kurmus&diff=3507&oldid=prev 2014-07-15T16:16:26Z

<p>New page: == Title == Quantifying and Reducing the Kernel Attack Surface == Presenter == Anil Kurmus == Abstract == The Linux kernel ships with many features which can be, and are, exploited by...</p> <p><b>New page</b></p><div>== Title ==<br /> <br /> Quantifying and Reducing the Kernel Attack Surface<br /> <br /> == Presenter ==<br /> <br /> Anil Kurmus<br /> <br /> == Abstract ==<br /> <br /> The Linux kernel ships with many features which can be, and are, exploited<br /> by attackers. In this talk, we explore two different approaches to reduce the<br /> kernel attack surface. One at compile-time, whereby execution traces of<br /> the kernel are taken into account to automatically generate a tailored kernel<br /> configuration. Another at run-time, whereby traces are directly used at<br /> run-time to detect the use of unnecessary functions by a subset of applications.<br /> Prior to that, we will give a precise definition of the attack surface and<br /> propose ways of measuring it, to be able to objectively evaluate the benefits of<br /> such approaches. Evaluation results show that attack surface reduction is an<br /> effective approach, whether we quantify attack surface in terms of CVEs<br /> that would have prevented, or reduction of the amount of reachable code under<br /> reasonable threat models.</div>

JamesMorris