There are a number of desired Linux Kernel hardening projects that are inactive and do not have an owner. This page gives details on some of them. If you plan to contribute (or are already contributing) to one of these projects, please email the kernel-hardening mailing list at email@example.com and mention what you're covering.
Security Code Review Guidelines
This project is an effort to provide a reference that educates subsystem maintainers on what to look for when performing security reviews/audits. This would include various classes of common coding vulnerabilities and how to detect them, as well as other best practices, such as not leaving private keys laying around.
This project would provide support to determine if patches have been modified or tampered since they were signed.
Verification of Critical Subsystems
This project would provide verification of critical subsystems such as:
- Network file systems
- Cryptographic library
- Kernel build infrastructure
This could include approaches such as manual audits, static analysis, fuzzing testing, etc.
There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Linux. They have been controversial, so attempts have been made to describe them, including their controversy and discussion over the years, so as much information is available to make an educated decision about potential implementations.
A long-standing class of security issues is the symlink-based ToCToU race, most commonly seen in world-writable directories like /tmp/. The common method of exploitation of this flaw is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user).
The solution is to not permit symlinks to be followed when users do not match, but only in a world-writable sticky directory (with an additional improvement that the directory owner's symlinks can always be followed, regardless who is following them).
Some links to the history of its discussion:
- 1996 Aug, Zygo Blaxell http://marc.info/?l=bugtraq&m=87602167419830&w=2
- 1996 Oct, Andrew Tridgell http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html
- 1997 Dec, Albert D Cahalan http://lkml.org/lkml/1997/12/16/4
- 2005 Feb, Lorenzo Hernández García-Hierro http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html
Past objections and rebuttals could be summarized as:
- Violates POSIX.
- POSIX didn't consider this situation, and it's not useful to follow a broken specification at the cost of security. Also, please reference where POSIX says this.
- Might break unknown applications that use this feature.
- Applications that break because of the change are easy to spot and fix. Applications that are vulnerable to symlink ToCToU by not having the change aren't.
- Applications should just use mkstemp() or O_CREATE|O_EXCL.
- True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability.