Differences between revisions 16 and 17

Revision 16 as of 2014-03-06 10:17:58 (size 3568, editor: Mempo)
Revision 17 as of 2014-03-06 10:32:45 (size 5300, editor: Mempo)

Revision 17 added the Compatibility section (from line 34 of the page source); it appears in the rendered page below.




grsecurity is a set of patches for the Linux kernel with an emphasis on enhancing security.

  • protects the kernel. Regular Debian kernels, even with SELinux, remain open to many forms of kernel bugs until the given bug is patched, whereas grsecurity uses various hardening strategies to stop even as-yet-unknown (0-day) bugs: additional checks, randomization of the kernel layout (more than the regular kernel does), and protection of kernel memory from write access.

  • provides RBAC protection similar to SELinux (TODO: comparison). This needs to be configured in user space (an RBAC policy loaded with gradm) to have any effect.

  • protects applications from unknown bugs: PaX enforces that a memory page may be writable or executable but never both, randomizes the address-space layout (ASLR) and provides other help from the kernel side.

  • hardens chroot, closing the known escape routes and turning it into a real chroot jail.

  • various miscellaneous security hardening features.

The official wiki of grsecurity: https://en.wikibooks.org/wiki/Grsecurity

Wikipedia: grsecurity

Using in Debian

Not in official Debian

Sadly, it seems the Debian kernel team will not include a grsecurity kernel in official Debian, because of the amount of work involved, grsecurity not being part of Linux upstream.

You can build the kernel yourself

http://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-kernel-org-package

You can use the Corsac repository

Corsac, a security researcher working with Debian, provides grsecurity-patched kernels for Debian in his own repository: http://molly.corsac.net/~corsac/debian/kernel-grsec/packages/

You can use the Mempo work

This work is in beta testing, but is usable right now! The Mempo project brings a grsecurity-enhanced, reproducible kernel to Debian and works on an entire hardened Debian system.

Installation: follow the instructions at Mempo#install for the entire Mempo, or at SameKernel#grsecurity for just the grsecurity kernel.

Compatibility

Grsecurity has many options:

  • toggleable in the kernel configuration (compile time)
  • further settings that can be changed at run time or boot time (sysctl, boot parameters)
  • finally, an RBAC policy can be loaded

Depending on those settings you get different speed and compatibility. See Mempo#variants for the options provided by Mempo in their kernel.

In general, the following things could be blocked:

  • programs using a JIT, especially Java, Python and JavaScript, which means Firefox (Iceweasel), Thunderbird etc. will be blocked by PaX (MPROTECT) unless you mark their binaries with the grsecurity/setfattr script (it stores the PaX flags in the binary's user.pax.flags extended attribute)

  • binary drivers, including proprietary video drivers like NVidia or Radeon, in general will probably not work at the higher security levels, but they are a security risk anyway
  • almost all video drivers, even the open ones, would be blocked by the good variant (Mempo#variant-good), which is meant mostly for headless (or text) servers. In future a patched Xorg would probably allow them to run (the issue is the blocking of /dev/kmem and I/O port access, which closes an important route for attacking the kernel by modifying raw memory)

  • possibly Wine would be blocked by the refusal to map the zero (NULL) page; this may be tunable at run time (on a stock kernel the threshold is the vm.mmap_min_addr sysctl)
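To make the JIT point above concrete, here is an added example (not code from the wiki page, and not the Mempo grsecurity/setfattr script) that does what the setfattr marking does by hand and probes whether the running kernel enforces the W^X rule. The xattr name user.pax.flags and the flag letters are the ones PaX documents; the function names and the sample file used in the usage are my own.

```python
"""Added example (not the Debian wiki page's code, not Mempo's
grsecurity/setfattr script): inspect and set the per-binary PaX flags
that let a JIT run on a grsecurity/PaX kernel, and probe whether the
running kernel enforces MPROTECT against this process.

PaX stores per-binary exceptions in the extended attribute
user.pax.flags.  Each letter names one protection; upper case forces it
on, lower case turns it off, a missing letter leaves the kernel default:
    P/p PAGEEXEC   E/e EMUTRAMP   M/m MPROTECT
    R/r RANDMMAP   X/x RANDEXEC   S/s SEGMEXEC
A JIT (Firefox, Java) needs MPROTECT off ("m"), because MPROTECT refuses
to turn a writable mapping into an executable one.  On a stock kernel
the xattr is stored but ignored, which is why the probe succeeds there.
"""
import ctypes
import errno
import mmap
import os

PAX_XATTR = "user.pax.flags"
FLAG_LETTERS = {
    "P": "PAGEEXEC", "E": "EMUTRAMP", "M": "MPROTECT",
    "R": "RANDMMAP", "X": "RANDEXEC", "S": "SEGMEXEC",
}
LETTER_FOR = {name: letter for letter, name in FLAG_LETTERS.items()}


def decode_pax_flags(value: str) -> dict:
    """Map a user.pax.flags value to {protection: True (forced on),
    False (disabled) or None (kernel default)}."""
    state = {name: None for name in FLAG_LETTERS.values()}
    for ch in value.strip():
        name = FLAG_LETTERS.get(ch.upper())
        if name is None:
            raise ValueError(f"unknown PaX flag letter {ch!r}")
        state[name] = ch.isupper()
    return state


def compose_pax_flags(disable=(), enable=()) -> str:
    """Build a user.pax.flags value: lower case disables, upper case enables."""
    unknown = (set(disable) | set(enable)) - set(LETTER_FOR)
    if unknown:
        raise ValueError(f"unknown PaX protection(s): {sorted(unknown)}")
    if set(disable) & set(enable):
        raise ValueError("a protection cannot be both enabled and disabled")
    return ("".join(LETTER_FOR[n].lower() for n in disable)
            + "".join(LETTER_FOR[n] for n in enable))


def read_pax_flags(path: str) -> str:
    """Return the flags stored on a binary, or "" when it carries none."""
    try:
        return os.getxattr(path, PAX_XATTR).decode()
    except OSError as exc:
        if exc.errno == errno.ENODATA:
            return ""
        raise


def mark_jit_binary(path: str) -> str:
    """Disable MPROTECT for one binary, i.e. the effect of
    `setfattr -n user.pax.flags -v m PATH`; other stored flags are kept.
    Returns the value stored afterwards."""
    current = decode_pax_flags(read_pax_flags(path))
    current["MPROTECT"] = False
    disable = [n for n, on in current.items() if on is False]
    enable = [n for n, on in current.items() if on is True]
    os.setxattr(path, PAX_XATTR, compose_pax_flags(disable, enable).encode())
    return read_pax_flags(path)


def jit_mapping_allowed() -> bool:
    """Do what a JIT does: take an anonymous read/write page and ask for
    PROT_EXEC on it.  Under PaX MPROTECT (interpreter not marked "m")
    mprotect fails; on a stock kernel it succeeds."""
    libc = ctypes.CDLL(None, use_errno=True)
    libc.mprotect.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int]
    libc.mprotect.restype = ctypes.c_int
    page = mmap.mmap(-1, mmap.PAGESIZE, prot=mmap.PROT_READ | mmap.PROT_WRITE)
    try:
        # Borrow the mapping's address, then drop the ctypes view so the
        # mmap object can be closed again afterwards.
        view = (ctypes.c_char * mmap.PAGESIZE).from_buffer(page)
        addr = ctypes.addressof(view)
        del view
        rc = libc.mprotect(addr, mmap.PAGESIZE,
                           mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
        return rc == 0
    finally:
        page.close()


if __name__ == "__main__":
    import sys
    # Usage: python3 paxflags.py [/path/to/binary]; defaults to this interpreter.
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    print(f"{target}: stored PaX flags = {read_pax_flags(target) or '(none)'}")
    print("RW page -> RWX mprotect allowed:", jit_mapping_allowed())
```

Run it as an unprivileged user on the Mempo kernel and the probe returns False for an unmarked interpreter; after `mark_jit_binary` (or the page's setfattr script) on the interpreter binary and a re-exec it returns True. Note that the xattr lives on the file, so a package upgrade that replaces the binary drops the marking, and a filesystem mounted without user xattr support (older tmpfs, some network filesystems) refuses `os.setxattr` with ENOTSUP.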

Things that work:

  • open source video drivers (at least at some levels)
  • other open source and built-in drivers; however, you might need to load some modules manually with modprobe
  • KVM virtualization is known to work (as the host)
  • KVM virtualization as the guest also works (using these kernels on a system inside a KVM VM)
  • all other normal operation for desktop and server
  • members of the Mempo team, along with friends, have used grsecurity on their primary desktops for over a year without trouble

Performance

Comparing performance

2014-03-03

Test on Wheezy, amd64, no RBAC, Mempo 0.1.28 (kernel 3.2.55) on the good variant (high security, almost all grsecurity options).

  • CPU only: 100% (povray rendering of a ray-traced image, on a desktop); the same speed as the default kernel (it actually seemed a bit better, possibly due to measurement error, or to our kernel giving less priority to background-task distractions)
  • CPU/sys/disk: 70% (compilation of povray from its C/C++ source code, on a desktop)
  • disk only: not tested (we expect the transfer rates to be the same but the syscalls slower)

In conclusion, in general usage expect 70-100% of stock performance, while benefiting from the very high security of the kernel and the protection of applications.

Performance, old version (may be less accurate)

Time of nano compilation, CPU and disk usage: Debian with the default kernel versus the kernel with grsecurity (Mempo).

https://p.suchdig.com/p/cwm-Performance_compare_pdf-perf_comp.pdf

Conclusions: with the grsecurity-hardened kernel, at the good security setting, general tasks like compilation seem 30-40% slower, disk speed seems the same, and compilation time needs more benchmarking.

In the near future we plan to release other settings, allowing the user to choose somewhat lower security while gaining performance, or an even higher one for the most paranoid setup.