Talks Understanding Gentoo Hardened

Gentoo Hardened is a GNU/Linux distribution focused on making attacks harder to succeed.

In this talk we will cover the different ways in which Gentoo Hardened allows you to reduce or mitigate the risk of known attacks techniques and will also explain how other techniques can be used to mitigate the impact after an attacker carries out a successful exploit.

Finally we will cover how a simple Gentoo Hardened install differs from a normal Gentoo install and explain what is the current situation after Grsec stopped publishing patches and how to keep your kernel up to date for the interim.

During the camp, there will also a Gentoo Hardened developer available to give you a hand during install.

Talk schema:

  • Userspace hardening
  • SSP
  • PIE/PIC (and ASLR)
  • -D_FORTIFY_SOURCE=2
  • RELRO and full binding
  • StackCheck
  • Kernel hardening:
  • ASLR and KSALR
  • UDEREF
  • RAP
  • NX memory and RWX restrictions
  • Reference counter overflow prevention
  • Free memory/kernel stack sanitization
  • Constification and RO memory
  • Bounds checking on transfer
  • Userspace restrictions of privileged operations
  • Information hiding
  • Brute force deterrence
  • Module autoloading prevention
  • Chroot jails
  • MACs (SELinux/RBBAC/RSBAC)
  • ptrace restrictions
  • Blackholing and LAST_ACK protection
  • Active kernel exploit response
  • Kernel auditing
  • Choosing a hardened kernel:
  • Minipli's sources
  • linux-hardened sources
  • Vanilla/Gentoo sources and KSPP
  • Differences when installing Gentoo Hardened


Instances

  • Wednesday Aug. 23 17:30 - 18:30

Speakers