HardenedLinux: The way to the Ark

PaX/Grsecurity stopped providing public access to its test patches on Apr 26 2017. In the FAQ of the announcement, PaX team and Spender listed a couple of reasons why they did this. As some people already know, it’s not the whole story. As the result of a discussion inside h4rdenedzer0, we believe that the Linux Foundation is the culprit behind commercial, individual and community users losing access to the test patches. We support the decision PaX team/Spender have made because:

The Core Infrastructure Initiative has been funded by 19 big corps ($1.9 mil per year) and organized by the Linux Foundation. KSPP was funded by CII in the beginning. KSPP is trying to port PaX/Grsecurity features or implement similar ones (and also port PaX/Grsecurity’s implementation to more archs, e.g. arm64) to the vanilla kernel. It had very good motivation and was a very good starting point. But… till now they’ve hardly accomplished anything compared to what PaX/Grsecurity did, e.g. they ported some mitigations while introducing more (exploitable?) bugs or incomplete implementations. To make it worse, the Linux Foundation has been doing marketing and PR to convince the public that they are the “Neo”. Those marketing PRs blatantly steal credit from PaX/Grsecurity. AFAIK, not even one KSPP maintainer has stepped out to reveal the truth to the public, and that’s very unfortunate. One h4rdenedzer0 member tried to talk with CII/LF but was ignored.

The ability to create stuff out of nothing (from 0 to 1) is rare. PaX/Grsecurity is the origin of OS defense mitigation and still is the most effective defense solution. If you are a GNU/Linux x86 user, you have benefited from the contribution of PaX/Grsecurity in one way or another since 2001. Your machine has some PaX/Grsecurity features to some extent: from SEGEXEC/PAGEEXEC to NX/DEP, PaX’s ASLR to vanilla/OSX/Windows ASLR, KERNEXEC/UDEREF to SMEP/SMAP (PXN/PAN on armv7/arm64), etc. For many years PaX/Grsecurity has always been leading the industry. More importantly, PaX team/Spender generously shared their work with the FLOSS world over the past 16 years. Security experts have made comments about how powerful PaX/Grsecurity is in the past couple of days (see how ppl reacted on Twitter or GNU/Linux distro mailing lists). Sadly, that’s exactly what infosec is like these days: only the minority knows the truth. If most people hold the false assumption that KSPP can be the alternative defense solution, business supporters of PaX/Grsecurity will disappear. And that will be the last thing we want to see.

Closing the public access doesn’t make PaX/Grsecurity non-free/libre software. Those who purchase subscriptions can access the source code. We don’t see the GPL violated in any way here. After all, it’s PaX team/Spender’s creation and they can do anything they want. We understand why PaX team/Spender did this. No one feels the pain more than PaX team/Spender do when things happen like the Linux Foundation continuing to steal credit from PaX/Grsecurity, and big corps (Wind River/Intel) making money out of it but never contributing back, etc.

PaX/Grsecurity has been supporting the FLOSS community for a very long time, while most of us never take security and privacy seriously. As a supporter of free/libre software/firmware/hardware, please ask yourself: Where were you when PaX/Grsecurity needed help? Maybe that will wipe the thought of complaining out of your mind. Just as RMS once said, our future depends on our philosophy. We make the world we live in.

If you are a security consultant, we hope you learn the truth and advise your customers about security in the real sense instead of the cargo-cult drugs, which have gone too far for this small world.

KSPP has become a burden to PaX/Grsecurity. We basically share the same view as Mathias Krause. We want a practical defense solution instead of wishful thinking in another decade.

One more quote from the interview with Spender: “There are many commentators and complainers today, especially when it involves free software, and very few people dedicating half of their life to creating useful original work. When those efforts suddenly get co-opted by companies using misleading marketing and essentially corporate-funded plagiarism, it’s not conducive to the desire to create and publish new work. So we’re refocusing our efforts back to those who respect and value our time.” The FLOSS world has been losing real hackers like Jonathan Zdziarski, PaX team and Spender. The world is an evil place not because of too many bad people, but because of those we call “good people” who don’t do anything about it.

We’ve been sharing some of our work on security practices (STIG-4-Debian, Debian GNU/Linux profiles, etc) for servers running in data centers. PaX/Grsecurity is the cornerstone of most of our solutions. Evidence has shown that PaX/Grsecurity can defeat multiple public exploits w/o any patch fixes in critical scenarios over the long run. With PaX/Grsecurity, for the 1st time we believe that we can build a defense based on free/libre & open source software/firmware solutions to prevent many threats from Ring 3/0/-1/-2/-3. HardenedLinux is going to continue developing defense solutions based on PaX/Grsecurity. From our point of view, we see no other option. Please remember this date: Apr 26 2017. This is the day we lost our Ark.

Last but not least, we’d sincerely like to thank PaX team, Spender and other contributors of PaX/Grsecurity for the past 16 years. Because of 0ldsk00l hackers like them, this world has become a better place.

The Battle for the Ark

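PaX/Grsecurity's test patches were closed to public download on April 26, 2017. PaX team and Spender listed some of the reasons for doing so in the announcement FAQ. Some people already know that this is not the whole story. After internal discussion at h4rdenedzer0, we firmly believe that the Linux Foundation is the culprit behind commercial users, individual users and community users losing their right to access the test patches. The following are the reasons why we support the decision of PaX team and Spender: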

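Over the past while we have also shared some best practices for servers running in data centers (STIG-4-Debian, Debian GNU/Linux profiles, etc). PaX/Grsecurity is the cornerstone of our solutions. Considerable evidence shows that PaX/Grsecurity can, in extreme scenarios, defend against public exploits for a long time without patching. With PaX/Grsecurity, for the first time we firmly believe that a defense solution based on free software and firmware can counter threats from Ring 3/0/-1/-2/-3. HardenedLinux will continue to develop defense solutions based on PaX/Grsecurity. From our point of view, there really is no other option. Please remember this date: April 26, 2017. This is the day we lost the Ark.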

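Finally, we sincerely thank PaX team, Spender and the other PaX/Grsecurity contributors for their contributions over the past 16 years. Because of oldsk00l hackers like them, the world can become safer.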