Explore the latest developments in the Kernel Self-Protection Project in this 25-minute conference talk by Kees Cook from Google. Gain insights into the project's efforts to eliminate bug classes and block kernel exploitation techniques. Learn about security defenses implemented in kernels 4.19 through 5.3, including stack and heap auto-initialization, heap mapping robustness, per-task stack canaries, VLA removal, and implicit-fallthrough removal. Discover the progress on upstreaming Control Flow Integrity (CFI) and examine the evolution of kernel CVE lifetimes. Get an overview of ongoing defense developments and areas requiring further assistance. The presentation covers topics such as bugfighting, exploitation methods, memory safety languages, and upcoming features, concluding with a discussion of challenges and a Q&A session.
Kernel Self-Protection Project: Eliminating Bug Classes and Blocking Exploitation Techniques
Overview
Syllabus
Intro
Why is this important
Bugfighting
Car analogy
Killing bugs
Killing bug classes
Exploitation methods
Memory safety languages
Kernel Subduction Project
Kernel Updates
Vulnerabilities
Conversions
Bugs
More conversions
Expected for 53
Upcoming features
Challenges
Questions
Taught by
Linux Foundation
