Recently, Edera, a company that develops solutions for protecting Kubernetes and AI infrastructure, introduced OpenPaX, a draft set of Linux kernel patches intended to harden the kernel against memory-management-related vulnerabilities.
OpenPaX is positioned as a patch set for the Linux kernel and as an alternative to the original PaX patch, which is now part of grsecurity, giving system administrators an additional layer of defense against memory-related security vulnerabilities.
In turn, the Linux kernel community can take advantage of these open-source patches, and some of their functionality may be merged into the mainline kernel when appropriate.
OpenPaX offers open-source mitigations for runtime memory-safety bugs, giving developers access to critical security features while sparing enterprises unnecessary support costs.
Among the most notable features of OpenPaX is the W^X (Write XOR Execute) mechanism, which hardens the system by restricting how memory pages may be mapped. It ensures that no page can be created that is both writable and executable at the same time, which blocks the classic injection of attacker-supplied code into writable memory. In addition, W^X imposes a further restriction: a page that has been allocated writable cannot later be changed to an executable state.
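As an added illustration (this is not OpenPaX code), the following probe exercises the two rules described above from userspace: it asks for a page that is writable and executable at once, and then tries the JIT pattern of filling a writable page and flipping it to executable. On a kernel enforcing the W^X policy both requests fail; on a stock kernel both succeed, so the program doubles as a quick check of whether the protection is active. The small `violates_wx`/`transition_allowed` helpers are a userspace model of the policy added here for clarity; the exact errno the kernel returns on denial is not stated on the page and is simply printed.

```c
/* Added example, not part of OpenPaX: probe whether the running kernel
 * enforces W^X on anonymous mappings the way the text describes. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Result of the live probe: 1 = denied (policy enforced), 0 = allowed,
 * -1 = the probe itself could not run. */
struct wx_report {
    int rwx_mmap_denied;   /* mmap(PROT_READ|PROT_WRITE|PROT_EXEC) refused? */
    int w_to_x_denied;     /* mprotect(PROT_READ|PROT_EXEC) on a once-writable page refused? */
    int rwx_errno;         /* errno from the first probe when denied */
    int w_to_x_errno;      /* errno from the second probe when denied */
};

/* Policy model, rule 1: a request is invalid if it asks for write and
 * execute on the same page. */
int violates_wx(int prot)
{
    return (prot & PROT_WRITE) && (prot & PROT_EXEC);
}

/* Policy model, rule 2: a page that was ever writable may not later
 * become executable (and rule 1 still applies to the new protection). */
int transition_allowed(int was_writable, int new_prot)
{
    if (violates_wx(new_prot))
        return 0;
    if (was_writable && (new_prot & PROT_EXEC))
        return 0;
    return 1;
}

struct wx_report probe_wx(void)
{
    struct wx_report r = { -1, -1, 0, 0 };
    long page = sysconf(_SC_PAGESIZE);

    /* Probe 1: a page that is writable and executable at the same time. */
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        r.rwx_mmap_denied = 1;
        r.rwx_errno = errno;
    } else {
        r.rwx_mmap_denied = 0;
        munmap(p, page);
    }

    /* Probe 2: the JIT pattern. Create a writable page, fill it, then ask
     * for it to become executable. Nothing written here is ever executed. */
    void *q = mmap(NULL, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (q == MAP_FAILED)
        return r;
    memset(q, 0xcc, page);          /* placeholder bytes, never run */
    if (mprotect(q, page, PROT_READ | PROT_EXEC) != 0) {
        r.w_to_x_denied = 1;
        r.w_to_x_errno = errno;
    } else {
        r.w_to_x_denied = 0;
    }
    munmap(q, page);
    return r;
}

static const char *describe(int denied, int err)
{
    if (denied == 1) return strerror(err);
    if (denied == 0) return "allowed (no W^X enforcement for this process)";
    return "probe could not run";
}

int main(void)
{
    struct wx_report r = probe_wx();
    printf("RW+X anonymous mmap : %s\n", describe(r.rwx_mmap_denied, r.rwx_errno));
    printf("W -> X via mprotect : %s\n", describe(r.w_to_x_denied, r.w_to_x_errno));
    return 0;
}
```

Run it once on a stock kernel and once on an OpenPaX kernel to see the difference; because the policy can be relaxed per binary (see the xattr marking below in the text), the result describes the calling process, not the kernel as a whole.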
Another important feature of OpenPaX is its trampoline emulation mechanism, which allows calls to functions located on the stack or in other memory areas where code execution is explicitly disabled. Despite that restriction, trampoline emulation uses safe techniques so that such code can keep running without compromising system security: the mechanism intercepts the page fault raised when a program attempts to execute code in a region marked non-executable and, when the bytes there match a known trampoline pattern, emulates the jump required to continue execution instead of running the code from the non-executable page.
This is especially useful for applications that depend on libffi or on GCC nested functions, both of which generate trampolines on the stack at runtime. In this way OpenPaX lets such applications keep working without violating the system's code-execution policy.
Because these protections can interfere with JIT compilers, OpenPaX allows the protections applied to each executable to be managed selectively, by means of extended attributes (xattr) set with the paxmark tool.
There is also a soft mode (enabled via sysctl kernel.pax.softmode=1) in which the protections are disabled by default but can be turned on for specific applications that need the additional hardening.
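The following added example (not OpenPaX's paxmark, nor any code from the project) shows the two knobs above from a program's point of view: it reads the soft-mode sysctl through its /proc/sys path and applies a per-binary exception by writing an extended attribute on the executable. The xattr name `user.pax.flags` and the flag letters (`M`/`m` for the W^X policy, `E`/`e` for trampoline emulation, uppercase to force on and lowercase to force off) follow the historical PaX convention and are assumptions here; the page only says that xattrs and paxmark are used, so check the OpenPaX paxmark documentation for the names it actually honours.

```c
/* Added example, not OpenPaX tooling: read kernel.pax.softmode and mark a
 * binary with per-file flags through an extended attribute.
 * The xattr name and flag letters are ASSUMED (historical PaX convention). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

#define SOFTMODE_SYSCTL "/proc/sys/kernel/pax/softmode" /* sysctl kernel.pax.softmode */
#define PAX_XATTR       "user.pax.flags"                 /* assumed attribute name */

/* Parse the text of the sysctl file: "0" or "1", trailing newline allowed.
 * Returns 0 or 1, or -1 if the content is not a recognised value. */
int parse_softmode(const char *buf)
{
    char *end;
    if (buf == NULL || *buf == '\0')
        return -1;
    long v = strtol(buf, &end, 10);
    if (end == buf)
        return -1;
    while (*end == '\n' || *end == ' ')
        end++;
    if (*end != '\0')
        return -1;
    return (v == 0 || v == 1) ? (int)v : -1;
}

/* Read and parse the sysctl file; -1 when it is absent, e.g. on a kernel
 * without the OpenPaX patches. */
int read_softmode_from(const char *path)
{
    char buf[32];
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_softmode(buf);
}

/* Build the flag string (assumed convention): one letter per feature,
 * uppercase = force on, lowercase = force off, omitted = kernel default.
 * setting > 0 forces on, < 0 forces off, 0 leaves the default. */
void build_pax_flags(int mprotect_setting, int emutramp_setting, char out[8])
{
    size_t i = 0;
    if (mprotect_setting > 0)      out[i++] = 'M';
    else if (mprotect_setting < 0) out[i++] = 'm';
    if (emutramp_setting > 0)      out[i++] = 'E';
    else if (emutramp_setting < 0) out[i++] = 'e';
    out[i] = '\0';
}

/* Write the flags as an xattr on the binary and read them back to confirm.
 * Returns 0 on success, -1 (errno set) if the filesystem or permissions
 * refuse the attribute. */
int mark_binary(const char *path, const char *flags)
{
    char check[8] = {0};
    if (setxattr(path, PAX_XATTR, flags, strlen(flags), 0) != 0)
        return -1;
    ssize_t n = getxattr(path, PAX_XATTR, check, sizeof check - 1);
    if (n < 0 || strcmp(check, flags) != 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    int sm = read_softmode_from(SOFTMODE_SYSCTL);
    printf("kernel.pax.softmode: %s\n",
           sm < 0 ? "not present (no OpenPaX?)" : sm ? "1 (soft mode)" : "0 (enforcing)");
    if (argc < 2)
        return 0;

    /* Typical use: exempt a JIT binary from the W^X policy while keeping
     * trampoline emulation forced on. */
    char flags[8];
    build_pax_flags(-1, +1, flags);
    if (mark_binary(argv[1], flags) != 0) {
        fprintf(stderr, "marking %s failed: %s\n", argv[1], strerror(errno));
        return 1;
    }
    printf("%s marked with \"%s\"\n", argv[1], flags);
    return 0;
}
```

In soft mode the logic is reversed: nothing is enforced unless a binary carries an uppercase flag, so the same builder with positive settings produces the opt-in marking. The attribute must be written by a user allowed to set `user.*` xattrs on the file, and the filesystem must support them.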
“We are pleased to be able to offer this to the industry at large and as an integrated offering for our customers with Edera Protect,” said Ariadne Conill, Distinguished Engineer and co-founder of Edera and maintainer of Alpine Linux. “Until now, access to common-sense memory safety mitigations like W^X userspace required developers and enterprises to license an expensive kernel patch that they couldn’t redistribute without losing access to updated versions of the patch, potentially violating the GPL. OpenPaX changes all that for the better.”
Finally, OpenPaX is considered an unrestricted alternative to the PaX patches from the grsecurity project, which have been a paid product since 2017. The OpenPaX patches are publicly available under the GPLv2 license, making them easy to adopt across a variety of distributions.
Currently, the OpenPaX patches can be found in their GitHub repository, and those interested in trying them or learning more can find further information at the following link.
For its part, Alpine Linux has announced that it will include an experimental kernel carrying these patches in the upcoming 3.21 release and plans to offer it as a standard option in 3.22. Distributions such as Gentoo and Arch Linux, which previously offered kernel builds with PaX, could also adopt OpenPaX. In addition, the OpenPaX developers are looking to get some of its mechanisms integrated directly into the mainline Linux kernel.
If you are interested in learning more, you can check the details at the following link.