Security Improvements Added in the Latest Linux 4.6
After a long wait, Linux 4.6 was finally released on May 15, 2016. The latest release to the stable branch of Linux is a welcome update, introducing as it does some significant updates. In particular, Linux has beefed up its security, protecting users more robustly against potential bugs and other threats. The following is an overview some of the main security improvements added to Linux 4.6.
Heightened Data Structure Protection
One key security improvement to Linux 4.6 is that it affords users write-only protection to all data structures. This means you don’t have to worry about unintentional overwrites doing harm to portions of memory, as they simply aren’t allowed. This security enhancement works via the “__ro_after_init” feature, which renders data structures and global kernel variables read-only after they have been initialized, thus protecting you from unwanted modification at runtime.
GRSec Merges Make Linux More Secure from the Get-Go
In addition, Linux 4.6 integrates significant portions of the security patch set GRSec, merging them into the kernel build itself. GRSec (short for GRsecurity) employs intelligent access control to protect you against a wide array of security threats, including memory corruption exploitation, zero day bugs, and kernel exploitation in general. Now that much of GRSec is built into the 4.6 kernel release, you are automatically protected against even more sophisticated attacks, as GRSec is based on numerous exploit prevention techniques, meeting would-be attackers head-on with complexity, unpredictability, and an active response system.
Security Improvements and Boosts to EFI
Yet another host of security improvements can be found in terms of Linux 4.6’s Extensible Firmware Interface (EFI), which now isolates the EFI code employed by secure boot mechanisms, thus executing firmware code separately from the rest of the kernel. The latest release also enables interrupts during regular Unified Extensible Firmware Interface (UEFI) executions, and introduces various x86 EFI improvements, such as EFI memory mapping with non-executable attributes.
Security Improvements for 32-Bit Apps
Linux 4.6 also boosts security for 32-bit apps. For one thing, it enables full Address Space Layout Randomization (ASLR) for such programs, meaning that all objects, and not just stacks and executables, are totally randomized, thus preventing potential attackers from exploiting non-randomized areas. Furthermore, the 4.6 release blocks attackers from disabling randomization by ridding them of the ability to set the ulimit stack to “unlimited,” and by introducing security checks to defend against “ADDR_NO_RANDOMIZE” personality flags in setuid/setgid apps.
Other Security Boosts
There are various other security improvements packaged with Linux 4.6, too many to list here. But some of the other outstanding security features include support for Integrity Measurement Architecture (IMA) policy measurement and appraisal, as well as the required signature of IMA policy to add additional rules; kexec image and intiramfs support; keys to allow reserved areas for inserting certificates without the need to recompile; and the addition of script/sign-file support for kernel modules.