The number of defenses is pretty impressive. The number of out-of-tree and commercial defenses is also impressive. The amount dedicated to specifics of C (UB, bounds checks, use-after-free) is relatively small.
It would be interesting to compare to, say, OpenBSD, with its apparently numerous security and defense-in-depth features.
I find it inspiring that we are getting to where we are dealing with models that classify vulnerabilities at a systems level. However I also think we are kind of barking up the wrong tree. There is IMHO something wrong with the current strategy of scaling up the von Neumann architecture. It leads to fragile software partitioning, noisy neighbors and both slow and sometimes unintended communication through shared memory. I’ve tried to lay this out in detail here https://lnkd.in/dRNSYPWC
Really solid conceptual map — not just for kernel devs, but also useful if you're working in Rust, Zig, or any low-level system code.
Has anyone come across a similar visual breakdown for Wasm runtimes, especially around sandboxing and isolation models?
> This map describes kernel security hardening. It doesn't cover cutting attack surface.
For those wondering why SECCOMP is omitted.
Do these settings persist if I update the kernel on my Ubuntu server?
This is by the author of the very helpful kernel-hardening-checker: https://github.com/a13xp0p0v/kernel-hardening-checker
An interesting tool for analyzing your personal kernel config file and pointing out areas for security improvement. It's more comprehensive than KSPP (https://kspp.github.io/) but sometimes goes a little too far, suggesting disabling kernel features you may actively use.
Definitely worth trying!
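As an added illustration, not a comment from the thread and not code from kernel-hardening-checker itself, the snippet below shows the minimal form of what such a tool does: parse a kernel `.config` (the `CONFIG_X=y` / `# CONFIG_X is not set` format) and compare it against a list of expected values. The sample config and the expected-option list are constructed for this example; the real checker ships far larger rule sets. One detail worth keeping is the distinction between an option that is explicitly unset and one that is simply absent from the config, since absence usually means the running kernel is too old or built without that subsystem rather than that the feature was turned off.

```python
"""Parse a Linux kernel .config and check a few hardening options.

Added example only; not kernel-hardening-checker's code. The option list in
EXPECTED is an assumption chosen for illustration, not the checker's rules.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample. On a running system the file is normally
# /boot/config-$(uname -r); in a build tree it is the .config file.
SAMPLE_CONFIG = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_RANDOMIZE_BASE=y
# CONFIG_STACKPROTECTOR_STRONG is not set
CONFIG_SECCOMP=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
CONFIG_LOCALVERSION="-hardened"
"""

# Illustrative expectations (assumed for this example): option -> wanted value.
EXPECTED: Dict[str, str] = {
    "CONFIG_RANDOMIZE_BASE": "y",            # KASLR
    "CONFIG_STACKPROTECTOR_STRONG": "y",     # stack canaries
    "CONFIG_SECCOMP": "y",                   # syscall filtering
    "CONFIG_INIT_ON_ALLOC_DEFAULT_ON": "y",  # zero memory on allocation
}

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text: str) -> Dict[str, str]:
    """Return {option: value}. Options listed as 'is not set' map to that
    literal string so callers can tell 'unset' apart from 'absent'."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "is not set"
    return opts


def check_options(opts: Dict[str, str],
                  expected: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Compare parsed options to expectations.

    Status is 'OK' when the value matches, 'FAIL' when the option is present
    (set or explicitly unset) with a different value, and 'ABSENT' when the
    config does not mention the option at all."""
    report: Dict[str, Tuple[str, Optional[str]]] = {}
    for name, wanted in expected.items():
        actual = opts.get(name)
        if actual is None:
            report[name] = ("ABSENT", None)
        elif actual == wanted:
            report[name] = ("OK", actual)
        else:
            report[name] = ("FAIL", actual)
    return report


def check_config_text(text: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Convenience wrapper: parse then check against EXPECTED."""
    return check_options(parse_kconfig(text), EXPECTED)


if __name__ == "__main__":
    for name, (status, actual) in check_config_text(SAMPLE_CONFIG).items():
        print(f"{status:6} {name} (found: {actual})")
```

Running it against a real file is a matter of replacing `SAMPLE_CONFIG` with the contents of `/boot/config-$(uname -r)`; the `ABSENT` status is the one to read carefully before concluding that a feature is disabled.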