Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
PaX RAP optimization summary and ending #2
We've been doing this project from time to time in past two years. The most work is done by @fanfuqiang [a.k.a "zet"] . Our initial target was to figure out how PaX RAP work and the possibility for performance optimization. We did some modification to speed up the forward-edged CFI after analysis on how RAP being implemented as a GCC plugin and the potential issues what PaX RAP may have. zet documented( it's a Chinese version, please use Google translate) it about the findings he found:
I was a bit of confused by 3) IIRC this potential issue was also mentioned by the better-than-none solution is called kCFI resulted in the attacker is unlikely to exploit it in the real production. I wasn't sure so I confirmed it with PaX team which it is by design originally. PaX team also pointed out:
I really appreciate for PaX team's feedback that does makes more sense to me. I've been getting involved with the solution with PaX/Grsecurity for a very long time. I know some of their engineering criteria and threat model are usually more rigorous than the average case. That's why I was confusing about my misunderstanding about the design and implementation in the 1st place. This is only an experimental project. In the end, I agree with"any 'optimization' shouldn't be achieved is by eliminating instrumentation which means reducing security, especially not a wise trade-off for a security feature. We failed to see through the trade-off in the original design. Now we learned;-)
As the big changes in the current PaX RAP which becomes more powerful with complexity since the arrival of MELTDOWN/SPECTURE variants changed a lot of security measures. This project no longer need to be continued because IMOHO HardenedLinux's goal should be the possible solution for the production. I'd say RAP-optimizations ain't fit my initial ticks from now on.
Anyway, thanks for zet's hard work in past two years. Thanks for PaX team's review( this assessment is what I really need desperately). Thanks to all contributors of PaX/GRsecurity in past 18 years.