STE WILLIAMS

Hardened Linux stalwarts grsecurity pull the pin after legal fight

The gurus behind the popular and respected Linux kernel hardening service Grsecurity have decided to stop providing support for its stable offering.

Patches will cease in the next two weeks in response to an expensive and lengthy court case between the small outfit and a “multi-billion dollar” corporation which it says flagrantly infringed its trademark.

Grsecurity man Brad Spengler says he has “had enough” of the embedded device industry ripping off his company’s efforts, trashing its trademarks and breaching the GPL, without donating “a single dime”.

The straw that broke the camel’s back was an incident in which Spengler says “A multi-billion dollar corporation had made Grsecurity a critical component of their embedded platform.”

Spengler has no problem with that in itself, but is concerned that “… they’re using an old, unsupported kernel and a several year old, unsupported version of grsecurity that they’ve modified.” That gets Spengler’s goat, because he thinks it is typically slack practice “for the embedded Linux industry, seemingly driven by a need to mark a security checkbox at the lowest cost possible. So it’s no surprise that they didn’t bother to hire us to perform the port properly for them or to actively maintain the security of the kernel they’re providing to their paid customers.”

But Spengler can’t tolerate the fact “The aforementioned company has been using the grsecurity name all over its marketing material and blog posts to describe their backported, unsupported, unmaintained version in a version of Linux with other code modifications that haven’t been evaluated by us for security impact.”

“Simply put, it is NOT grsecurity – it doesn’t meet our standards and at the same time it uses our brand and reputation to further its marketing.”

“They are publishing a ‘grsecurity’ for a kernel version we never released a patch for.”

“We decided that it is unfair to our sponsors that the above mentioned unlawful players can get away with their activity [and] we will cease the public dissemination of the stable series and will make it available to sponsors only,” Spengler says in a statement.

“The test series, unfit in our view for production use, will however continue to be available to the public to avoid impact to the Gentoo Hardened and Arch Linux communities.”

“If this does not resolve the issue, despite strong indications that it will have a large impact, we may need to resort to a policy similar to Red Hat’s or eventually stop the stable series entirely as it will be an unsustainable development model.”

Grsecurity adds various host-based defences on top of PaX, extending PaX’s brute-force deterrence, its ASLR defences against information leaks, and its blocking of arbitrary code execution at the filesystem level. It includes many set-it-and-forget-it automatic features while trying to prevent admins from harming themselves, and is used by most who rely on hardened Linux.

Neal Wise, director of penetration testing firm Assurance.com.au and Unix geek says the decision is a tragic one that could most affect hosting providers who distribute Linux images containing grsecurity’s popular deep security access controls.

“There has been a very long history of companies not paying for the cost of the open source engineering they rely on,” Wise says.

“And it hurts to see people trading on your name and not compensating.

“I find it really rich that someone would string them along with a legal fight when those engineers use their open source technology.”

It will be difficult to replace grsecurity’s patching efforts, as they were very targeted. People with the necessary skills to take up the task likely already work in the organisation.

On the flip side, it means attacks against future vulnerabilities will be complicated and probably rare.

Melbourne security bod Edward Farrell of Mercury Information Security says it is a shame that the open source project was forced to quit, given it is useful and stable.

“Companies are taking advantage of published free tools without paying and that screws people over and makes things more insecure,” Farrell said. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/08/27/grsecurity/
