Maintaining the Unmaintainable: Picking up the Baton of a Secure Kernel Patchset

C3 | Fri 25 Jan | 2:25 p.m.–3:10 p.m.

Presented by

  • Matthew Ruffell

    Matthew Ruffell is a PhD student at the University of Canterbury, and is strongly interested in computer security. His PhD research is focused on using symbolic execution to automatically discover vulnerabilities in the Linux kernel, and to develop a multi-level security operating system. Past research involved using symbolic execution for automatic exploit generation of basic microcontroller firmware for his Honours degree. Matthew is also interested in entrepreneurship, and tries to find ways to combine security and fresh business ideas. His current startup is Dapper Linux, a Linux distro which provides a high level of security out of the box, and does so with excellent ease of use. After working on public speaking a great deal, Matthew took part in the University startup business incubator summer programme, and pitched Dapper Linux on the final awards night to a crowd of local business professionals. When he is not working on his thesis, tutoring students in labs, or working on Dapper Linux, Matthew enjoys partner dancing, exploring New Zealand, collecting Kiwicon T-shirts and tinkering with vintage Apple Macintoshes.


The world of kernel security forever changed on April 26th, 2017, when Open Source Security Inc published a press release announcing that they are no longer making their grsecurity kernel patchset available to the public, and that they are "handing over future maintenance of grsecurity test patches to the community". Citing their wishes for newcomers to experiment with new ideas, and that the future will be shaped by the next generation, they challenged the world to continue maintenance on grsecurity themselves. Left with little more than the previous patch to 4.9.24, and the knowledge that 4.9 will receive backported fixes from upstream for two years, it was clear that there were large shoes to fill. At the time, I was building my distro, Dapper Linux, and one of its key value propositions is running a grsec kernel out of the box. Feeling left high and dry, and unwilling to give up on the technological advancements that the patchset provides, I decided to learn kernel development, and attempt to maintain the patchset as a complete kernel newbie. In this talk, we will have a look at the internals of the patchset and what features are provided, and slightly touch on the politics surrounding the patchset (and epic flamewars on the kernel-hardening list). We will also see what I have done to keep the patchset alive, and my attempts to forward-port the patchset to newer major kernel versions, as well as the typical maintenance for 4.9 LTS. We will also see how a kernel newbie became the sole maintainer of the patchset in its entirety, and the roadblocks that have arisen that have caused far more experienced developers to give up. Finally, we will talk about what the future holds, once support for 4.9 LTS ends in Jan 2020.