Linux Security Summit 2021

This presentation will cover the last two years of the Kernel Self-Protection Project. The project continues to eliminate classes of bugs and block exploitation techniques in the kernel. First we'll review of all the security defenses that landed in kernels 5.3 through 5.13. Some highlights are improved heap sanity checking, better entropy, generic refcount_t, sane API size argument limits, array bounds checking, shadow call stack, control flow integrity, stack variable zeroing, and set_fs() removal. Then we'll take a quick look at the evolution of kernel CVE lifetimes, counts, and bug classes with a focus on buffer overflows over the last few years. Additionally, we'll have a summary of kernel testing as seen through the lens of kernelci.org. Finally, there will be an overview of what defenses are still under development, and a review of some areas where help is especially needed.