Kees Cook (@kees_cook)'s Twitter Profile
Kees Cook

@kees_cook

Free Software Hacker
he/him
@[email protected]

ID: 116377125

Link: http://outflux.net/blog
Joined: 22-02-2010 06:53:16

435 Tweets

4.4K Followers

111 Following

Based on the excellent by worLdle, I have replaced the country data with US states, and present: statele outflux.net/statele/

I'm really happy to see kernel IBT support land. Coarse-grained forward edge CFI! (Supported on Tigerlake and later Intel systems, and Zen3 and later AMD systems.) git.kernel.org/linus/70010521…

It feels a little bit like archaeology, but here are my notes on security things in Linux v5.10: addfd, SEV-ES, static calls, pRNG improvement, SafeSetID with gid, set_fs removal, sysfs_emit, nosymfollow, MTE, UBSAN-discovered fixes, and flex array work. outflux.net/blog/archives/…

noncombatant.org/2022/04/22/itw… @fugueish: "A big part of the purpose — or, potential — for public vulnerability announcements and reports is to teach and learn, mature the engineering culture, and above all to avoid repeating these problems" i.e. "actually describe the flaw in detail"

events.linuxfoundation.org/linux-security… The Linux Security Summit NA 2022 schedule is up! Come join us: Austin, TX, USA June 23/24.

Here's a new API for dealing with bounds-checking flexible array structs in C (i.e. to replace open-coded memcpy()): lore.kernel.org/linux-hardenin… These new helpers got redesigned so many times before I was happy with them. :P

Fantastic write-up, confirms the benefits of CFI and auto-var-init: "automatic variable initialization ... kill[s] a whole class of bugs, but it also breaks some useful exploit primitives." "[kernel]CFI is arguably the mitigation that takes the most effort to bypass"

Here are my notes on how I've been doing "no binary change" analysis of Linux kernel patches that are meant to not change executable output, motivated by our efforts to replace 1-element arrays with proper flexible arrays: outflux.net/blog/archives/… tl;dr: diffoscope

So many interesting finds in this research! I struggle to fit even one in a tweet: "... while we may not be decreasing the # of vulns... there are indications [of] ... a notion of maturity, where vulns will be mostly absent from code older than a specific point in the past."

We've finally landed the run-time memcpy() overflow warning patch in linux-next: git.kernel.org/pub/scm/linux/… So now I'm constantly reloading a search on lore, checking if anyone has run into new instances on real work loads. :P lore.kernel.org/all/?q=%22dete…

Thank you Sami Tolvanen, Peter, Joao, @nullmodem, Gustavo A. R. Silva 🐧, @nathanchance, Nick, Sedat, Josh, and everyone else who helped get KCFI developed and landed! git.kernel.org/linus/865dad20…

I've started trying to document the various things I've learned about using Coccinelle to match code patterns in the Linux kernel here: github.com/kees/kernel-to… It's hardly complete, but I wanted to start keeping notes somewhere I could find later. :)

Today's the 7th anniversary of founding the Kernel Self-Protection Project! lore.kernel.org/kernel-hardeni… We've come a long way, but there's still lots more work to do. :)