Grsecurity® is an extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening that generally require no configuration. It has been actively developed and maintained for the past 15 years. Commercial support for grsecurity is available through Open Source Security, Inc.
Defends against Zero-Day
Only grsecurity provides protection against zero-day and other advanced threats that buys administrators valuable time while vulnerability fixes make their way out to distributions and production testing. This is made possible by our focus on eliminating entire bug classes and exploit vectors, rather than the status-quo elimination of individual vulnerabilities.
Mitigates shared/host container weaknesses
In any kind of shared computing environment, whether it be simple UID separation, OpenVZ, LXC, or Linux-VServer, the most common and often easiest method of full system compromise is through kernel exploitation. No other software exists to mitigate this weakness while maintaining usability and performance.
Goes beyond access control
Unlike the LSMs you’re used to, grsecurity tackles a wider scope of security problems. While access control has its place, it is incapable of dealing with many real-life security issues, especially in webhosting environments where an attacker can fraudulently purchase local access to the system. To see what you’re missing out on by relying on just access control, see our feature comparison matrix.
A major component of grsecurity is its approach to memory corruption vulnerabilities and their associated exploit vectors. Through partnership with the PaX project, creators of ASLR and many other exploit prevention techniques (some now imitated by Microsoft and Apple), grsecurity makes many attacks technically and economically infeasible by introducing unpredictability and complexity into attempted attacks, while actively responding in ways that deny the attacker another chance.
Integrates with your existing distribution
Grsecurity confines its changes to the Linux kernel itself, making it possible to use with any distribution or device: embedded, server, or desktop. Use your existing distribution’s kernel configuration if you wish and answer a simple series of questions about your use case to optimally configure grsecurity automatically. x86, ARM, or MIPS — grsecurity has been developed for and used on them all, and many more.
Has a proven track record
Grsecurity has been developed and maintained since 2001, from the very first 2.4 Linux kernel to the latest and greatest 4.x. In addition to tracking the latest stable kernel, we provide stable releases for both the 3.14 and 4.4 kernels with additional security backports.
We stay on top of — and in many cases drive — the state of the art in security research. While the security teams of Linux distributions react to the latest widespread exploit simply by fixing the associated vulnerability, we additionally work quickly to close down any new exploit vectors, reduce the chance of similar vulnerabilities, and insert additional roadblocks for the ancillary techniques that made the exploit possible or reliable.
As a result of this extensive approach, it is not uncommon to find in the event of a published exploit, particularly against the kernel, that the exploit’s success is prevented by several separate features of grsecurity.
Features of GRSecurity
Memory Corruption Defenses
- Highest performance and most secure ROP defense
- Industry-leading ASLR
- Bounds checks on kernel copies to/from userland
- Prevents direct userland access by kernel
- Prevents kernel stack overflows on 64-bit architectures
- Hardened userland memory permissions
- Random padding between thread stacks
- Hardened BPF JIT against spray attacks
- Automatically responds to exploit bruteforcing
Miscellaneous Protections
- Chroot hardening
- Prevents users from tricking Apache into accessing other users’ files
- Eliminates side-channel attacks against admin terminals
- Provides Trusted Path Execution
- Hides other users’ processes from unprivileged users
- Prevents ptrace-based process snooping
- Prevents attackers from auto-loading vulnerable kernel modules
- Prevents dumping unreadable binaries
- Enforces consistent multithreaded privileges
- Denies access to overly-permissive IPC objects
Role-Based Access Control (RBAC)
- Automatic full system policy learning
- Human-readable policies and logs
- Intuitive design
- Automated policy analysis
- Unconventional features
- Stackable with LSM