Export of GitHub issues for a13xp0p0v/linux-kernel-defence-map.
#7 Issue closed
: How do I use this?
frakman1 opened issue at 2022-10-05 14:41:
I don't understand the relationship between this project and `kconfig-hardened-check`.
I see that you have a `.dot` file that you use a tool (`dot`) to generate the `.svg` diagram from, but how do you generate the `.dot` file in the first place?
Can I use `kconfig-hardened-check` to generate such a diagram? I don't see a way to generate a `.dot` file from `kconfig-hardened-check`.
a13xp0p0v commented at 2022-10-07 15:28:
Hello @frakman1,
The .dot
file describing the Map is written manually.
And I created the kconfig-hardened-check
tool to check some kernel options that you see at the Map.
#6 Issue open
: Try other visualizations of the Map
Labels: enhancement
a13xp0p0v opened issue at 2022-07-03 11:00:
The Map is quite complex. Let's try other graph visualizations, maybe make it interactive and see how it works. Example: https://d3-graph-gallery.com/
a-andreyev commented at 2022-08-24 19:21:
I don't know a ready-to-use solution, unfortunately. I want to share search keywords. I guess it would be helpful.
Talking from an academic point of view, I've heard there is also a need for such tools. Search keywords: the semantic web, ontologies, knowledge bases. (see also: AI winter, knowledge engineering, logic programming). Hard to cover it in a post.
Talking about more practical things, I've heard about ontodia.org tool, which is probably a part of metaphacts project currently (if I'm not mistaken). So, it looks like it also makes sense to search for a regular visualization framework and try to adapt it to the subject area.
Therefore, data format related keywords are probably: json-ld visualization, ttl rdf visualization, graphviz visualization. UI related keywords: d3js, plotly.
Some related projects I've found:
- https://networkx.org/
- https://github.com/science-periodicals/jsonld-vis
- https://github.com/roholazandie/graph_drawing (https://hilbert-cantor.medium.com/network-plot-with-plotly-and-graphviz-ebd7778073b)
- https://cneben.github.io/QuickQanava/index.html (didn't try it, but it's in Qt/QML, since I'm a fan 🤓 )
Maybe some game engines/sdks also could be helpful, but I have no experience with it.
#5 Issue closed
: Improve the Control Flow Integrity part of the Map
Labels: enhancement
a13xp0p0v opened issue at 2021-12-11 22:38:
The Map should have separate nodes for Forward-edge CFI and Backward-edge CFI.
a13xp0p0v commented at 2021-12-11 23:14:
Introduced the Control Flow Integrity cluster
Changes:
- Add cluster_cfi with Forward-edge CFI and Backward-edge CFI
- Rename "CFI_CLANG" to "ARM: CFI_CLANG"
- Move SHADOW_CALL_STACK to child nodes of cluster_cfi
- Separate ARM64_PTR_AUTH and ARM64_BTI_KERNEL
- Describe new connections
#4 PR merged
: Add CONFIG_ZERO_CALL_USED_REGS information (https://git.kernel.org/pub/scm/linux/…
MenV1S opened issue at 2021-10-02 12:52:
…kernel/git/torvalds/linux.git/commit/security/Kconfig.hardening?id=a82adfd5c7cb4b8bb37ef439aed954f9972bb618)
a13xp0p0v commented at 2021-10-24 13:31:
Hi @MenV1S, thanks for your PR!
Yes, `ZERO_CALL_USED_REGS` is related to `ROP`.
However, it is not related to `Info Exposure`, which is about infoleak between the kernelspace and userspace.
Could you please fix your commit and force-push your branch?
Also, would you like to generate the svg and update it in a separate commit?
Thanks! Alexander
#3 PR closed
: Link nodes to corresponding CWE records
Self-Perfection opened issue at 2019-06-27 12:31:
Make nodes in generated SVG clickable when viewing in a web browser.
This is an auto edit made with
`sed -i 's|\([^"]*(CWE-\([0-9]*\))[^"]*"\);$|\1 [URL="https://cwe.mitre.org/data/definitions/\2.html"];|' *dot`
missing some nodes. Mostly as an example to illustrate the suggestion to make nodes in SVG linked to something relevant. Uses the `URL` property.
a13xp0p0v commented at 2019-06-28 21:48:
Hello @Self-Perfection, Thanks for the idea.
Yes, this automatic edit both missed some vulnerability classes and added surplus information to the link descriptions. Would you like to fix it carefully and re-push this again? (otherwise no problem, I'll fix it myself)
Thanks!
Self-Perfection commented at 2019-06-29 08:47:
Please make required adjustments, I don't want to put too much effort in this proposal.
a13xp0p0v commented at 2019-07-01 10:51:
Thanks @Self-Perfection, I've finished and merged this work.
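An added example, not part of the thread above and not the project's own code: a stricter take on the automatic edit proposed in #3, which attaches a CWE `URL` only to node statements and never to edge statements, merges with an existing attribute list, and is safe to re-run. The sample DOT text, the node names in it and the function name are constructed for illustration; the real `.dot` layout is an assumption.

```python
import re

CWE_URL = "https://cwe.mitre.org/data/definitions/{}.html"

# A node statement: indent, one quoted ID containing "(CWE-<n>)",
# an optional [attribute list], then ';'. Edge statements ("a" -> "b";)
# cannot match because only a single quoted ID is allowed before ';'.
NODE_RE = re.compile(
    r'^(\s*)"([^"]*\(CWE-(\d+)\)[^"]*)"\s*(?:\[(.*)\])?\s*;\s*$'
)

def link_cwe_nodes(dot_text):
    """Return dot_text with URL attributes added to CWE-tagged nodes."""
    out = []
    for line in dot_text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            out.append(line)  # edges, clusters, untagged nodes
            continue
        indent, name, cwe, attrs = m.groups()
        if attrs and re.search(r'\bURL\s*=', attrs):
            out.append(line)  # already linked: keep idempotent
            continue
        url = 'URL="' + CWE_URL.format(cwe) + '"'
        if attrs and attrs.strip():
            attrs = attrs.strip() + ", " + url  # keep existing attributes
        else:
            attrs = url
        out.append(f'{indent}"{name}" [{attrs}];')
    return "\n".join(out)

# Constructed sample input (hypothetical excerpt, not the real Map file).
SAMPLE = '''digraph {
  "Info Exposure (CWE-200)";
  "Uninitialized Variables (CWE-457)" [shape=box];
  "KMSAN";
  "KMSAN" -> "Info Exposure (CWE-200)";
}'''

if __name__ == "__main__":
    print(link_cwe_nodes(SAMPLE))
```

After rendering with `dot -Tsvg`, nodes carrying a `URL` attribute become hyperlinks in the SVG.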
#2 PR merged
: Add CWE-200 to list of bugs detectable by KMSAN
ramosian-glider opened issue at 2018-10-23 12:48:
To some extent, KMSAN can detect info exposures (aka information leaks). E.g. it reports copying of uninitialized stack/heap data to the userspace. See https://github.com/google/kmsan/wiki/KMSAN-Trophies for examples.
a13xp0p0v commented at 2018-10-24 08:49:
Hello @ramosian-glider, Thanks a lot for your pull request!
#1 PR merged
: Add address limit check on user-mode return which detects unbalanced …
idl3r opened issue at 2018-06-14 07:57:
…set_fs issues
a13xp0p0v commented at 2018-07-04 12:29:
Hey, @idl3r, thank you very much! I'll name it as 'TIF_FSCHECK flag' for easier search, OK?
idl3r commented at 2018-07-04 12:43:
Of coz, thank you!
a13xp0p0v commented at 2018-07-04 15:29:
Applied, thanks @idl3r