EDERA, a company specializing in developing solutions for protecting Kubernetes and AI systems, recently unveiled the Openpax project. This project consists of a set of patches aimed at enhancing the security of systems by implementing counteracting methods against vulnerabilities that arise from memory-related errors. Openpax is positioned as a counterpart to the pax patch set from the grsecurity project, which has been only available as part of a paid product since 2017. The Openpax achievements are open to the public under the GPL v2 license and can be found on GitHub.
The developers behind Alpine Linux have announced their intention to include an experimental build of the kernel with Openpax patches in the upcoming release, with plans to make it a standard feature in version 3.22. Gentoo and Arch Linux distributions, which previously offered the Linux kernel with PAX patches, can also leverage Openpax. Additionally, the Openpax developers hope to incorporate some of their protection mechanisms into the mainline kernel.
Key features of Openpax include the Memory of the W^X mechanism, which prevents the creation of memory pages that can be simultaneously written to and executed. The project also implements an emulation mechanism that allows the use of stack and heap for code execution. To address potential conflicts with Just-In-Time (JIT) compilers, users can utilize XATTR and the PAXMARK utility to selectively control Openpax capabilities for executable files. Furthermore, there is a soft activation mode for Openpax, where it can be selectively enabled for specific applications by setting Kernel.pax.softmode = 1 in the sysctl configuration.
The latest developments and releases related to Openpax can be found on Openwall.