Today's release of grsecurity® for the Linux 4.5 kernel marks an important milestone in the project's history. It is the first kernel to contain RAP, a patented defense mechanism against code reuse attacks. RAP was announced to the world at the H2HC conference in October 2015 and represents the best available solution of its type. RAP is the result of our multi-years research and development in Control Flow Integrity (CFI) technologies by PaX. It ground-breakingly scales to C and C++ code bases of arbitrary sizes and provides best-effort protection against code reuse attacks with minimal performance impact. The public version of RAP available in the grsecurity test kernels from now on demonstrates a subset of the features in the full version, available today for commercial licensing from Open Source Security, Inc. The demo version will evolve over time, but is currently tailored for x64 kernel use only and does not support C++, link-time optimization, compile time static analysis, and probabilistic return address protection. In addition, the demo's GPLv2 license excludes userland applications due to the GCC library runtime exception for GCC plugins.
For a technical deep-dive into RAP, please read the PaX Team's H2HC 2015 presentation. For a less-technical description everyone can understand of the history of code reuse attacks, how RAP works, and why it's a ground-breaking defense, we've prepared a FAQ. RAP is available commercially today. Reach us at firstname.lastname@example.org for details.
Brad Spengler & The PaX Team