OpenPaX: Open-source kernel patch that mitigates memory safety errors
OpenPaX is an open-source Linux kernel patch that mitigates common memory safety errors, re-hardening systems against application-level memory safety attacks. It’s available under the same GPLv2 license terms as the Linux kernel.
“We are pleased to be able to bring this to the industry at large and as an integrated offering for our customers with Edera Protect,” said Ariadne Conill, distinguished engineer at Edera and maintainer of Alpine Linux. “Until now, access to common-sense memory safety mitigations such as userspace W^X required developers and companies to license an expensive kernel patch that they could not redistribute without losing access to updated versions of the patch, arguably violating the GPL. OpenPaX changes all that for the better.”
OpenPaX is a Linux kernel patch and, on modern hardware, an alternative to the original PaX patch (now distributed as part of grsecurity), aimed at system administrators who need a layer of defense against memory-safety-related vulnerabilities. The Linux kernel community also gains access to an open-source hardening patch set, and some OpenPaX features will be upstreamed as appropriate.
The introduction of OpenPaX is good news for Linux distros. Alpine Linux, for example, will return to shipping a PaX-enabled kernel in 3.21 as a technical preview. Further integration will happen in Alpine 3.22.
OpenPaX is available for free on GitHub.