tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: kernel aslr: someone interested?

Le 24/03/2017 à 23:13, Joerg Sonnenberger a écrit :
On Thu, Mar 23, 2017 at 06:30:31PM +0100, Maxime Villard wrote:
I have some plans to implement kernel aslr on amd64.

For what purpose? It has been shown over and over again that ASLR simply
doesn't work in a lot of situations in userland. The situation for
kernel ASLR is significantly worse.

But it does not alter the fact that each situation is being fixed. When
it comes to kernel ASLR, five years ago a lot of people could have said
that the number of bits available to randomize the VA space is too small,
that several unprivileged instructions leak some memory locations, that
cache latency gives hints about where the kernel text is, etc.

Verily, 5-level page trees with higher entropy will be introduced by Intel
soon, the instructions that leak kernel addresses can be made privileged
(UMIP), cache issues are being fixed; and in short, I wouldn't be surprised
if in five years other features appear that make ASLR even more interesting
and faster than static code.

I would also add - even if it is not a relevant argument - that most
"commonly-used" operating systems do have kernel aslr: Windows, Mac, Linux,

From a security standpoint ...

It does make many bugs harder to exploit. The security advisory that was
published yesterday for example (about a privilege escalation bug in Xen)
would have been a lot more difficult to exploit if the kernel VA had been
randomized; currently you only need to readelf the kernel, get the address
of the sysent structure, and simply patch it.

If you look for, you can see in the Vault7 leak that the CIA was trying to
disassemble a custom NetBSD kernel to see where the text segment is
located in memory; so it's not like no one gives a damn about kernel aslr.

... it doesn't seem to be worth the effort.

Well, I've already made most of the effort required, I'm just stuck with
makefiles and toolchains. If really no one is interested in that,
developing my prekern has been at least an interesting technical challenge.

Home | Main Index | Thread Index | Old Index