Re: kernel aslr: someone interested?

To: tech-kern%netbsd.org@localhost
Subject: Re: kernel aslr: someone interested?
From: Maxime Villard <max%m00nbsd.net@localhost>
Date: Sat, 25 Mar 2017 09:20:14 +0100

Le 24/03/2017 à 23:13, Joerg Sonnenberger a écrit :

On Thu, Mar 23, 2017 at 06:30:31PM +0100, Maxime Villard wrote:

I have some plans to implement kernel aslr on amd64.


For what purpose? It has been shown over and over again that ASLR simply
doesn't work in a lot of situations in userland. The situation for
kernel ASLR is significantly worse.


But it does not alter the fact that each situation is being fixed. When
it comes to kernel ASLR, five years ago a lot of people could have said
that the number of bits available to randomize the VA space is too small,
that several unprivileged instructions leak some memory locations, that
cache latency gives hints about where the kernel text is, etc.

Verily, 5-level page trees with higher entropy will be introduced by Intel
soon, the instructions that leak kernel addresses can be made privileged
(UMIP), cache issues are being fixed; and in short, I wouldn't be surprised
if in five years other features appear that make ASLR even more interesting
and faster than static code.

I would also add - even if it is not a relevant argument - that most
"commonly-used" operating systems do have kernel aslr: Windows, Mac, Linux,
etc.

From a security standpoint ...


It does make many bugs harder to exploit. The security advisory that was
published yesterday for example (about a privilege escalation bug in Xen)
would have been a lot more difficult to exploit if the kernel VA had been
randomized; currently you only need to readelf the kernel, get the address
of the sysent structure, and simply patch it.

If you look for, you can see in the Vault7 leak that the CIA was trying to
disassemble a custom NetBSD kernel to see where the text segment is
located in memory; so it's not like no one gives a damn about kernel aslr.

... it doesn't seem to be worth the effort.


Well, I've already made most of the effort required, I'm just stuck with
makefiles and toolchains. If really no one is interested in that,
developing my prekern has been at least an interesting technical challenge.

Follow-Ups:
- Re: kernel aslr: someone interested?
  - From: Thor Lancelot Simon
- Re: kernel aslr: someone interested?
  - From: Joerg Sonnenberger
- Re: kernel aslr: someone interested?
  - From: Greg Troxel

References:
- kernel aslr: someone interested?
  - From: Maxime Villard
- Re: kernel aslr: someone interested?
  - From: Joerg Sonnenberger

Prev by Date: Re: kernel aslr: someone interested?
Next by Date: Re: kernel aslr: someone interested?
Previous by Thread: Re: kernel aslr: someone interested?
Next by Thread: Re: kernel aslr: someone interested?
Indexes:

Home | Main Index | Thread Index | Old Index