tech-kern archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: amd64: kernel aslr support
Le 04/10/2017 à 21:00, Maxime Villard a écrit :
Here is a Kernel ASLR implementation for NetBSD-amd64.
[...]
Known issues:
* Right now, the kernel segments are contiguous. Starting from this
implementation, it wouldn't be really difficult to randomize the segments
independently - adding gaps between them and changing their order too.
Then, we could split the segments themselves in sub-blocks and intertwine
them.
[...]
So, I did it. Now the kernel sections are split in sub-blocks, and are all
randomized independently. See my drawing [1].
What it means in practice, is that Kernel ASLR is much more difficult to
defeat: a cache attack will at most allow you to know that a given range is
mapped as executable for example, but you don't know which sub-block of .text
it is; a kernel pointer leak will at most allow you to reconstruct the layout
of one sub-block, but you don't know the layout and address of the remaining
blocks, and there can be many.
The size and number of these blocks is controlled by the split-by-file
parameter in Makefile.amd64. Right now it is set to 2MB, which produces a
kernel with ~23 allocatable (ie useful at runtime) sections, which is a third
of the total number supported (BTSPACE_NSEGS = 64). I will probably reduce
this parameter a bit in the future, to 1.5MB, or even 1MB.
All of that leaves us with about the most advanced KASLR implementation
available out there. There are ways to improve it even more, but you'll have
to wait a few weeks for that.
If you want to try it out you need to make sure you have the latest versions
of GENERIC_KASLR / prekern / bootloader. The instructions are still here [2],
and haven't changed.
Maxime
[1] http://mail-index.netbsd.org/source-changes/2017/11/14/msg089697.html
[2] http://m00nbsd.net/542a5cfd448aaf7db7adcadce74123d2.html
Home |
Main Index |
Thread Index |
Old Index