tech-kern archive

Re: amd64: kernel aslr support

To: tech-kern%NetBSD.org@localhost

Subject: Re: amd64: kernel aslr support

From: Maxime Villard <max%m00nbsd.net@localhost>

Date: Tue, 14 Nov 2017 15:43:09 +0100

On 04/10/2017 at 21:00, Maxime Villard wrote:

Here is a Kernel ASLR implementation for NetBSD-amd64. [...] Known issues: * Right now, the kernel segments are contiguous. Starting from this implementation, it wouldn't be really difficult to randomize the segments independently - adding gaps between them and changing their order too. Then, we could split the segments themselves in sub-blocks and intertwine them. [...]

So, I did it. Now the kernel sections are split in sub-blocks, and are all randomized independently. See my drawing [1].

What it means in practice is that Kernel ASLR is much more difficult to defeat: a cache attack will at most allow you to know that a given range is mapped as executable, for example, but you don't know which sub-block of .text it is; a kernel pointer leak will at most allow you to reconstruct the layout of one sub-block, but you don't know the layout and address of the remaining blocks, and there can be many.

The size and number of these blocks is controlled by the split-by-file parameter in Makefile.amd64. Right now it is set to 2MB, which produces a kernel with ~23 allocatable (i.e. useful at runtime) sections, which is a third of the total number supported (BTSPACE_NSEGS = 64). I will probably reduce this parameter a bit in the future, to 1.5MB, or even 1MB.

All of that leaves us with about the most advanced KASLR implementation available out there. There are ways to improve it even more, but you'll have to wait a few weeks for that.

If you want to try it out you need to make sure you have the latest versions of GENERIC_KASLR / prekern / bootloader. The instructions are still here [2], and haven't changed.

Maxime

[1] http://mail-index.netbsd.org/source-changes/2017/11/14/msg089697.html
[2] http://m00nbsd.net/542a5cfd448aaf7db7adcadce74123d2.html
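A toy model of the split-and-shuffle layout the post describes, added here as an illustration and not code from NetBSD's prekern or from the author: sections are cut into sub-blocks no larger than the split-by-file size, capped at BTSPACE_NSEGS, and each sub-block is then mapped in random order behind its own random gap. Only the 2MB and 64 figures come from the post; the section sizes, the kernel base, the gap policy and page alignment are constructed assumptions.

```python
import random

MB = 1 << 20
PAGE = 4096
SPLIT_BY_FILE = 2 * MB   # value quoted in the post (Makefile.amd64 split-by-file)
BTSPACE_NSEGS = 64       # value quoted in the post (max bootspace segments)
KERNBASE = 0xffffffff80000000  # assumed base of the randomization window

def split_sections(sections, max_size=SPLIT_BY_FILE):
    """Cut each (name, size) section into sub-blocks of at most max_size bytes."""
    blocks = []
    for name, size in sections:
        for idx, off in enumerate(range(0, size, max_size)):
            blocks.append((f"{name}#{idx}", min(max_size, size - off)))
    if len(blocks) > BTSPACE_NSEGS:
        raise ValueError(f"{len(blocks)} sub-blocks exceed BTSPACE_NSEGS={BTSPACE_NSEGS}")
    return blocks

def randomize_layout(blocks, rng, base=KERNBASE, max_gap=4 * MB):
    """Map sub-blocks in random order, each behind its own random page-aligned gap."""
    order = list(blocks)
    rng.shuffle(order)
    layout, va = {}, base
    for name, size in order:
        va += rng.randrange(max_gap // PAGE + 1) * PAGE   # random gap (assumed policy)
        layout[name] = va
        va += -(-size // PAGE) * PAGE                     # advance by page-rounded size
    return layout

def no_overlap(blocks, layout):
    """True if no two mapped sub-blocks share any byte."""
    sizes = dict(blocks)
    spans = sorted((va, va + sizes[n]) for n, va in layout.items())
    return all(a_end <= b_start for (_, a_end), (b_start, _) in zip(spans, spans[1:]))

# Constructed section sizes, chosen only to exercise the splitting; not a real kernel.
SECTIONS = [(".text", 17 * MB + 300 * 1024), (".rodata", 6 * MB + 100 * 1024),
            (".data", 3 * MB), (".bss", 2 * MB + 1)]

def boot_layout(seed, sections=SECTIONS):
    """One simulated boot: split the sections, then place them with seed-driven randomness."""
    blocks = split_sections(sections)
    return blocks, randomize_layout(blocks, random.Random(seed))

if __name__ == "__main__":
    for seed in (1, 2):   # two boots: same sub-blocks, independent layouts
        blocks, layout = boot_layout(seed)
        print(f"boot {seed}: {len(blocks)} sub-blocks,",
              ", ".join(f"{n}@{layout[n]:#x}" for n in (".text#0", ".text#1")))
```

Comparing the two printed boots shows the point made above: knowing where `.text#0` landed tells you nothing about `.text#1`, since each block's order and gap are drawn independently.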