NetBSD, OpenBSD improve kernel security, randomly
Q: 'Where in memory did you put that kernel?' A: 'Sorry, I have no idea'
The folks at NetBSD have released their first cut of code to implement kernel ASLR – Address Space Layout Randomisation – for 64-bit AMD processors.
The KASLR release randomises where the NetBSD kernel loads in memory, giving the kernel the same security protections that ASLR gives applications.
Randomising code's memory location makes it harder to exploit bug classes like buffer overruns, since an attacker can't easily predict (and access) the memory location exposed by the bug.
As developer Maxime Villard explains, the current implementation puts a specialised kernel, “prekern”, between the bootloader and the kernel.
“The kernel is compiled as a raw library with the GENERIC_KASLR configuration file, while the prekern is compiled as a static binary. When the machine boots, the bootloader jumps into the prekern. The prekern relocates the kernel at a random virtual address (VA), and jumps into it. Finally, the kernel performs some cleanup, and executes normally.”
Villard adds that the implementation is incomplete: for example, wherever the kernel is put by prekern, it lands in a contiguous block of memory.
That makes the direction of future development pretty obvious, with the main items being:
- Randomise the kernel sections independently, and intertwine them;
- Modify several kernel entry points not to leak kernel addresses to userland;
- Randomise the kernel heap too (which is still static for now).”
The OpenBSD project offered its first look at a similar approach back in June, referred to as KARL (kernel address randomised links).
That effort became mainstream early this month in OpenBSD 6.2. ®