October 12, 2017 posted byMaxime Villard
Recently, I completed a Kernel ASLR implementation for NetBSD-amd64, makingNetBSD the first BSD system to support such a feature. Simply said, KASLR is afeature that randomizes the location of the kernel in memory, making it harderto exploit several classes of vulnerabilities, both locally (privilegeescalations) and remotely (remote code executions).
Current design
The current design is based on a specialized kernel called the "prekern", whichoperates between the bootloader and the kernel itself. The kernel is compiledas a raw library with the GENERIC_KASLR configuration file, while the prekernis compiled as a static binary. When the machine boots, the bootloader jumpsinto the prekern. The prekern relocates the kernel at a random virtual address(VA), and jumps into it. Finally, the kernel performs some cleanup, and executesnormally.
Currently, the kernel is randomized as a single block. That is to say, a randomVA is chosen, and the kernel text->rodata->data sections are mappedcontiguously starting from there. It has several drawbacks, but it's a firstshot.
To complete this implementation, work had to be done at three levels: thebootloader, the prekern and the kernel. I committed several of the kernel andbootloader patches discreetly a few months ago, to pave some way for realchanges. In the past few weeks, I changed the low-level x86 layer of the kerneland replaced several hard-coded (and sometimes magic) values by variables, insuch a way that the kernel can run with a non-static memory layout. Finally, thelast step was committing the prekern itself to the source tree.
Future work
- Randomize the kernel sections independently, and intertwine them.
- Modify several kernel entry points not to leak kernel addresses to userland.
- Randomize the kernel heap too (which is still static for now).
- Fix a few other things that need some more work.
How to use
All of the patches are now in NetBSD-current. Instructions on how toinstall and use this implementation can be foundhere;they are inlined below, and probably won't change in the future.
Make sure you have a v5.11 bootloader installed. If you don't, build and installa new bootloader:
$ cd /usr/src/sys/arch/i386/stand/boot $ make # cp biosboot/boot /
Build and install a KASLR kernel:
$ cd /usr/src $ ./build.sh -u kernel=GENERIC_KASLR # cp /usr/obj/sys/arch/amd64/compile/GENERIC_KASLR/netbsd /netbsd_kaslr
Finally, build and install a prekern:
$ cd /usr/src/sys/arch/amd64/stand/prekern $ make # cp prekern /prekern
Reboot your machine. In the boot prompt, enter:
> pkboot netbsd_kaslr
The system will boot with no further user interaction. Should you encounterany regression or unexpected behavior, please report it immediatelyto tech-kern.
Note that you can still boot a static kernel, by typing as usual:
> boot netbsd
Availability
This KASLR implementation will be available starting from NetBSD 9. Once it isstabilized, it may be backported to NetBSD 8. Until then, feel free to test it!
[0 comments]
![[NetBSD Logo]](/image.pl?url=https%3a%2f%2fweb.archive.org%2fweb%2f20171016175156im_%2fhttps%3a%2f%2fblog.netbsd.org%2ftnf%2fresource%2fNetBSD-headerlogo.png&f=jpg&w=240)
