FGKASLR Revised For Better Linux Security Via Enhanced Address Space Randomization
One of the many high-profile features that didn't make it in time for Linux 5.8 is FGKASLR, Function Granular Kernel Address Space Layout Randomization.
Intel's Kristen Carlson Accardi sent out the original FGKASLR patches back in February for enhancing kernel security by providing address space layout randomization on a function level rather than just changing out the base address of the kernel. Function reordering is used on top of KASLR to make relative addresses within the kernel far less predictable. This reordering is done at boot time.
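To illustrate why reordering functions matters on top of base randomization, here is an added toy model in C (not code from the FGKASLR patches). The function sizes, base range, PRNG and helper names are constructed assumptions; it only counts how many distinct offsets between two functions appear across simulated boots.

```c
#include <stdint.h>
#include <stdio.h>

#define NFUNCS 6
/* Constructed function sizes in bytes (not real kernel symbols). */
static const uint64_t sizes[NFUNCS] = {0x40, 0x120, 0x80, 0x200, 0x60, 0x1a0};

/* Toy deterministic PRNG so every simulated "boot" seed is reproducible. */
static uint32_t next_rand(uint32_t *s) {
    *s = *s * 1664525u + 1013904223u;
    return *s >> 8;
}

/* Lay out the functions for one simulated boot. fine_grained == 0 moves only
 * the base (KASLR); otherwise the function order is shuffled too (FGKASLR). */
void layout(uint32_t seed, int fine_grained, uint64_t addr[NFUNCS]) {
    int order[NFUNCS];
    uint64_t cur = 0xffffffff80000000ull + ((uint64_t)(next_rand(&seed) % 512) << 21);
    for (int i = 0; i < NFUNCS; i++) order[i] = i;
    if (fine_grained)
        for (int i = NFUNCS - 1; i > 0; i--) {   /* Fisher-Yates shuffle */
            int j = (int)(next_rand(&seed) % (uint32_t)(i + 1));
            int t = order[i]; order[i] = order[j]; order[j] = t;
        }
    for (int i = 0; i < NFUNCS; i++) {
        addr[order[i]] = cur;
        cur += sizes[order[i]];
    }
}

/* Count distinct values of addr[b] - addr[a] seen across `boots` boots. */
int distinct_offsets(int fine_grained, int a, int b, int boots) {
    int64_t seen[64]; int n = 0;
    for (int s = 1; s <= boots && n < 64; s++) {
        uint64_t addr[NFUNCS];
        layout((uint32_t)s, fine_grained, addr);
        int64_t d = (int64_t)(addr[b] - addr[a]);
        int k = 0;
        while (k < n && seen[k] != d) k++;
        if (k == n) seen[n++] = d;
    }
    return n;
}

int main(void) {
    printf("KASLR only: %d distinct offset(s)\n", distinct_offsets(0, 0, 3, 200));
    printf("FGKASLR   : %d distinct offset(s)\n", distinct_offsets(1, 0, 3, 200));
    return 0;
}
```

With base-only randomization the offset between any two functions is the same on every boot, so one known address determines all the others; with per-function shuffling that relationship changes from boot to boot.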
Function Granular Kernel Address Space Layout Randomization is great for improving kernel security, but besides slightly longer boot times it can also impact performance. Reported benchmark results with FGKASLR were mixed, and we still have our own plans to benchmark the patches on our ever-long TODO list.
Sent out on Tuesday by Kristen were the v3 patches for this functionality. She has been improving the commit messages / cover letter / documentation and making various minor tweaks and code improvements.
See the mailing list thread for more details on the latest FGKASLR support. We'll see if this work gets tidied up in time for merging with Linux 5.9 later this summer. Hopefully in the coming days I'll find the time to run our benchmarks of it.