Articles & Reviews
News Archive
Forums
Premium
Contact
Categories

Computers Display Drivers Graphics Cards Linux Gaming Memory Motherboards Processors Software Storage Operating Systems Peripherals

FGKASLR Revved For Improving Linux Kernel Security

Written by Michael Larabel in Linux Security on 23 July 2020 at 01:34 PM EDT. 10 Comments

LINUX SECURITY

Intel open-source developer Kristen Carlson Accardi continues work on Function Granular Kernel Address Space Layout Randomization (FGKASLR) as a big improvement over traditional KASLR address space layout randomization.

FGKASLR was originally published earlier this year, 15 years after the debut of KASLR for randomizing the base address of the running kernel. With FGKASLR, individual kernel functions are reordered so that even if the kernel's randomized based address is revealed, an attacker still wouldn't know the location in memory of particular kernel functions as the relative addresses will be different.

FGKASLR reorders the functions at boot time and is a further improvement to Linux security for attacks that require known positions within the kernel memory. Our FGKASLR benchmarks have shown around a 4% performance hit for this added security on top of KASLR.

Kristen last week sent out v4 of FGKASLR. This new version has various code improvements, documents the fgkaslr boot option that can be used for disabling the functionality at boot time, and re-engineers the patch to hide the new address space layout when reading /proc/kallsyms.

Hopefully FGKASLR will make it into the mainline kernel in the near future.

10 Comments

Related News

New Linux Patch Lets You Force CPU Bugs/Mitigations Even When Not Vulnerable

Linux To Allow Disabling TPM PCR Integrity Protection Due To Performance Bottleneck

OpenPaX Announced As "Open-Source Alternative To GrSecurity" With Free Kernel Patch

Unauthenticated RCE Flaw With CVSS 9.9 Rating For Linux Systems Affects CUPS

Landlock Sandboxing Now Supports More Controls Around Unix Sockets

Linux 6.12 Adds Build Options For Greater Control Over CPU Security Mitigations

About The Author

Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week

OpenWrt Affected By Security Issue That Could Have Led To Compromised Build Artifacts

Linus Torvalds Comes Out Against "Completely Broken" x86_64 Feature Levels

How AMD Is Taking Standard C/C++ Code To Run Directly On GPUs

Linux EFI Zboot Abandoning "Compression Library Museum", Focusing On Gzip & Zstd

Ptyxis Becomes Ubuntu's Recommended Replacement To GNOME Terminal

COSMIC Alpha 4 Released For System76's Rust-Based Desktop

GNU Shepherd 1.0 Service Manager Released As "Solid Tool" Alternative To systemd

KDE Starts December By Landing A Number Of New Features