FGKASLR Patches Revised A 10th Time For Improving Linux Kernel Security

Written by Michael Larabel in Linux Security on 14 February 2022 at 05:32 AM EST.
Last week marked the tenth iteration of the "FGKASLR" Linux patches for providing per-function kernel address space layout randomization support.

It was nearly two years ago to the day that FGKASLR was first published. It continues to be refined, is now up to the "v10" patches, and will hopefully make it to mainline in the not too distant future. While Kernel Address Space Layout Randomization (KASLR) has been supported by the Linux kernel for a decade and a half to protect against exploits that rely upon known positions within memory, it isn't entirely effective. Through guessing addresses or accidental leakage of the base kernel address, KASLR can become less effective, and that is what FGKASLR looks to address.

Finer-Grained KASLR (also referred to as Function Granular KASLR) provides function reordering on top of the KASLR base address randomization. In turn, function locations within system memory are harder to predict even when the base address is known. The random function reordering is applied at boot time.
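The following model is an added illustration, not code from the FGKASLR patches. It measures how often one leaked function address still locates another function, first with base-only randomization and then with a per-boot function shuffle. The symbol names, sizes, slot count and alignment are constructed assumptions, and the model ignores how the real series handles sections and alignment.

```python
import random

# Constructed link-time image: (symbol, size in bytes). Names and sizes are
# hypothetical stand-ins for the static layout readable from a kernel binary.
IMAGE = [("sym_a", 0x40), ("sym_b", 0x130), ("leaked_fn", 0x90), ("sym_c", 0x2c0),
         ("sym_d", 0x58), ("target_fn", 0x1a0), ("sym_e", 0x74), ("sym_f", 0x210)]
LINK_BASE = 0xffffffff81000000
ALIGN = 0x200000   # base-slide granularity assumed for this model
SLOTS = 512        # number of candidate base slots assumed for this model


def layout(order, base):
    """Place functions back to back in `order`, starting at `base`."""
    addrs, cursor = {}, base
    for name, size in order:
        addrs[name] = cursor
        cursor += size
    return addrs


STATIC = layout(IMAGE, LINK_BASE)  # offsets known offline from the binary


def boot(seed, fine_grained):
    """Model one boot: random base slide, plus a function shuffle if enabled."""
    rng = random.Random(seed)
    base = LINK_BASE + rng.randrange(SLOTS) * ALIGN
    order = list(IMAGE)
    if fine_grained:
        rng.shuffle(order)  # per-boot function reordering
    return layout(order, base)


def predict_from_leak(leaked_addr):
    """Derive target_fn from one leaked pointer using the static offsets."""
    return leaked_addr - STATIC["leaked_fn"] + STATIC["target_fn"]


def prediction_rate(fine_grained, boots=500):
    """Fraction of modelled boots where the leak-based prediction is correct."""
    hits = 0
    for seed in range(boots):
        runtime = boot(seed, fine_grained)
        hits += predict_from_leak(runtime["leaked_fn"]) == runtime["target_fn"]
    return hits / boots


if __name__ == "__main__":
    print("base randomization only:", prediction_rate(False))
    print("with function reordering:", prediction_rate(True))
```

With base-only randomization the relative offsets never change, so the prediction is right on every modelled boot. With the shuffle it succeeds only when the two functions happen to keep the same distance.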

FGKASLR does add a small amount of latency to the Linux boot time due to that dynamic function reordering. The run-time performance impact of FGKASLR can vary by workload due to the possibility of slightly more cache misses.

The FGKASLR v10 patches re-base the series atop the latest Linux Git code and have a number of smaller technical changes/improvements throughout the patch series.

Those interested in checking out the latest on FGKASLR can see the v10 patch series from Intel's Alexander Lobakin via the kernel mailing list.