Intel Open-Source Developer Has Been Working On "FGKASLR" For Better Kernel Security

Written by Michael Larabel in Intel on 6 February 2020 at 07:13 AM EST.
In another move to tighten Linux kernel security, Intel's Kristen Carlson Accardi has proposed "FGKASLR" as a significant step forward in enhancing Kernel Address Space Layout Randomization.

The Linux kernel has employed kernel address space layout randomization (KASLR) since 2005 for fending off possible exploits that rely upon jumping to known positions within memory. While KASLR makes memory addresses for the kernel less predictable, attackers could still ultimately determine the base address of the kernel through enough guessing or leaking kernel addresses. But in aiming to make KASLR more effective, Kristen Carlson Accardi has proposed finer grained kernel address space randomization, or FGKASLR for short.

FGKASLR applies function reordering on top of the KASLR base address randomization to make relative addresses within the kernel less predictable. This function reordering is done at boot time and thus adds about an extra second of latency when booting up the system.
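The effect of reordering on relative addresses can be seen in a toy model, added here as an illustration and not taken from the FGKASLR patches. It counts how often one known function address plus an offset from the unrandomized image still locates a second function; the function sizes, base address range and the names `layout` and `count_predictable` are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#define NFUNC 8
/* Constructed toy image: function sizes in bytes, in link order. */
static const uint32_t size_of[NFUNC] = {0x40, 0x120, 0x30, 0x200, 0x90, 0x58, 0x1a0, 0x70};
/* Small deterministic PRNG (xorshift32) so every run gives the same counts. */
static uint32_t rng_state = 0x2545F491u;
static uint32_t rng(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}
/* Place the functions back to back from `base`, in the given order. */
static void layout(uint64_t base, const int order[NFUNC], uint64_t addr[NFUNC]) {
    uint64_t cur = base;
    for (int i = 0; i < NFUNC; i++) {
        addr[order[i]] = cur;
        cur += size_of[order[i]];
    }
}

/* Count boots in which the address of `leak` plus the offset from the
 * unrandomized image equals the address of `target`.
 * reorder=0: base-only KASLR. reorder=1: function order shuffled per boot. */
int count_predictable(int trials, int reorder, int leak, int target) {
    int order[NFUNC], hits = 0;
    uint64_t ref[NFUNC], boot[NFUNC];
    for (int i = 0; i < NFUNC; i++) order[i] = i;
    layout(0, order, ref);
    for (int t = 0; t < trials; t++) {
        /* Illustrative base: 512 possible 2 MiB-aligned slots (assumption). */
        uint64_t base = 0xffffffff80000000ull + ((uint64_t)(rng() % 512) << 21);
        for (int i = 0; i < NFUNC; i++) order[i] = i;
        for (int i = NFUNC - 1; reorder && i > 0; i--) {   /* Fisher-Yates */
            int j = (int)(rng() % (uint32_t)(i + 1)), tmp = order[i];
            order[i] = order[j];
            order[j] = tmp;
        }
        layout(base, order, boot);
        hits += (boot[leak] + (ref[target] - ref[leak]) == boot[target]);
    }
    return hits;
}

int main(void) {
    printf("base only: %d/1000\n", count_predictable(1000, 0, 1, 5));
    printf("reordered: %d/1000\n", count_predictable(1000, 1, 1, 5));
    return 0;
}
```

With only the base randomized, the fixed offset holds on every boot; once the order is shuffled it holds only in the rare boots where the two functions happen to end up the same distance apart.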

FGKASLR may also bring a performance hit: "Using kcbench, a kernel compilation benchmark, the performance of a kernel build with finer grained KASLR was about 1% slower than a kernel with standard KASLR. Analysis with perf showed a slightly higher percentage of L1-icache-load-misses. Other workloads were examined as well, with varied results. Some workloads performed significantly worse under FGKASLR, while others stayed the same or were mysteriously better. In general, it will depend on the code flow whether or not finer grained KASLR will impact your workload, and how the underlying code was designed."

The request for comments on this new FGKASLR functionality can be found via this mailing list post.