Linux Security Feature Revised For Randomizing The Kernel Stack Offset At Each System Call
A revised patch series allows Linux to randomize the kernel stack base address offset on each system call.
The feature is designed to defeat stack-based attacks that rely on a known stack layout. With the patches applied and the feature enabled, the stack offset is randomized on every system call, so the layout differs from one syscall to the next.
The PaX/GrSecurity folks previously implemented a "RANDKSTACK" feature; this upstream work is based on the same idea but takes a different implementation approach.
The downside to randomizing the kernel stack offset for each system call is the performance overhead. Tests with a no-op system call put the added overhead at just under 1%, but we'll see how real-world performance is impacted in due course.
Besides the Kconfig option, the feature can be toggled at boot time with the randomize_kstack_offset=on/off kernel parameter.
Google's Kees Cook sent out the new patch series. The upstream work had been discussed previously but not yet mainlined; it has been revised now that multiple public attack methods are known to rely on stack determinism for success.
The per-system-call kernel stack randomization still needs review, so it is too late for Linux 5.7, whose merge window closes this weekend, but perhaps this security feature will be ready for Linux 5.8.
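To illustrate the mechanism, here is an added user-space model (not the kernel patches themselves) of what the entry path does: before dispatching to the handler, it moves the stack pointer by a freshly chosen, masked and aligned random offset, so the handler's frame lands at a different address on each "syscall". The 1 KiB offset budget, the 16-byte alignment and the xorshift stand-in for the kernel's entropy source are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of per-syscall kernel stack offset randomization.
 * Mask, alignment and PRNG are assumptions, not the kernel's values. */
#define KSTACK_OFFSET_MASK 0x3FFu            /* assumed: up to 1 KiB of slack */

static uint64_t rng_state = 0x9E3779B97F4A7C15ull; /* fixed seed for repeatability */

/* Stand-in entropy source (xorshift64); the kernel uses its own RNG. */
static uint64_t next_random(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 7;
    rng_state ^= rng_state << 17;
    return rng_state;
}

/* Offset applied at the next entry: masked to the budget, rounded down to
 * 16 bytes so the stack stays ABI-aligned. Zero when the feature is off. */
size_t choose_offset(int enabled) {
    if (!enabled) return 0;
    return (size_t)(next_random() & KSTACK_OFFSET_MASK) & ~(size_t)0xF;
}

/* The "syscall handler": report where its own frame landed. */
__attribute__((noinline)) static uintptr_t handler(void) {
    volatile char local[32];
    local[0] = 0;
    return (uintptr_t)&local[0];
}

/* The "entry stub": shift the stack pointer by the chosen offset, then
 * dispatch, so every frame below it moves by the same amount. */
__attribute__((noinline)) static uintptr_t entry(size_t offset) {
    char *pad = __builtin_alloca(offset);
    __asm__ volatile("" : : "r"(pad) : "memory"); /* keep the alloca alive */
    return handler();
}

/* Count distinct handler frame addresses seen over n simulated syscalls. */
int distinct_frames(int n, int enabled) {
    uintptr_t seen[64];                       /* 64 possible 16-byte offsets */
    int count = 0;
    for (int i = 0; i < n && count < 64; i++) {
        uintptr_t a = entry(choose_offset(enabled));
        int dup = 0;
        for (int j = 0; j < count; j++) if (seen[j] == a) dup = 1;
        if (!dup) seen[count++] = a;
    }
    return count;
}
```

With randomization off, `distinct_frames(32, 0)` returns 1 (the handler sees the same frame every time); with it on, the count is greater than 1, which is exactly the determinism the feature removes.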