Benchmarking The Performance Overhead To Linux's Proposed FGKASLR Security Feature
One of the security improvements being worked on in recent months by Intel's open-source team has been FGKASLR. But how does its performance overhead compare to just traditional KASLR? Here are benchmarks looking at the performance impact of FGKASLR on top of KASLR, just KASLR, and then no address space layout randomization.
FGKASLR, or Function Granular Kernel Address Space Layout Randomization, is being worked on by Intel for improving Linux security. Rather than just randomizing the position of the kernel in memory, the FGKASLR patch series enables randomization at the function level and is used on top of KASLR. The reordering of kernel functions is done in memory at boot time. FGKASLR isn't anything specific to Intel CPUs but a common security feature that just happens to be worked on by Intel's large open-source team as one of the leading organizations contributing to the Linux kernel.
FGKASLR aims to better protect Linux systems against exploits/vulnerabilities that rely upon known positions within memory, and to offer much more than just KASLR, where exploits can still ultimately figure out the base address. But, of course, there are performance implications, so here are benchmarks.
Using the recent FGKASLR v3 patch series, I built the patched kernel atop the Linux 5.8 upstream sources and enabled FGKASLR. For this comparison the following configurations were tested:
No KASLR/FGKASLR - Booting the system with "nokaslr", which disables both KASLR and FGKASLR.
Just KASLR - Just the traditional kernel address space layout randomization enabled but FGKASLR disabled via the "fgkaslr=off" option.
FGKASLR Enabled - Both KASLR and FGKASLR being enabled as the default behavior on the patched kernel. FGKASLR isn't part of Linux 5.8 upstream and it remains to be seen if it will get pulled into 5.9 or another near-term kernel series.
Running on an Intel Xeon Gold 5220R 2P server with Ubuntu 20.04 LTS, dozens of different benchmarks were carried out via the Phoronix Test Suite to look at the overhead of both KASLR and the proposed FGKASLR.
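An added example, not part of the original article or the FGKASLR patches: a Python check that tells the three tested configurations apart by comparing the text symbols in two /proc/kallsyms snapshots taken from the same kernel build on different boots. The function names, the labels it returns, and the sample addresses (including the symbol example_static_fn) are assumptions constructed for illustration.

```python
# Added example; all addresses and example_static_fn are constructed sample data.

def parse_kallsyms(text):
    """Return {symbol: address} for core-kernel text symbols (type t/T)."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()
        # Three fields = core kernel; a fourth field ("[module]") marks a module.
        if len(parts) != 3 or parts[1] not in ("t", "T"):
            continue
        addr = int(parts[0], 16)
        if addr:  # addresses hidden from this reader (kptr_restrict) appear as zeros
            syms[parts[2]] = addr
    return syms

def classify(boot_a, boot_b):
    """Compare the same kernel image across two boots.
    All deltas 0 -> "none"; one shared non-zero delta -> "kaslr" (base slide
    only); differing deltas -> "fgkaslr" (functions moved independently).
    """
    a, b = parse_kallsyms(boot_a), parse_kallsyms(boot_b)
    common = set(a) & set(b)
    if len(common) < 2:
        raise ValueError("need two or more shared text symbols with visible addresses")
    deltas = {b[name] - a[name] for name in common}
    if len(deltas) > 1:
        return "fgkaslr"
    return "none" if deltas == {0} else "kaslr"

BOOT_1 = """\
ffffffff81000000 T _stext
ffffffff81002000 T do_one_initcall
ffffffff812d4000 T vfs_read
ffffffff81a10000 t example_static_fn
"""
# Every symbol slid by the same 0x1e000000, so relative offsets are unchanged.
BOOT_2_KASLR = BOOT_1.replace("ffffffff81", "ffffffff9f")
# Same base slide, but each function landed at its own offset.
BOOT_2_FGKASLR = """\
ffffffff9f000000 T _stext
ffffffff9f6b1000 T do_one_initcall
ffffffff9f01c000 T vfs_read
ffffffff9f3f8000 t example_static_fn
"""

if __name__ == "__main__":
    for label, second in (("same", BOOT_1), ("slid", BOOT_2_KASLR), ("shuffled", BOOT_2_FGKASLR)):
        print(label, "->", classify(BOOT_1, second))
```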