Linux Security Feature Revised For Randomizing The Kernel Stack Offset At Each System Call

Written by Michael Larabel in Linux Security on 8 April 2020 at 11:02 AM EDT. 6 Comments
LINUX SECURITY
Patches have been revised for allowing Linux to support kernel stack base address offset randomization for each system call.

This feature is designed for preventing various stack-based attacks that rely upon a known layout of the stack structure. With these patches and enabling the feature, the stack offset would be randomized on each system call so the layout changes for each syscall.

The PaX/GrSecurity folks previously implemented a "RANDKSTACK" feature for which this upstream work is based on their idea but with a different implementation approach.

The downside to randomizing the kernel stack offset for each system call is the performance overhead. Tests with a no-op system call found the added overhead to be just under 1%, but we'll see how the real-world performance is impacted in due course.

Besides the Kconfig switch, this feature will be toggle-able at boot time using the randomize_kstack_offset=on/off switch.

Google's Kees Cook sent out the new patch series. This work for upstream was previously talked about but not mainlined yet. This work has been revised now that there are multiple known public attack methods relying upon stack determinism for success.

This latest kernel stack randomization per-system-call is still left to be reviewed and thus too late for seeing in Linux 5.7 with its merge window closing this weekend but perhaps we'll see this security feature readied for Linux 5.8.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week