NetBSD security improved with the implementation of kernel ASLR (KASLR)

Pierluigi Paganini October 23, 2017

The development team at NetBSD is going to implement the KASLR (kernel Address Space Layout Randomisation) for 64-bit AMD processors.

The KASLR coding technique allows randomizing the location of memory where the NetBSD kernel is loaded. The ASRL technique is widely adopted as a security measure to protect applications from the exploitation of vulnerabilities like buffer overflow because it is impossible for the attacker to predict the memory location that could be used to inject malicious code.

The current design decouples the bootloader and the kernel with an additional layer dubbed “prekern.”

“The current design is based on a specialized kernel called the “prekern“, which operates between the bootloader and the kernel itself. The kernel is compiled as a raw library with the GENERIC_KASLR configuration file, while the prekern is compiled as a static binary.” explained the developer Maxime Villard.

“When the machine boots, the bootloader jumps into the prekern. The prekern relocates the kernel at a random virtual address (VA), and jumps into it. Finally, the kernel performs some cleanup, and executes normally.”

netbsd KASLR

The implementation is still incomplete, Villard anticipated the future work:

  • Randomise the kernel sections independently, and intertwine them;
  • Modify several kernel entry points not to leak kernel addresses to userland;
  • Randomise the kernel heap too (which is still static for now).”

All of the patches are already available in the current NetBSD, the post written by the developer also includes a link to the instructions on how to install and use this implementation.

This KASLR implementation will be available starting from NetBSD 9.

“Once it is stabilized, it may be backported to NetBSD 8. Until then, feel free to test it!”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – NetBSD , KASLR)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment