13

I know all about how ASLR works, and how it has been implemented on both Linux and Windows systems. It provides an extra layer of protection that malware has to take into account. But nowadays with computers being left on for long periods of time ASLR doesn't seem to randomize the address space as much as we would like. Windows 8 has taken extra steps to ensure that ASLR is effective.

I just found out about kernel level ASLR when I built and upgraded my Linux kernel, and noticed that on boot it said:

KASLR not enabled

After doing some searching I didn't find that much on KASLR in general. So now I'm curious if anyone here has experience with it.

  1. Is KASLR worth it? Does it provide a significant advantage? I would have to rebuild my kernel, configure it for KASLR and all that jazz. Not terrible, but slightly annoying.
  2. Does this exist in the Windows world? If so, does Windows do a better job at its implementation?

Or maybe the world just isn't ready for it yet...

RoraΖ

1 Answer

7

KASLR came under heavy criticism on the day it was released for Linux, and it was also defeated on that very day. Spender at grsecurity has written a post about it (along with LWN comments) which I'll only summarize in a simplistic way. I highly encourage reading the original source.

Address Space Layout Randomisation was originally applied to complicate exploits, as we all know, by randomising the position of a lot of pointers on the stack. Defeating ASLR requires one of:

  • bruteforcing until you accidentally find the correct random address (which requires re-launching the app and barely ever applies to KASLR)
  • retrieving pointers that leak information about the memory layout

The second option is very promising for kernels: they can't have too large a random offset because some hardware configurations might have a limited address space, and most importantly kernels can't change their offset throughout their entire life cycle! This means a single memory layout leak will defeat KASLR until the machine is rebooted. According to Spender, this kind of bug happens pretty often.

This is exactly why Linux KASLR is weak, and even "a failure" according to Spender. The mechanism was not intended for kernels. Do read his article if you want more details. He does speak about other implementations, and you should understand from the points made above that it is not only the implementations that are weak, but rather the design. KASLR needs a lot more care in how it is implemented than traditional ASLR because the conditions for exploitation are much more favourable.

Edit: and apparently you're just a Google search away from knowing how to exploit the Windows KASLR implementation.

forest
Steve Dodier-Lazaro
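The "single memory layout leak" attack the answer describes, as an added C example that is not part of the original answer or of any kernel's code: because the whole kernel text slides by one fixed amount for the entire uptime, one leaked runtime address of any known symbol gives the slide, and the slide rebases every other symbol in the build's System.map. The symbol addresses, the leaked `/proc/kallsyms`-style line, and the 2 MiB alignment and 1 GiB maximum offset (the x86_64 `CONFIG_RANDOMIZE_BASE` defaults, assumed here) are constructed for illustration.

```c
/* Added example: recover the KASLR slide from one leaked kernel text
 * pointer, validate it, and rebase other symbols. All addresses are
 * constructed; they do not belong to any real kernel build. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed x86_64 defaults: the text is slid by a multiple of 2 MiB,
 * within a 1 GiB window (see arch/x86/boot/compressed/kaslr.c for
 * the real values on your tree). */
#define KASLR_ALIGN      0x200000ULL
#define KASLR_MAX_OFFSET 0x40000000ULL

struct sym { const char *name; uint64_t addr; };

/* Constructed, unslid "System.map" of the running build (link-time addresses). */
static const struct sym build_map[] = {
    { "startup_64",          0xffffffff81000000ULL },
    { "native_write_cr4",    0xffffffff81038c90ULL },
    { "commit_creds",        0xffffffff810a4c20ULL },
    { "prepare_kernel_cred", 0xffffffff810a5010ULL },
};
#define NSYMS (sizeof build_map / sizeof build_map[0])

static int map_lookup(const char *name, uint64_t *out)
{
    for (size_t i = 0; i < NSYMS; i++)
        if (strcmp(build_map[i].name, name) == 0) { *out = build_map[i].addr; return 0; }
    return -1;
}

/* Parse one line in /proc/kallsyms format: "<hex addr> <type> <name>".
 * Returns 0 on success, -1 on malformed input. */
int parse_kallsyms_line(const char *line, uint64_t *addr, char *name, size_t namelen)
{
    char type, buf[128];
    if (sscanf(line, "%" SCNx64 " %c %127s", addr, &type, buf) != 3) return -1;
    if (strlen(buf) >= namelen) return -1;
    strcpy(name, buf);
    return 0;
}

/* slide = leaked runtime address - link-time address of the same symbol.
 * A slide that is not KASLR-aligned or is out of range means the "leak"
 * was not really a kernel text pointer (wrong build, heap pointer, ...). */
int kaslr_slide_from_leak(const char *name, uint64_t leaked, uint64_t *slide)
{
    uint64_t linktime;
    if (map_lookup(name, &linktime) != 0 || leaked < linktime) return -1;
    uint64_t s = leaked - linktime;
    if (s % KASLR_ALIGN != 0 || s >= KASLR_MAX_OFFSET) return -1;
    *slide = s;
    return 0;
}

/* Once the slide is known, every symbol in the map is known for this boot. */
int rebase(const char *name, uint64_t slide, uint64_t *runtime)
{
    uint64_t linktime;
    if (map_lookup(name, &linktime) != 0) return -1;
    *runtime = linktime + slide;
    return 0;
}

/* Number of distinct slides an attacker would have to guess without a leak. */
unsigned long kaslr_slots(void) { return (unsigned long)(KASLR_MAX_OFFSET / KASLR_ALIGN); }

/* Convenience: leak line in, runtime address of 'target' out (0 on failure). */
uint64_t rebase_from_leak(const char *leak_line, const char *target)
{
    uint64_t leaked, slide, out;
    char name[64];
    if (parse_kallsyms_line(leak_line, &leaked, name, sizeof name) != 0) return 0;
    if (kaslr_slide_from_leak(name, leaked, &slide) != 0) return 0;
    if (rebase(target, slide, &out) != 0) return 0;
    return out;
}

int main(void)
{
    /* Constructed leak, in the form /proc/kallsyms prints with kptr_restrict=0. */
    const char *leak = "ffffffff9f2a4c20 T commit_creds";
    uint64_t leaked, slide, target;
    char name[64];
    if (parse_kallsyms_line(leak, &leaked, name, sizeof name) != 0) return 1;
    if (kaslr_slide_from_leak(name, leaked, &slide) != 0) return 1;
    printf("slide = 0x%" PRIx64 " (one of %lu possible slots)\n", slide, kaslr_slots());
    if (rebase("prepare_kernel_cred", slide, &target) == 0)
        printf("prepare_kernel_cred now at 0x%" PRIx64 "\n", target);
    return 0;
}
```

The alignment check is the practitioner's sanity test: a leaked value that yields an unaligned slide is not a text pointer for this build, so an exploit should stop rather than jump to a guessed address and oops the box. The `kaslr_slots()` figure also shows why the answer says brute force "barely ever applies to KASLR": 512 candidates would be trivial for a userspace process that can be restarted, but each wrong guess against the kernel is a panic. On a real machine the leak sources to check are `/proc/kallsyms` and `dmesg` with `kptr_restrict` and `dmesg_restrict` left at 0, which print exactly such lines.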