Intel Open-Source Developer Has Been Working On "FGKASLR" For Better Kernel Security

Written by Michael Larabel in Intel on 6 February 2020 at 07:13 AM EST. 6 Comments
INTEL
As another step towards tightening up the Linux kernel security, Intel's Kristen Carlson Accardi has proposed "FGKASLR" as a significant step forward for better enhancing the Kernel Address Space Layout Randomization.

The Linux kernel has employed kernel address space layout randomization (KASLR) since 2005 for fending off possible exploits that rely upon jumping to known positions within memory. While KASLR makes memory addresses for the kernel less predictable, attackers could still ultimately determine the base address of the kernel through enough guessing or leaking kernel addresses. But in aiming to make KASLR more effective, Kristen Carlson Accardi has proposed finer grained kernel address space randomization, or FGKASLR for short.

FGKASLR applies function reordering on top of the KASLR base address randomization to make relative addresses within the kernel less predictable. This function reordering is done at boot time and thus adds about an extra second of latency when booting up the system.

There is also the possibility of performance hits from FGKASLR, "Using kcbench, a kernel compilation benchmark, the performance of a kernel build with finer grained KASLR was about 1% slower than a kernel with standard KASLR. Analysis with perf showed a slightly higher percentage of L1-icache-load-misses. Other workloads were examined as well, with varied results. Some workloads performed significantly worse under FGKASLR, while others stayed the same or were mysteriously better. In general, it will depend on the code flow whether or not finer grained KASLR will impact your workload, and how the underlying code was designed."

The request for comments on this new FGKASLR functionality can be found via this mailing list post.
6 Comments
Related News
Intel Talks Up Their Latest Compiler Toolchain Enhancements For AVX10.1, AMX & More
Rework For Intel CPU Model Handling To Land With Linux 6.10
Linux 6.10 Adding Intel Low-Latency Hint To Aggressively Boost GT Frequency For GPU Compute
Intel Releases OpenVINO 2024.1 With More Gen AI & LLM Features
Intel ANV Vulkan Driver Enables VK_KHR_shader_float_controls2
Intel Has Many Improvements For The Xe Graphics Driver In Linux 6.10
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
systemd Rolling Out "run0" As sudo Alternative
Linux Mint Looks To Fork More GNOME Software, Make XApp More Independent
Microsoft Open-Sources MS-DOS 4.0 Under MIT License
Microsoft Updates Cascadia Code: Its Open-Source Font For Developers
Systemd 256-rc1 Brings A Huge Number Of New Features
NVIDIA Developer Opens Feature Pull Request For Open-Source NVK Driver
Rust-Based Coreutils 0.0.26 Increases Compatibility With GNU Coreutils
Ubuntu 24.04 LTS Downloads Now Available