FGKASLR Revved For Improving Linux Kernel Security

Intel open-source developer Kristen Carlson Accardi continues work on Function Granular Kernel Address Space Layout Randomization (FGKASLR) as a big improvement over traditional KASLR address space layout randomization.

FGKASLR was originally published earlier this year, 15 years after the debut of KASLR for randomizing the base address of the running kernel. With FGKASLR, individual kernel functions are reordered so that even if the kernel's randomized based address is revealed, an attacker still wouldn't know the location in memory of particular kernel functions as the relative addresses will be different.

FGKASLR reorders the functions at boot time and is a further improvement to Linux security for attacks that require known positions within the kernel memory. Our FGKASLR benchmarks have shown around a 4% performance hit for this added security on top of KASLR.

Kristen last week sent out v4 of FGKASLR. This new version has various code improvements, documents the fgkaslr boot option that can be used for disabling the functionality at boot time, and re-engineers the patch to hide the new address space layout when reading /proc/kallsyms.

Hopefully FGKASLR will make it into the mainline kernel in the near future.