Linux 5.13 Poised To Allow Randomizing Kernel Stack Offset At Each System Call

Written by Michael Larabel in Linux Security on 9 April 2021 at 03:00 AM EDT. 5 Comments
The ability to randomize the kernel stack offset at each system call looks like it will land for the upcoming Linux 5.13 cycle. This optional feature makes it much more difficult to carry out stack-based attacks on the Linux kernel.

Back in 2019, Intel engineer Elena Reshetova proposed randomizing the kernel stack offset on each system call. The code was originally inspired by PaX's RANDKSTACK feature, which hardens the kernel against exploits that rely on kernel stack determinism. Google engineer Kees Cook later took over the effort, and after ten rounds of code review the patches look set to land in Linux 5.13.

This work optionally randomizes the kernel stack offset at each system call. The feature is controlled at boot via the randomize_kstack_offset= option, which accepts the values on and off. ARM64 and x86/x86_64 are the initial CPU architectures supporting it.
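As an added example (not from the article or the kernel patches), the following POSIX shell function parses a kernel command line and reports the effective randomize_kstack_offset= setting, treating an absent parameter as off because the article states the feature is disabled by default. The sample command lines are constructed for this example; the live check at the bottom only runs when /proc/cmdline is readable.

```shell
#!/bin/sh
# Added example, not part of the Phoronix article or the kernel patches:
# parse a kernel command line and report the effective
# randomize_kstack_offset= setting.  The article states that the
# feature is off by default, so an absent parameter reports "off".

# kstack_offset_setting "<kernel command line>"
# Prints one of: on, off, unrecognized:<value>
# Returns 0 when the feature is on, 1 otherwise.
kstack_offset_setting() {
    _setting=off      # default per the article: off unless explicitly enabled
    # Kernel parameters are space separated; word-splitting is intended here.
    # If the parameter appears more than once, the last occurrence is reported.
    for _tok in $1; do
        case $_tok in
            randomize_kstack_offset=on)  _setting=on ;;
            randomize_kstack_offset=off) _setting=off ;;
            randomize_kstack_offset=*)   _setting="unrecognized:${_tok#*=}" ;;
        esac
    done
    printf '%s\n' "$_setting"
    [ "$_setting" = on ]
}

# Sample command lines (constructed for this example).
SAMPLE_ON='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet randomize_kstack_offset=on'
SAMPLE_OFF='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet randomize_kstack_offset=off'
SAMPLE_UNSET='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet'

# Report on the running system when /proc/cmdline is readable (Linux only).
if [ -r /proc/cmdline ]; then
    printf 'running kernel: randomize_kstack_offset is '
    kstack_offset_setting "$(cat /proc/cmdline)" || true
fi
```

The function's exit status makes it usable directly in a hardening audit script, for example to flag hosts where the parameter is absent or set to an unexpected value.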

Running with this option enabled should make stack-based attacks more difficult, since the offset is randomized on each system call and an attacker can no longer rely on a predictable kernel stack layout. The feature is off by default, though, because it costs roughly 1% in overhead, at least on x86_64.

These patches were queued on Thursday into the tip.git x86/entry branch and thus appear likely to be on the table for the Linux 5.13 merge window when it opens later this month. More benchmarks of the real-world performance cost will follow once the code has formally landed in the mainline kernel.