Wednesday, August 28, 2019

Why Linux Kernel KASLR is not very effective

Recently, with more time on hand, I have been reading about security in the Linux kernel. A common way of attacking a program is to use a buffer overflow to mount a return-oriented programming (ROP) attack. ROP overwrites saved return addresses on the stack so that, instead of returning to its caller, the function "returns" into short instruction sequences that already exist in the program or its libraries (gadgets, each ending in a return); chaining such gadgets performs the desired functionality without injecting any code, which is why non-executable stacks alone do not stop it.

One mitigation that makes these attacks harder is to randomize the addresses at which the stack, heap, shared libraries and executable are loaded, so that an attacker cannot know in advance where the gadgets (or the stack itself) live. In the kernel this takes the form of KASLR, which randomizes the base address at which the kernel image is mapped at boot time. You can read more about this under address space layout randomization on Wikipedia.

The crux of this post, as to why kernel address space layout randomization (KASLR) does not work too well, is that:
  1. The kernel base can only move within a small window and with coarse alignment. On x86-64 the original implementation picked a 2 MiB-aligned base within a range of about 1 GiB, which is only 512 candidates (about 9 bits of entropy), far less than user-space ASLR gets; on the embedded systems where Linux commonly runs, the address space is smaller still and there is even less leeway for randomizing the location of the kernel.
  2. Once the kernel is running, it cannot relocate itself; the offset chosen at boot stays fixed. Hence a single leak of any kernel address (a pointer printed into dmesg, a readable /proc/kallsyms, a timing side channel) breaks KASLR for the entire uptime, and it stays broken until the system is rebooted.
You can read more about exploits against KASLR on the LWN website too.
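Both points can be checked on a running machine. The program below is an added example and not code from the original post: it parses /proc/kallsyms, locates the `_text` symbol and reports how far the kernel text has been slid from the default x86-64 base of 0xffffffff81000000 (that default and the 2 MiB alignment are assumptions about a typical x86-64 build). Running it twice without rebooting prints the same slide, and the slide is always a multiple of 2 MiB, which is exactly why one leaked address is enough. The sample kallsyms lines embedded in the file are constructed for illustration so the parser can be exercised offline.

```c
/* kaslr_slide.c - added example: measure the KASLR slide from /proc/kallsyms. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Assumed: default (unrandomized) x86-64 kernel text base and the 2 MiB
 * alignment of the randomized base. With a 1 GiB range that is only
 * 512 candidate bases, i.e. about 9 bits of entropy. */
#define DEFAULT_TEXT_BASE 0xffffffff81000000ULL
#define KASLR_ALIGN       0x200000ULL

enum slide_result { SLIDE_NOT_FOUND = 0, SLIDE_OK = 1, SLIDE_HIDDEN = 2 };

/* Constructed sample input: a randomized kernel (slide 0x1c000000) and
 * one where kptr_restrict has zeroed the addresses for non-root readers. */
static const char SAMPLE_KALLSYMS[] =
    "ffffffff9d000000 T _text\n"
    "ffffffff9d000000 T startup_64\n"
    "ffffffff9d000040 T secondary_startup_64\n"
    "ffffffff9e2e1c20 D linux_banner\n";
static const char SAMPLE_HIDDEN[] =
    "0000000000000000 T _text\n"
    "0000000000000000 T startup_64\n";

/* Parse one "address type name [module]" line; return 1 if it is `wanted`. */
static int parse_kallsyms_line(const char *line, const char *wanted, uint64_t *addr)
{
    unsigned long long a;
    char type, name[256];

    if (sscanf(line, "%llx %c %255s", &a, &type, name) != 3)
        return 0;
    if (strcmp(name, wanted) != 0)
        return 0;
    *addr = (uint64_t)a;
    return 1;
}

/* Walk a kallsyms dump and compute the slide of _text from the default base. */
static enum slide_result kaslr_slide(const char *kallsyms, long long *slide)
{
    const char *p = kallsyms;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        uint64_t addr;

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_kallsyms_line(line, "_text", &addr)) {
            if (addr == 0)           /* kptr_restrict: addresses hidden */
                return SLIDE_HIDDEN;
            *slide = (long long)(addr - DEFAULT_TEXT_BASE);
            return SLIDE_OK;
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return SLIDE_NOT_FOUND;
}

static int slide_is_aligned(long long slide)
{
    return slide % (long long)KASLR_ALIGN == 0;
}

/* Read a whole file; procfs reports size 0, so grow the buffer as we go. */
static char *read_whole_file(const char *path)
{
    FILE *f = fopen(path, "r");
    size_t cap = 1 << 16, len = 0;
    char *buf, *nb;

    if (!f)
        return NULL;
    if (!(buf = malloc(cap))) { fclose(f); return NULL; }
    for (;;) {
        size_t n = fread(buf + len, 1, cap - len - 1, f);
        len += n;
        if (n == 0)
            break;
        if (len + 1 >= cap) {
            cap *= 2;
            if (!(nb = realloc(buf, cap))) { free(buf); fclose(f); return NULL; }
            buf = nb;
        }
    }
    buf[len] = '\0';
    fclose(f);
    return buf;
}

int main(void)
{
    char *ks = read_whole_file("/proc/kallsyms");
    long long slide;

    if (!ks) { perror("/proc/kallsyms"); return 1; }
    switch (kaslr_slide(ks, &slide)) {
    case SLIDE_OK:
        printf("kernel text slide: 0x%llx (%s 2 MiB aligned); it only changes on reboot\n",
               (unsigned long long)slide, slide_is_aligned(slide) ? "is" : "is NOT");
        break;
    case SLIDE_HIDDEN:
        puts("_text reads as 0: kptr_restrict hides addresses, run as root");
        break;
    default:
        puts("_text not found (not an x86-64 kallsyms?)");
    }
    free(ks);
    return 0;
}
```

If the program reports zeroed addresses, that is kptr_restrict doing its job for unprivileged users; as root, or on distributions that set it to 0, the slide is readable directly, which is the cheapest of the leaks mentioned above.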