NetBSD supports Kernel ASLR on x86 64bit CPUs (amd64), starting from NetBSD 9.0.

Installation

Install the prekern:

# cp /usr/mdec/prekern /

Obtain a GENERIC_KASLR kernel. Such a kernel can be either downloaded from the NetBSD FTP server, for example on:

http://nycdn.netbsd.org/pub/NetBSD-daily/HEAD/201808020450Z/amd64/binary/kernel/netbsd-GENERIC_KASLR.gz

Or compiled from scratch, using:

# cd /usr/src
# ./build.sh kernel=GENERIC_KASLR

Install this KASLR kernel:

# cp /path/to/your/kernel /netbsd_kaslr

Finally, add the following line in the /boot.cfg file:

/boot.cfg

menu=Boot KASLR:rndseed /var/db/entropy-file;pkboot netbsd_kaslr

Now the installation is complete.

Use

To use KASLR, just choose the "Boot KASLR" option in the menu at boot time. That's it!

Technical Details

Kernel ASLR is applied by default in GENERIC on as many VM areas as possible. GENERIC_KASLR offers randomization of one more area: the Kernel Image.

Table of what gets randomized:

Memory Region GENERIC GENERIC_KASLR Xen dom0/domU
Userland Yes Yes Yes
PTE Area Yes Yes No
Main Kernel Memory Yes Yes Yes
Direct Map Yes Yes [Not Applicable]
PCPU Area [Not Applicable] [Not Applicable] [Not Applicable]
Kernel Image No Yes No

Technical Resources

Add a comment