[BACK]Return to kaslr.mdwn CVS log [TXT] [DIR] Up to [NetBSD Developer Wiki] / wikisrc / security

Diff for /wikisrc/security/kaslr.mdwn between versions 1.1 and 1.5

version 1.1, 2018/08/02 17:24:41 version 1.5, 2020/02/14 06:37:24
Line 16  Obtain a GENERIC_KASLR kernel. Such a ke Line 16  Obtain a GENERIC_KASLR kernel. Such a ke
 the NetBSD FTP server, for example on:  the NetBSD FTP server, for example on:
   
 [[!template id=programlisting text="""  [[!template id=programlisting text="""
 http://nycdn.netbsd.org/pub/NetBSD-daily/HEAD/201808020450Z/amd64/binary/kernel/netbsd-GENERIC_KASLR.gz  https://cdn.netbsd.org/pub/NetBSD/NetBSD-9.0_RC2/amd64/binary/kernel/netbsd-GENERIC_KASLR.gz
 """]]  """]]
   
 Or compiled from scratch, using:  Or compiled from scratch, using:
Line 26  Or compiled from scratch, using: Line 26  Or compiled from scratch, using:
 # ./build.sh kernel=GENERIC_KASLR  # ./build.sh kernel=GENERIC_KASLR
 """]]  """]]
   
 Install this KASLR kernel:  Extract this KASLR kernel, and install it:
   
 [[!template id=programlisting text="""  [[!template id=programlisting text="""
 # cp /path/to/your/kernel /netbsd_kaslr  # cp /path/to/your/kaslr/kernel /netbsd_kaslr
 """]]  """]]
   
 Finally, add the following line in the `/boot.cfg` file:  Finally, add the following line in the `/boot.cfg` file:
Line 44  Use Line 44  Use
 ---  ---
   
 To use KASLR, just choose the "Boot KASLR" option in the menu at boot  To use KASLR, just choose the "Boot KASLR" option in the menu at boot
 time. That's it!  time. That's it! You are now using Kernel ASLR.
   
   Technical Details
   -----------------
   
   "Kernel ASLR" means randomizing the location of the kernel memory areas.
   By default, in GENERIC, all areas are already randomized except one: the
   Kernel Image.
   
   The GENERIC_KASLR configuration provides randomization of this additional
   area.
   
   Therefore, it should be understood that GENERIC actually provides 80% of
   KASLR, and GENERIC_KASLR covers the remaining 20%.
   
   Table of what gets randomized:
   
   [[!table data="""
   Memory Region           |GENERIC                |GENERIC_KASLR          |Xen dom0/domU
   Userland                |Yes                    |Yes                    |Yes
   PTE Area                |Yes                    |Yes                    |No
   Main Kernel Memory      |Yes                    |Yes                    |Yes
   Direct Map              |Yes                    |Yes                    |[Not Applicable]
   PCPU Area               |[Not Applicable]       |[Not Applicable]       |[Not Applicable]
   Kernel Image            |No                     |Yes                    |No
   """]]
   
 Technical Resources  Technical Resources
 -------------------  -------------------
   
 * NetBSD.org: [Kernel ASLR on amd64](http://blog.netbsd.org/tnf/entry/kernel_aslr_on_amd64)  * NetBSD.org: [Kernel ASLR on amd64](https://blog.netbsd.org/tnf/entry/kernel_aslr_on_amd64)
 * NetBSD.org: [The strongest KASLR, ever?](http://blog.netbsd.org/tnf/entry/the_strongest_kaslr_ever)  * NetBSD.org: [The strongest KASLR, ever?](https://blog.netbsd.org/tnf/entry/the_strongest_kaslr_ever)
   
Removed from v.1.1  
changed lines
  Added in v.1.5

CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb