NetBSD supports Kernel ASLR on x86 64bit CPUs (amd64), starting from NetBSD 9.0.
Installation
Install the prekern:
# cp /usr/mdec/prekern /
Obtain a GENERIC_KASLR kernel. Such a kernel can be either downloaded from the NetBSD FTP server, for example on:
https://cdn.netbsd.org/pub/NetBSD/NetBSD-9.0_RC2/amd64/binary/kernel/netbsd-GENERIC_KASLR.gz
Or compiled from scratch, using:
# cd /usr/src # ./build.sh kernel=GENERIC_KASLR
Extract this KASLR kernel, and install it:
# cp /path/to/your/kaslr/kernel /netbsd_kaslr
Finally, add the following line in the /boot.cfg file:
Now the installation is complete.
Use
To use KASLR, just choose the "Boot KASLR" option in the menu at boot time. That's it! You are now using Kernel ASLR.
Technical Details
"Kernel ASLR" means randomizing the location of the kernel memory areas. By default, in GENERIC, all areas are already randomized except one: the Kernel Image.
The GENERIC_KASLR configuration provides randomization of this additional area.
Therefore, it should be understood that GENERIC actually provides 80% of KASLR, and GENERIC_KASLR covers the remaining 20%.
Table of what gets randomized:
| Memory Region | GENERIC | GENERIC_KASLR | Xen dom0/domU |
|---|---|---|---|
| Userland | Yes | Yes | Yes |
| PTE Area | Yes | Yes | No |
| Main Kernel Memory | Yes | Yes | Yes |
| Direct Map | Yes | Yes | [Not Applicable] |
| PCPU Area | [Not Applicable] | [Not Applicable] | [Not Applicable] |
| Kernel Image | No | Yes | No |
Technical Resources
- NetBSD.org: Kernel ASLR on amd64
- NetBSD.org: The strongest KASLR, ever?