NetBSD supports Kernel ASLR on 64-bit x86 CPUs (amd64), starting from NetBSD 9.0.

Installation

Install the prekern:

# cp /usr/mdec/prekern /

Obtain a GENERIC_KASLR kernel. Such a kernel can either be downloaded from the NetBSD FTP server, for example from:

https://cdn.netbsd.org/pub/NetBSD/NetBSD-9.0_RC2/amd64/binary/kernel/netbsd-GENERIC_KASLR.gz

Or compiled from scratch, using:

# cd /usr/src
# ./build.sh kernel=GENERIC_KASLR

Extract this KASLR kernel, and install it:

# cp /path/to/your/kaslr/kernel /netbsd_kaslr

Finally, add the following line to the /boot.cfg file:

menu=Boot KASLR:rndseed /var/db/entropy-file;pkboot netbsd_kaslr

Now the installation is complete.
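
The following script is an added example, not part of the original page or of NetBSD. It checks the result of the steps above before rebooting: that the prekern is in place, that a boot.cfg menu entry uses pkboot, and that the kernel it names exists and was extracted rather than left gzip-compressed. The function names check_kaslr_setup and pkboot_kernels are hypothetical, and the script assumes the kernel named after pkboot is a path relative to the root directory given as the argument.

```sh
#!/bin/sh
# Added example: sanity-check a prekern/KASLR install under a root directory.
# check_kaslr_setup and pkboot_kernels are hypothetical helpers, not NetBSD tools.

# Print the kernel named by each "pkboot" command in a boot.cfg file.
pkboot_kernels() {
    # Keep menu= lines, drop "menu=<label>:", split the commands on ';'.
    grep '^menu=' "$1" | sed 's/^menu=[^:]*://' | tr ';' '\n' |
        sed -n 's/^[[:space:]]*pkboot[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p'
}

check_kaslr_setup() {
    root=${1:-}            # empty means the live root filesystem
    status=0
    if [ ! -s "$root/prekern" ]; then
        echo "FAIL: $root/prekern missing or empty"; status=1
    fi
    if [ ! -f "$root/boot.cfg" ]; then
        echo "FAIL: $root/boot.cfg missing"; return 1
    fi
    kernels=$(pkboot_kernels "$root/boot.cfg")
    if [ -z "$kernels" ]; then
        echo "FAIL: no menu entry in boot.cfg uses pkboot"; return 1
    fi
    for k in $kernels; do
        path="$root/${k#/}"
        if [ ! -s "$path" ]; then
            echo "FAIL: pkboot kernel $path missing or empty"; status=1
        elif [ "$(od -An -tx1 -N2 "$path" | tr -d ' \n')" = "1f8b" ]; then
            # The install steps say to extract the .gz before copying it.
            echo "FAIL: $path is still gzip-compressed"; status=1
        else
            echo "OK: pkboot kernel $path"
        fi
    done
    # The page's entry runs rndseed before pkboot; flag a file where none does.
    if ! grep '^menu=.*pkboot' "$root/boot.cfg" | grep -q 'rndseed'; then
        echo "WARN: pkboot entry without rndseed"
    fi
    return $status
}
```

Run it as root with an empty argument to check the live system, or pass a mounted target directory.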

Use

To use KASLR, just choose the "Boot KASLR" option in the menu at boot time. That's it! You are now using Kernel ASLR.

Technical Details

"Kernel ASLR" means randomizing the location of the kernel memory areas. By default, in GENERIC, all areas are already randomized except one: the Kernel Image.

The GENERIC_KASLR configuration provides randomization of this additional area.

Therefore, it should be understood that GENERIC actually provides 80% of KASLR, and GENERIC_KASLR covers the remaining 20%.

Table of what gets randomized:

Memory Region        GENERIC            GENERIC_KASLR      Xen dom0/domU
Userland             Yes                Yes                Yes
PTE Area             Yes                Yes                No
Main Kernel Memory   Yes                Yes                Yes
Direct Map           Yes                Yes                [Not Applicable]
PCPU Area            [Not Applicable]   [Not Applicable]   [Not Applicable]
Kernel Image         No                 Yes                No

Technical Resources
