On this page
Kernel Hardening
Coverage: KASLR → stack protector → KPTI → KASAN/KMSAN/UBSAN → FORTIFY_SOURCE → lockdown → seccomp → SLAB_FREELIST_RANDOM → init_on_free Kernel versions: 2.6 ~ 6.x
Address Space Layout Randomization: KASLR
Randomize the base address of kernel code/data/modules at boot:
→ ROP/JOP attacks require knowing gadget addresses → without base address → harder
Implementation: arch/x86/boot/compressed/kaslr.c
Select random base address during bootloader stage → decompress relocated kernel
kptr_restrict: Restricts /proc/kallsyms from leaking kernel addresses
/proc/sys/kernel/kptr_restrict = 2 → non-root users see all zeros
Stack Protector
// CONFIG_STACKPROTECTOR: Compiler inserts a canary into the stack frame of each function
// gcc: -fstack-protector-strong
// → Protects: Functions containing local arrays or taking addresses of local variables
// If canary is overwritten → stack overflow → __stack_chk_fail() → panic
// kernel/stackleak.c (optional): More thorough stack clearing
// Erase used stack space before returning from each syscall
// → Prevents stack information leakage (e.g., uninitialized local variables)
KPTI: Meltdown Defense
2018 Meltdown Vulnerability:
CPU does not check page table U/S bit during speculative execution → user space reads kernel memory
KPTI (Kernel Page Table Isolation):
Each process has two page tables:
Kernel mode: Full mapping (user + kernel)
User mode: Minimal (user + trampoline)
→ Speculative access to kernel memory is impossible in user mode
Performance cost: ~5%~30% (syscall-intensive), partially mitigated by PCID
Modern CPUs (Cascade Lake+, Zen2+): Hardware fix, KPTI automatically disabled
Sanitizers: Runtime Error Detection
// KASAN (Kernel Address Sanitizer):
// Detects: out-of-bounds, use-after-free, double-free
// Based on shadow memory (compile-time instrumentation)
// Overhead: ~1.5-2x slower, debug kernel only
// KMSAN (Kernel Memory Sanitizer):
// Detects: Use of uninitialized memory
// Heavier than KASAN (~3x), development use only
// UBSAN (Undefined Behavior Sanitizer):
// Detects: Integer overflow, shift out-of-bounds, null pointer dereference
// Low overhead, can be enabled in production (CONFIG_UBSAN_BOUNDS)
FORTIFY_SOURCE
// Replaces memcpy/strcpy/sprintf at compile time:
// If boundary information is available → generates checked calls
// Compile-time known out-of-bounds → compilation fails
// Runtime out-of-bounds → BUG() (does not return an error)
//
// Similar to user-space FORTIFY_SOURCE, but covers more functions
Kernel Lockdown
After UEFI Secure Boot is enabled:
→ Kernel lockdown automatically activates (integrity mode)
→ Prohibits:
- /dev/mem, /dev/kmem (memory read/write)
- ioport access
- kexec (loading unsigned kernels)
- BPF writing to kernel memory
- ACPI table override
/proc/sys/kernel/lockdown:
none / integrity / confidentiality
seccomp
// prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)
// Restricts the syscalls a process can call (irreversible)
// BPF Filter:
// Checks syscall number + arguments → ALLOW / DENY / KILL / TRAP
// Used by Chromium, Docker, systemd
// SECCOMP_RET_USER_NOTIF (5.0+):
// Decision not made in kernel → notifies user-space supervisor process
// E.g., Container manager approves/rejects certain syscalls
Other Hardening Options
# Zero on release:
CONFIG_INIT_ON_FREE_DEFAULT_ON=y # Freed slab objects → zeroed (prevents UAF info leak)
# Slab freelist randomization:
CONFIG_SLAB_FREELIST_RANDOM=y # Randomize slab freelist pointer order (prevents heap exploits)
# Hardened user memory copy:
CONFIG_HARDENED_USERCOPY=y # Validates usercopy source/destination are within valid heap/slab regions
# Stack randomization (already present, per-process):
References
- Source Code:
security/lockdown/,kernel/seccomp.c,mm/kasan/,lib/ubsan.c - Kernel Documentation:
Documentation/admin-guide/kernel-parameters.txt - LWN: "Kernel address space layout randomization", "The kernel lockdown patches"
Keywords: KASLR, stack protector, KPTI, KASAN, FORTIFY_SOURCE, lockdown, seccomp, init_on_free