On this page

Kernel Hardening

Coverage: KASLR → stack protector → KPTI → KASAN/KMSAN/UBSAN → FORTIFY_SOURCE → lockdown → seccomp → SLAB_FREELIST_RANDOM → init_on_free Kernel versions: 2.6 ~ 6.x

Address Space Layout Randomization: KASLR

Randomize the base address of kernel code/data/modules at boot:
  → ROP/JOP attacks require knowing gadget addresses → without base address → harder

Implementation: arch/x86/boot/compressed/kaslr.c
  Select random base address during bootloader stage → decompress relocated kernel

kptr_restrict: Restricts /proc/kallsyms from leaking kernel addresses
  /proc/sys/kernel/kptr_restrict = 2 → non-root users see all zeros

Stack Protector

// CONFIG_STACKPROTECTOR: Compiler inserts a canary into the stack frame of each function
// gcc: -fstack-protector-strong
//   → Protects: Functions containing local arrays or taking addresses of local variables
//   If canary is overwritten → stack overflow → __stack_chk_fail() → panic

// kernel/stackleak.c (optional): More thorough stack clearing
//   Erase used stack space before returning from each syscall
//   → Prevents stack information leakage (e.g., uninitialized local variables)

KPTI: Meltdown Defense

2018 Meltdown Vulnerability:
  CPU does not check page table U/S bit during speculative execution → user space reads kernel memory

KPTI (Kernel Page Table Isolation):
  Each process has two page tables:
    Kernel mode: Full mapping (user + kernel)
    User mode: Minimal (user + trampoline)
  → Speculative access to kernel memory is impossible in user mode

Performance cost: ~5%~30% (syscall-intensive), partially mitigated by PCID
Modern CPUs (Cascade Lake+, Zen2+): Hardware fix, KPTI automatically disabled

Sanitizers: Runtime Error Detection

// KASAN (Kernel Address Sanitizer):
//   Detects: out-of-bounds, use-after-free, double-free
//   Based on shadow memory (compile-time instrumentation)
//   Overhead: ~1.5-2x slower, debug kernel only

// KMSAN (Kernel Memory Sanitizer):
//   Detects: Use of uninitialized memory
//   Heavier than KASAN (~3x), development use only

// UBSAN (Undefined Behavior Sanitizer):
//   Detects: Integer overflow, shift out-of-bounds, null pointer dereference
//   Low overhead, can be enabled in production (CONFIG_UBSAN_BOUNDS)

FORTIFY_SOURCE

// Replaces memcpy/strcpy/sprintf at compile time:
//   If boundary information is available → generates checked calls
//   Compile-time known out-of-bounds → compilation fails
//   Runtime out-of-bounds → BUG() (does not return an error)
//
// Similar to user-space FORTIFY_SOURCE, but covers more functions

Kernel Lockdown

After UEFI Secure Boot is enabled:
  → Kernel lockdown automatically activates (integrity mode)
  → Prohibits:
    - /dev/mem, /dev/kmem (memory read/write)
    - ioport access
    - kexec (loading unsigned kernels)
    - BPF writing to kernel memory
    - ACPI table override

/proc/sys/kernel/lockdown:
 none / integrity / confidentiality

seccomp

// prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)
// Restricts the syscalls a process can call (irreversible)

// BPF Filter:
//   Checks syscall number + arguments → ALLOW / DENY / KILL / TRAP
//   Used by Chromium, Docker, systemd

// SECCOMP_RET_USER_NOTIF (5.0+):
//   Decision not made in kernel → notifies user-space supervisor process
//   E.g., Container manager approves/rejects certain syscalls

Other Hardening Options

# Zero on release:
CONFIG_INIT_ON_FREE_DEFAULT_ON=y    # Freed slab objects → zeroed (prevents UAF info leak)

# Slab freelist randomization:
CONFIG_SLAB_FREELIST_RANDOM=y      # Randomize slab freelist pointer order (prevents heap exploits)

# Hardened user memory copy:
CONFIG_HARDENED_USERCOPY=y         # Validates usercopy source/destination are within valid heap/slab regions

# Stack randomization (already present, per-process):
/proc/sys/kernel/randomize_va_space = 2  # ASLR fully enabled

References

  • Source Code: security/lockdown/, kernel/seccomp.c, mm/kasan/, lib/ubsan.c
  • Kernel Documentation: Documentation/admin-guide/kernel-parameters.txt
  • LWN: "Kernel address space layout randomization", "The kernel lockdown patches"

Keywords: KASLR, stack protector, KPTI, KASAN, FORTIFY_SOURCE, lockdown, seccomp, init_on_free