Re: [RFC][PATCH] Randomize kernel base address on boot

[H. Peter Anvin]

On 05/27/2011 02:51 PM, Olivier Galibert wrote:
> On Fri, May 27, 2011 at 08:17:24PM +0200, Ingo Molnar wrote:
>>  - A root exploit will still not give away the location of the
>>    kernel (assuming module loading has been disabled after bootup),
>>    so a rootkit cannot be installed 'silently' on the system, into
>>    RAM only, evading most offline-storage-checking tools.
>>
>>    With static linking this is not possible: reading the kernel image
>>    as root trivially exposes the kernel's location.
> 
> There's something I don't get there.  If you managed to escalate your
> priviledges enough that you have physical ram access, there's a
> billion things you can do to find the kernel, including vector
> tracing, pattern matching, looking at the page tables, etc.
> 
> What am I missing?
> 

Just makes it harder to automate an attack, and more likely that it will
fail.  It's an arms race, of course.

	-hpa
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/