Re: [RFC][PATCH] Randomize kernel base address on boot

From: H. Peter Anvin
Date: Fri May 27 2011 - 20:51:50 EST


On 05/27/2011 02:51 PM, Olivier Galibert wrote:
> On Fri, May 27, 2011 at 08:17:24PM +0200, Ingo Molnar wrote:
>> - A root exploit will still not give away the location of the
>> kernel (assuming module loading has been disabled after bootup),
>> so a rootkit cannot be installed 'silently' on the system, into
>> RAM only, evading most offline-storage-checking tools.
>>
>> With static linking this is not possible: reading the kernel image
>> as root trivially exposes the kernel's location.
>
> There's something I don't get there. If you managed to escalate your
> priviledges enough that you have physical ram access, there's a
> billion things you can do to find the kernel, including vector
> tracing, pattern matching, looking at the page tables, etc.
>
> What am I missing?
>

Just makes it harder to automate an attack, and more likely that it will
fail. It's an arms race, of course.

-hpa
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/