[ubuntu-hardened] KASLR: enabling on x86 with "kaslr" option via '/etc/default/grub' file.

Seth Arnold seth.arnold at canonical.com
Tue Aug 1 22:44:38 UTC 2017


On Sun, Jul 30, 2017 at 11:48:50AM +0200, daniel curtis wrote:
> Wow, thank You very much for an amazing answer. You are a very smart person.
> Thanks to You, I've learned so many things about AppArmor, security etc. I
> really appreciate it. Once again: thank You!

Aww, thanks Daniel :D Very kind of you to say so. It's always a pleasure.

> So, are You trying to say, that enabling "kaslr" does not improve system
> security? After adding the "kaslr" option to the '/etc/default/grub' file and
> generating a grub2 config file via the update-grub(8) command, two values
> "commit_creds" and "prepare_kernel" (from the '/proc/kallsyms' file) were
> randomized each time the system started.
> 
> However, without "kaslr", both values are the same - after every system
> start. Additionally, I've also used - recommended by Developers -
> 'kptr_restrict' and 'dmesg_restrict'. So maybe it is not so bad on x86
> architecture? These values can be checked with this command:
> 
> [~]# cat /proc/kallsyms | grep ' commit_creds\| prepare_kernel'
> ffffffdc08e960  T commit_creds
> ffffffdc08ed30  T prepare_kernel_cred
> 
> In this case, "kaslr" is in use. That's just an example. As I already
> mentioned: without KASLR, both values have the same value. By the way;

So, the thing is, the two numbers here will change from boot to boot but
they will almost certainly be the same distance apart every single boot
regardless of their actual values. (Did I get it right? :)

I believe using kaslr is more secure than not using kaslr. But it's not magic.

> running mentioned command, as a normal user (not root or via sudo(8)) shows
> '00000000' in both cases. But that's just not important information.

Right, this is to keep unprivileged users from learning information about
the kernel that might help automated exploits.

> >> ASLR for applications is far more useful than ASLR for a
> >> kernel because (...)
> 
> I think, that You've made a little mistake here; You have used ASLR twice,
> which makes no sense to me. Can you write, which - KASLR or ASLR, is far
> more useful for applications than [WHAT] for a kernel? :- )

I debated about writing "ASLR for applications" and "KASLR" but wanted to
draw the distinction that it's ASLR for both, but ASLR for applications is
more useful than ASLR for kernels. :)

> So, according to all these things about KASLR (and especially "(...)
> increase the chances that an information leak will allow bypassing the
> minimal gains in security due to KASLR." etc.), I want to ask: can I
> use "kaslr" with regards to everything that You wrote about this?

Yes, by all means, use it, but just be aware that it's not magic. It's
just useful. :)

Thanks
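
The point made in this reply, that the two addresses move from boot to boot but stay the same distance apart, and that unprivileged reads show zeros, can be checked with a short script. This is an added example, not part of the original message; the kallsyms lines are constructed samples and the function names are hypothetical.

```python
import re

# Constructed samples in /proc/kallsyms format (not real captures).
BOOT_A = """\
ffffffff9a0a1e60 T commit_creds
ffffffff9a0a2230 T prepare_kernel_cred
"""
BOOT_B = """\
ffffffff8f2a1e60 T commit_creds
ffffffff8f2a2230 T prepare_kernel_cred
"""
# What an unprivileged reader sees when the kernel hides addresses.
RESTRICTED = """\
0000000000000000 T commit_creds
0000000000000000 T prepare_kernel_cred
"""

LINE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)")

def parse_kallsyms(text, wanted):
    """Return {symbol: address} for the wanted symbol names."""
    found = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(3) in wanted:
            found[m.group(3)] = int(m.group(1), 16)
    return found

def compare_boots(text_a, text_b, sym1="commit_creds", sym2="prepare_kernel_cred"):
    """Report whether addresses are hidden, randomized, and equally spaced."""
    a = parse_kallsyms(text_a, {sym1, sym2})
    b = parse_kallsyms(text_b, {sym1, sym2})
    if len(a) != 2 or len(b) != 2:
        raise ValueError("a symbol is missing from one of the inputs")
    if not any(a.values()) or not any(b.values()):
        return {"hidden": True}  # all zeros: addresses withheld from this reader
    return {
        "hidden": False,
        "randomized": a[sym1] != b[sym1],  # did the base move between boots?
        "slide": a[sym1] - b[sym1],        # how far the whole image moved
        "distance_a": a[sym2] - a[sym1],   # spacing inside boot A
        "distance_b": b[sym2] - b[sym1],   # spacing inside boot B
    }

if __name__ == "__main__":
    print(compare_boots(BOOT_A, BOOT_B))
    print(compare_boots(RESTRICTED, RESTRICTED))
```

Equal `distance_a` and `distance_b` alongside a non-zero `slide` is the behaviour described above: the image moves as a whole, which is why hiding addresses from unprivileged users matters.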