Linux - KASLR
KASLR stands for Kernel Address Space Layout Randomization.
It is a security feature in the Linux kernel that randomizes the memory address where the kernel code is loaded at boot time.
If you think of the computer's memory as a giant map, KASLR ensures that the "Kernel City" is built in a different, random location every time you restart the computer.
The Problem: Static Memory Layout
Before KASLR existed, the Linux kernel was always loaded at the exact same memory address (e.g., 0xffffffff81000000).
Why was this bad?
If a hacker found a vulnerability (like a buffer overflow) in a driver, they knew exactly where the "useful" kernel functions were located. For example, they knew that the function to give a process root privileges (commit_creds) was always at a specific, fixed address.
This allowed attackers to use a technique called ROP (Return-Oriented Programming). They didn't need to "inject" code; they just jumped to addresses that they knew already contained the instructions they wanted.
The Solution: KASLR
With KASLR enabled, the kernel "shuffles" its location during the boot process.
- Random Offset: The bootloader picks a random "offset" (a random number).
- The Shift: The kernel code is shifted by that offset in memory.
- The Result: On Boot A, a function might be at 0xA000. On Boot B, that same function might be at 0xC500.
The result for an attacker: If they try to jump to a hardcoded memory address, the kernel isn't there. Instead of the exploit working, the kernel simply hits an invalid address and crashes (Kernel Panic). A crash is much better than a successful hack.
The Two Levels of KASLR
KASLR actually randomizes two different things:
- Physical KASLR: Randomizes where the kernel is physically stored in the RAM chips.
- Virtual KASLR: Randomizes where the kernel "appears" to be in the virtual address space (the map that the CPU uses to talk to memory).
Virtual KASLR is the more important one for stopping software exploits.
Connection to /proc/kallsyms
You may see /proc/kallsyms showing every address as zero. These two things are directly connected:
- KASLR hides the kernel.
- kptr_restrict protects the secret.
If a regular user could see the real addresses in /proc/kallsyms, they would see the "randomized" addresses. Subtracting the known static address of the same symbol would then give them the secret (Randomized Address - Original Static Address = The Secret Offset). Once the attacker knows the offset, KASLR is defeated.
This is why modern Linux (via the kptr_restrict setting) zeros out addresses for non-root users: to prevent "Information Leaks" that would bypass KASLR.
Can KASLR be defeated?
Yes. KASLR is not a "silver bullet"; it is a "speed bump." Attackers bypass it using Information Leaks:
- If a bug in the kernel allows an attacker to read just one pointer from memory, they can work backward to figure out where the rest of the kernel is.
- Side-channel attacks (like Meltdown/Spectre) can sometimes "guess" where memory is mapped by measuring how fast the CPU responds.
How to check if KASLR is active
You can check your kernel boot parameters to see if KASLR is enabled (it is on by default in almost all modern distros):
cat /proc/cmdline
If you see kaslr in the output, it is on. If you see nokaslr, it has been disabled. If neither word appears, the kernel's built-in default applies: on current kernels that means KASLR is on whenever the kernel was built with CONFIG_RANDOMIZE_BASE, which you can confirm in the kernel config (for example /boot/config-$(uname -r) on many distros).
Is there a single offset?
No, not anymore.
While early versions of KASLR used a single "base offset" for the entire kernel, modern Linux uses multiple independent offsets for different regions of kernel memory.
If there were only one single offset for everything, a hacker who discovered the address of a single driver (module) could easily calculate the location of the entire kernel core. By using multiple offsets, the kernel ensures that leaking one secret doesn't reveal all the others.
1. The Kernel Text Base (The Core)
This is the "main" KASLR offset. It randomizes where the core kernel code (compiled into the vmlinuz file) is loaded.
- What moves: All the built-in functions like printk, the scheduler, and the system call handlers.
- The Offset: Everything inside the core kernel moves together. If you find one function in the core, you know where all core functions are.
2. Module Mapping Space
When you load a driver (like an Nvidia driver or a WiFi driver), it is placed in the Module Space.
- The Offset: The starting point of the module region is randomized independently of the kernel core.
- Benefit: Knowing the address of a loaded module doesn't tell the attacker exactly where the main kernel code is.
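As an added example (not code from the original page), the following Python takes constructed kallsyms-style lines and a constructed System.map excerpt, computes the offset described in the /proc/kallsyms section above, and shows that the zeroed view kptr_restrict gives unprivileged users yields nothing. It also illustrates sections 1 and 2: core symbols must agree on one offset, while a module symbol is kept out of that calculation because the module region is randomized separately. All symbol names and addresses are invented for the example.

```python
"""Added example, not from the original page: derive the KASLR core offset from
kallsyms-style lines, and show kptr_restrict's zeroed output yields nothing."""
import re

# Constructed link-time addresses (what a System.map would list), anchored at
# the unrandomized base 0xffffffff81000000 quoted above. Values are invented.
STATIC_MAP = {
    "_text": 0xFFFFFFFF81000000,
    "commit_creds": 0xFFFFFFFF810B3A20,
    "printk": 0xFFFFFFFF811A5F40,
}

# Constructed runtime view as root sees /proc/kallsyms: the three core symbols
# shifted by one common offset, plus a module symbol in the separately
# randomized module region (kallsyms tags those with [module_name]).
KALLSYMS_ROOT = """\
ffffffff9b200000 T _text
ffffffff9b2b3a20 T commit_creds
ffffffff9b3a5f40 T printk
ffffffffc0a1c000 t example_mod_init\t[example_mod]
"""
# The same lines as an unprivileged user sees them with kptr_restrict=1.
KALLSYMS_UNPRIV = re.sub(r"^[0-9a-f]{16}", "0" * 16, KALLSYMS_ROOT, flags=re.M)

LINE_RE = re.compile(r"^([0-9a-f]+) (\S) (\S+)(?:\s+\[(\S+)\])?$")

def parse_kallsyms(text):
    """Map symbol name -> (address, module name or None) for each line."""
    syms = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            syms[m.group(3)] = (int(m.group(1), 16), m.group(4))
    return syms

def core_offset(syms):
    """Return the core text offset if the symbol view leaks it, else None.

    Core symbols move as one block, so they must all agree on the same
    offset. Module symbols live in an independently randomized region and are
    skipped; zeroed addresses (kptr_restrict) carry no information.
    """
    offsets = set()
    for name, static_addr in STATIC_MAP.items():
        addr, module = syms.get(name, (0, None))
        if addr == 0 or module is not None:
            continue
        offsets.add(addr - static_addr)
    return offsets.pop() if len(offsets) == 1 else None
```

Running core_offset on the root view returns the single shared slide; on the kptr_restrict view it returns None, which is exactly the property the sysctl exists to provide.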
3. The Direct Map (Physical Memory)
Linux maps the entire physical RAM of your computer into a specific virtual address range called the "Direct Map."
- The Offset: In modern kernels (since roughly 2017), the location of this entire mapping is randomized.
- Benefit: This prevents "Physmap" attacks where hackers try to overwrite data directly in RAM by guessing its virtual location.
4. VMALLOC and VMEMMAP Regions
These are areas used for dynamic memory allocations (like vmalloc) and for tracking memory pages.
- The Offset: These regions are also shifted by their own random values.
5. Finer-Grained KASLR (The Future)
Standard KASLR still keeps the "internal" order of the kernel the same. For example, if Function A is 100 bytes before Function B in the source code, they will still be 100 bytes apart in memory, even if the whole block moved.
There is a newer technology called FG-KASLR (Function Granular KASLR) (currently being developed/refined):
- Instead of moving the whole kernel "block," it shuffles the functions themselves.
- In this scenario, there isn't just one or five offsets; every single function could potentially have a randomized relationship to its neighbors.
Why multiple offsets?
Think of KASLR as a high-security office building:
- Single Offset: If the hacker finds the key to the front door, they have the map for every room in the building.
- Multiple Offsets (Modern Linux): Finding the key to the loading dock (Modules) doesn't give you the key to the manager's office (Kernel Core), and finding the manager's office doesn't show you where the vault (Direct Map/RAM) is.
By having multiple "islands" of randomization, the kernel forces an attacker to find multiple different vulnerabilities (Information Leaks) to fully compromise the system.