TODO.kaslr revision 1.5
====== POINTER LEAKS ======

[DONE] -- Change the permissions of /dev/ksyms, as discussed in:
   http://mail-index.netbsd.org/tech-kern/2018/01/17/msg022960.html

-- The address of a non-public section is leaked because of Meltdown,
   "jmp handler". This can easily be fixed by pushing the handlers into
   their own section.

-- Replace the "%p" fmt by something relative to the kernel section (if
   any). E.g., from
       printf("%p", &some_global_var); --> "0xffffffffe38010f0"
   to
       printf("%p", &some_global_var); --> ".data.4:0x8010f0"
   This eases debugging and also prevents leaks if a driver prints
   kernel addresses as debug (I've seen that already).

[DONE] -- PPPoE sends a kernel address as host unique. (What is this shit.)

-- Several entry points leak kernel addresses:
   [DONE] - "modstat -k"
   - "netstat -nat"
   - kern.proc
   - kern.proc2
   - kern.file
   - kern.file2
   - kern.lwp

-- Be careful with dmesg.

====== RANDOMIZATION ======

[DONE] -- Randomize the PTE space.

[DONE] -- Randomize the kernel main memory (VM_MIN_KERNEL_ADDRESS).

[DONE] -- Randomize the direct map.

-- Randomize the PCPU area.

====== GENERAL ======

-- Sort the kernel sections by size, from largest to smallest, to save
   memory.

-- Add the "pkboot" command in the EFI bootloader.
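The "%p" item under POINTER LEAKS describes printing a kernel address as "<section>:<offset>" so that a debug printf no longer reveals the randomized absolute address. The following is an added illustration of that scheme, written for this page; it is not NetBSD code. The section table (names and ranges) is constructed for the example, and the helper names ksect_lookup/fmt_kaddr are made up. One choice the note leaves open is what to do with an address that lies in no kernel section; the example refuses to print such an address in absolute form, since that is precisely the value a KASLR leak needs.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative section table. The names and ranges are constructed for
 * this example; they are not NetBSD's real kernel layout. In a kernel
 * this would be filled from the ELF section headers at boot, after the
 * randomized load addresses are known.
 */
struct ksect {
	const char *name;
	uint64_t start;	/* inclusive */
	uint64_t end;	/* exclusive */
};

static const struct ksect ksects[] = {
	{ ".text",   0xffffffff80200000ULL, 0xffffffff80a00000ULL },
	{ ".rodata", 0xffffffff80a00000ULL, 0xffffffff80c00000ULL },
	{ ".data.4", 0xffffffffe3000000ULL, 0xffffffffe4000000ULL },
};

/* Return the index of the section containing addr, or -1 if none. */
int
ksect_lookup(uint64_t addr)
{
	size_t i;

	for (i = 0; i < sizeof(ksects) / sizeof(ksects[0]); i++) {
		if (addr >= ksects[i].start && addr < ksects[i].end)
			return (int)i;
	}
	return -1;
}

/*
 * Format a kernel address as "<section>:0x<offset>" instead of an
 * absolute value. Returns the section index used, or -1 when the
 * address is in no known section; in that case only "<unknown>" is
 * written, so an absolute address never reaches the output.
 */
int
fmt_kaddr(char *buf, size_t len, uint64_t addr)
{
	int idx = ksect_lookup(addr);

	if (idx < 0) {
		snprintf(buf, len, "<unknown>");
		return -1;
	}
	snprintf(buf, len, "%s:0x%" PRIx64, ksects[idx].name,
	    addr - ksects[idx].start);
	return idx;
}

int
main(void)
{
	char buf[64];

	/* The address from the TODO note, under the constructed table. */
	fmt_kaddr(buf, sizeof(buf), 0xffffffffe38010f0ULL);
	printf("%s\n", buf);	/* prints ".data.4:0x8010f0" */
	return 0;
}
```

The offset alone is safe to print because it is the same on every boot: the randomization moves the section base, not the layout inside the section, so the string still identifies the variable for debugging while giving nothing to an attacker who is trying to recover the base.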