TODO.kaslr revision 1.7
11.1Smaxv====== POINTER LEAKS ====== 21.1Smaxv 31.2Smaxv[DONE] -- Change the permissions of /dev/ksyms, as discussed in: 41.2Smaxv http://mail-index.netbsd.org/tech-kern/2018/01/17/msg022960.html 51.1Smaxv 61.1Smaxv-- The address of a non-public section is leaked because of Meltdown, 71.1Smaxv "jmp handler". This can easily be fixed by pushing the handlers into 81.1Smaxv their own section. 91.1Smaxv 101.1Smaxv-- Replace the "%p" fmt by something relative to the kernel section (if 111.1Smaxv any). Eg, from 121.1Smaxv printf("%p", &some_global_var); --> "0xffffffffe38010f0" 131.1Smaxv to 141.1Smaxv printf("%p", &some_global_var); --> ".data.4:0x8010f0" 151.1Smaxv This eases debugging and also prevents leaks if a driver prints 161.1Smaxv kernel addresses as debug (I've seen that already). 171.1Smaxv 181.4Smaxv[DONE] -- PPPoE sends a kernel address as host unique. (What is this shit.) 191.1Smaxv 201.5Smaxv-- Several entry points leak kernel addresses: 211.5Smaxv [DONE] - "modstat -k" 221.5Smaxv - "netstat -nat" 231.6Smaxv [DONE] - kern.proc 241.6Smaxv [DONE] - kern.proc2 251.5Smaxv - kern.file 261.7Smaxv [DONE] - kern.file2 271.5Smaxv - kern.lwp 281.6Smaxv - sysctl_inpcblist 291.6Smaxv - sysctl_unpcblist 301.1Smaxv 311.1Smaxv-- Be careful with dmesg. 321.1Smaxv 331.1Smaxv====== RANDOMIZATION ====== 341.1Smaxv 351.3Smaxv[DONE] -- Randomize the PTE space. 361.1Smaxv 371.3Smaxv[DONE] -- Randomize the kernel main memory (VM_MIN_KERNEL_ADDRESS). 381.1Smaxv 391.2Smaxv[DONE] -- Randomize the direct map. 401.1Smaxv 411.7Smaxv[POINTLESS, BECAUSE CPU LEAKY] -- Randomize the PCPU area. 421.1Smaxv 431.1Smaxv====== GENERAL ====== 441.1Smaxv 451.1Smaxv-- Sort the kernel sections by size, from largest to smallest, to save 461.1Smaxv memory. 471.1Smaxv 481.1Smaxv-- Add the "pkboot" command in the EFI bootloader. 49