TODO.kaslr revision 1.8
====== POINTER LEAKS ======

[DONE] -- Change the permissions of /dev/ksyms, as discussed in:
          http://mail-index.netbsd.org/tech-kern/2018/01/17/msg022960.html

-- The address of a non-public section is leaked because of Meltdown,
   "jmp handler". This can easily be fixed by pushing the handlers into
   their own section.

-- Replace the "%p" fmt by something relative to the kernel section (if
   any). E.g., from
       printf("%p", &some_global_var); --> "0xffffffffe38010f0"
   to
       printf("%p", &some_global_var); --> ".data.4:0x8010f0"
   This eases debugging and also prevents leaks if a driver prints
   kernel addresses as debug output (I've seen that already).
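As an added illustration of the section-relative format proposed above (this is example code, not NetBSD's kernel code): a small C routine that maps a kernel pointer onto a table of sections and prints it as "section:offset", falling back to a fixed placeholder for pointers outside every known section so that no raw address escapes. The section table, its names and its load addresses are constructed for the example; a real kernel would fill the table from its own loader metadata.

```c
/* Added example, not NetBSD code: format a kernel pointer as a
 * section-relative offset ("<name>:0x<offset>") instead of its raw
 * (randomized) address. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ksection {
    const char *name;   /* section name, e.g. ".data.4" */
    uintptr_t   start;  /* load address (constructed placeholder values) */
    uintptr_t   size;   /* size in bytes */
};

/* Constructed sample layout; addresses and names are hypothetical. */
static const struct ksection sections[] = {
    { ".text.0", 0xffffffff80000000ULL, 0x00200000 },
    { ".data.4", 0xffffffffe3000000ULL, 0x01000000 },
    { ".bss.1",  0xffffffffa1200000ULL, 0x00040000 },
};

/* Return the section containing p, or NULL if p lies outside all of them. */
static const struct ksection *lookup_section(uintptr_t p)
{
    for (size_t i = 0; i < sizeof(sections) / sizeof(sections[0]); i++) {
        const struct ksection *s = &sections[i];
        if (p >= s->start && p - s->start < s->size)
            return s;
    }
    return NULL;
}

/* Write p into buf as "<section>:0x<offset>". Pointers that belong to no
 * known section become "<unknown>" rather than a raw address.
 * Returns the number of characters that snprintf would have written. */
int format_kptr(char *buf, size_t len, uintptr_t p)
{
    const struct ksection *s = lookup_section(p);
    if (s == NULL)
        return snprintf(buf, len, "<unknown>");
    return snprintf(buf, len, "%s:0x%llx", s->name,
                    (unsigned long long)(p - s->start));
}

int main(void)
{
    char buf[64];

    /* Constructed pointer into .data.4: the raw value is never printed. */
    format_kptr(buf, sizeof(buf), 0xffffffffe38010f0ULL);
    printf("%s\n", buf);

    /* A pointer outside every known section. */
    format_kptr(buf, sizeof(buf), 0x1234ULL);
    printf("%s\n", buf);
    return 0;
}
```

A driver that logs through such a helper (or a "%p" implementation that does this internally) still gives a developer a usable location for debugging, while the randomized base of each section stays out of dmesg and other user-visible output.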

[DONE] -- PPPoE sends a kernel address as host unique. (What is this shit.)

-- Several entry points leak kernel addresses:
       [DONE] - "modstat -k"
       [DONE] - kern.proc
       [DONE] - kern.proc2
       [DONE] - kern.file
       [DONE] - kern.file2
       [DONE] - kern.lwp
       [DONE] - sysctl_inpcblist
       [DONE] - sysctl_unpcblist
       - sysctl_doevcnt
       - sysctl_dobuf

-- Be careful with dmesg.

====== RANDOMIZATION ======

[DONE] -- Randomize the PTE space.

[DONE] -- Randomize the kernel main memory (VM_MIN_KERNEL_ADDRESS).

[DONE] -- Randomize the direct map.

[POINTLESS, BECAUSE CPU LEAKY] -- Randomize the PCPU area.

====== GENERAL ======

-- Sort the kernel sections by size, from largest to smallest, to save
   memory.

-- Add the "pkboot" command in the EFI bootloader.
50