Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Operating Systems Software Unix Windows Linux

OpenBSD Will Get Unique Kernels On Each Reboot (bleepingcomputer.com) 162

An anonymous reader quotes a report from Bleeping Computer: A new feature added in test snapshots for the upcoming OpenBSD 6.2 release will create a unique kernel every time an OpenBSD user reboots or upgrades his computer. This feature is named KARL -- Kernel Address Randomized Link -- and works by relinking internal kernel files in a random order so that it generates a unique kernel binary blob every time. Currently, for stable releases, the OpenBSD kernel uses a predefined order to link and load internal files inside the kernel binary, resulting in the same kernel for all users. Developed by Theo de Raadt, KARL will work by generating a new kernel binary at install, upgrade, and boot time. If the user boots up, upgrades, or reboots his machine, the most recently generated kernel will replace the existing kernel binary, and the OS will generate a new kernel binary that will be used on the next boot/upgrade/reboot, constantly rotating kernels on reboots or upgrades. KARL should not be confused with ASLR -- Address Space Layout Randomization -- a technique that randomizes the memory address where application code is executed, so exploits can't target a specific area of memory where an application or the kernel is known to run. A similar technique exists for randomizing the memory location where the kernel loads -- called KASLR. The difference between the two is that KARL loads a different kernel binary in the same place, while KASLR loads the same binary in random locations. Currently Linux and Windows only support KASLR.
This discussion has been archived. No new comments can be posted.

OpenBSD Will Get Unique Kernels On Each Reboot

Comments Filter:
  • by randomErr ( 172078 ) <ervin.kosch@nospAM.gmail.com> on Thursday July 06, 2017 @05:11AM (#54754863) Journal
    The rebuilding process shouldn't be that long. Especially if most of the modules are (mostly) precompiled. But with the random order that things will be re-compiled, will a bad order effect the overall performance of the system?
  • by badger.foo ( 447981 ) <peter@bsdly.net> on Thursday July 06, 2017 @05:15AM (#54754871) Homepage
    You will find more details over at the OpenBSD Journal site (undeadly.org [undeadly.org]), specifically the stories KARL - kernel address randomized link [undeadly.org] and the followup Kernel relinking status from Theo de Raadt [undeadly.org]. These and other items will also turn up on the project's Innovations [openbsd.org] page.

    And for that whirlwind tour of what's good in that system, take a peek at my OpenBSD and you [home.nuug.no] slides.

  • by account_deleted ( 4530225 ) on Thursday July 06, 2017 @05:42AM (#54754945)
    Comment removed based on user account deletion
  • by Anonymous Coward on Thursday July 06, 2017 @05:59AM (#54755009)

    All OpenBSD needs now is to adopt systemd. Then it wil be totally secure. And more cromulent.

  • The difference is merely in granularity; one is performed in the build time linker (aka static, ld), the other in the run time linker (aka dynamic loader, ld.so). The latter can be done in advance (prelinking), the former has to. The run time linker doesn't have information on all the intra-object links, so cannot operate at the level the build time linker does. That granularity might make a difference; it moves from up to about three (code, data, rodata) randomized pointers per program file to the same per object file (or possibly function, if the compiler splits them). The sort of exploit code this is supposed to mitigate doesn't need to hunt for all of those but typically a specific one, though, and the mitigation has been found to be fairly weak.

  • by zwarte piet ( 1023413 ) on Thursday July 06, 2017 @06:20AM (#54755083)
    ....apart from wearing ssds and make the authors look interesting?
  • The advantages (Score:5, Informative)

    by guruevi ( 827432 ) on Thursday July 06, 2017 @07:32AM (#54755327)

    Lots of people here asking about the advantages - here is the laymans explanation.

    So typically with ASLR you load a kernel blob into a randomized space and then it just sits there. An attacker (e.g. an evil hypervisor) could search the entire address space for the kernel or in some other way hook into the kernel binary and then simply count up or down address spaces or more likely pass an evil payload to load exploits against specific parts of the kernel from there. Since you always know which parts come first, you can craft payloads so that it gets passed or overflows until it reaches the vulnerable piece of code.

    What this is doing, it randomized the kernel and subsequently the entire kernel even though it sits in the same spot and you could still find or hook into it, you can't simply count up and down anymore to find the bad piece of code nor can you be guaranteed that weak boundary checks will pass your payload, because even though the system has hooked your vulnerable piece of code somewhere, it's not going to be in the same spot.

    It's basically more fine grained ASLR where you break the program (the kernel) down further in smaller pieces to be randomized.

    • by lowen ( 10529 ) on Thursday July 06, 2017 @11:18AM (#54757267)

      Instead of 'evil hypervisor' think 'Intel Management Engine.'

  • by jfdavis668 ( 1414919 ) on Thursday July 06, 2017 @07:44AM (#54755397)
    Since a lot of servers are up and running for seriously long times, the kernel won't change often. Also, since there are a finite number of permutations, it wouldn't be that hard to find the memory location you are looking for.
    • by guruevi ( 827432 ) on Thursday July 06, 2017 @08:28AM (#54755697)

      The idea is that when you have hundreds of machines, even though their uptime is high, they'll still all be running 'different' kernels.

      To be able to find a memory location, you have to pretty much already run as root. This is to prevent exploits before they get to that point. Eg. if you have a weak TCP/IP stack and you send an 'evil bit' that overflows the buffer, you're no longer guaranteed that by filling the next n buffers you will be able to execute shell code.

      Once you can search through the memory, you've gotten to a much farther point.

    • by Anonymous Coward on Thursday July 06, 2017 @08:54AM (#54755883)

      How many modules are there? If, say, 20 then 20! is about 2x10e18, and 30! is about 2.6x10e32

      Yes that's a finite number. So is a cryptography key.

      • by Ed Tice ( 3732157 ) on Thursday July 06, 2017 @10:39AM (#54756881)
        Yes but then there is also the kernel base address randomization mentioned in the summary. Put the two together and you get a number that is larger than the total address space of the machine. So essentially all you know is that the problem space is 2^64 for each function whose address you'd like to determine.
    • by ponraul ( 1233704 ) on Thursday July 06, 2017 @12:50PM (#54758153)
      As long as there's enough entropy in the state space, it will not be feasible to search it every time an exploit is tried. Since it's random knowing, the parameters of one system, won't give you any information about a different host since it was randomized at boot as well.
  • by Anonymous Coward on Thursday July 06, 2017 @07:50AM (#54755425)

    Interesting that nix advocates were always mocking Windows for not being able to hot patch without needing a reboot and yet here we are, a nix based OS that needs reboots to stay patched, fwiw this is why updates get disabled (and people get pwned), we are not running silly games or wordy processors in BSD but usually devices that need uptimes of months, preferably years, i don't want to intentionally reboot at all.

    are there any stable and secure nix distros left ?

  • Ooold. (Score:5, Funny)

    by SharpFang ( 651121 ) on Thursday July 06, 2017 @08:23AM (#54755661) Homepage Journal

    Had it on my 486 that ran Gentoo, and not just with the kernel but most of apps. By the time Emerge World completed and I'd need to reboot for the upgraded kernel to start up, a new version was already available, and Emerge World ran right after start, on whatever updates happened during the previous run would finish about the time another kernel was available.

  • by jbmartin6 ( 1232050 ) on Thursday July 06, 2017 @08:43AM (#54755799)
    " Microsoft has used KASLR for many years." and Linux kernel just added it.
  • by fabriciom ( 916565 ) on Thursday July 06, 2017 @10:43AM (#54756921)
    Hope this gets copied over to linux ASAP...
  • by m.dillon ( 147925 ) on Thursday July 06, 2017 @11:00AM (#54757079) Homepage

    If I understand this correctly, the kernel is being relinked and rewritten to the boot partition. That's instant fail in my book.... at least for us, the boot partition is sacrosanct. We do *NOT* write to it except when specifically upgrading a system. We do not do ad-hoc or automated writes to it because years of experience has shown that most corrupted boots (aka machine -> non-working) are due to unexpected events occurring while a filesystem is being written to.

    The rename trick is not a solution (there's the 'ideal' atomic, and then there is the reality. That storage devices can fail in many different ways even while writing a particular sector, that are unrelated to that sector).

    So, honestly, I think OpenBSD is making a huge mistake here. I can see randomization at load-time, but relinking and rewriting the kernel binary on every boot? No. Bad bad bad idea.

    ASLR or equivalent is close to useless anyway. Malware has found ways around it, it makes debugging and bug reproducability difficult (which arguably is more important... that bugs get found and fixed, not simply detected). It also tends to fragment memory which can cause serious problems for long-running systems. And the vast majority of systems will simply restart the service anyway. They might log the seg-fault from the malware, but maybe 0.001% of system owners actually look at those logs.

    -Matt

  • by OrangeTide ( 124937 ) on Thursday July 06, 2017 @05:27PM (#54760071) Homepage Journal

    Time to inject something into the kernel linker. This random order thing should make it very easy to high all sorts of fun gadgets.

  • by troublemaker_23 ( 727868 ) on Thursday July 06, 2017 @07:04PM (#54760529)
    Uptime is a defining characteristic of OpenBSD - Netcraft will prove this. How often are OpenBSD machines rebooted to take advantage of this feature? It would be understandable on a Windows system.

Live within your income, even if you have to borrow to do so. -- Josh Billings

Working...