This repository has been archived by the owner on May 12, 2021. It is now read-only.

kernel x86/config: enable missing security features #638

Closed
devimc opened this issue Jul 16, 2019 · 0 comments
Assignees
Labels
enhancement Improvement to an existing feature needs-review Needs to be assessed by the team.

Comments

@devimc

devimc commented Jul 16, 2019

Missing features

  • CONFIG_RANDOMIZE_BASE
  • CONFIG_RANDOMIZE_MEMORY
  • CONFIG_STACKPROTECTOR
  • CONFIG_REFCOUNT_FULL
  • CONFIG_HARDENED_USERCOPY
  • CONFIG_FORTIFY_SOURCE
@devimc devimc added enhancement Improvement to an existing feature needs-review Needs to be assessed by the team. labels Jul 16, 2019
@devimc devimc self-assigned this Jul 16, 2019
devimc pushed a commit to devimc/kata-packaging that referenced this issue Jul 16, 2019
CONFIG_RANDOMIZE_BASE
Randomize the physical address at which the kernel image is decompressed and
the virtual address where the kernel image is mapped, as a security feature
that deters exploit attempts relying on knowledge of the location of kernel
code internals

CONFIG_RANDOMIZE_MEMORY
Randomizes the base virtual address of kernel memory sections. This security
feature makes exploits relying on predictable memory locations less reliable

CONFIG_STACKPROTECTOR
This feature puts, at the beginning of functions, a canary value on the stack
just before the return address, and validates the value just before actually
returning. Stack based buffer overflows now also overwrite the canary, which
gets detected and the attack is then neutralized via a kernel panic.

CONFIG_REFCOUNT_FULL
Enabling this switches the ref counting infrastructure from a fast unchecked
atomic_t implementation to a fully state checked implementation, which can be
(slightly) slower but provides protections against various use-after-free
conditions that can be used in security flaw exploits.

CONFIG_HARDENED_USERCOPY
This option checks for obviously wrong memory regions when copying memory
to/from the kernel (via copy_to_user() and copy_from_user() functions) by
rejecting memory ranges that are larger than the specified heap object, span
multiple separately allocated pages, are not on the process stack, or are part
of the kernel text. This kills entire classes of heap overflow exploits and
similar kernel memory exposures.

CONFIG_FORTIFY_SOURCE
Detect overflows of buffers in common string and memory functions where the
compiler can determine and validate the buffer sizes.

fixes kata-containers#638

Signed-off-by: Julio Montes <julio.montes@intel.com>
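The commit above only documents the options; what a packager actually needs is a way to prove a built kernel's .config has them all set, and to tell an option that is explicitly "not set" apart from one the kernel does not know about (which is how a renamed or removed option shows up). The script below is an added example, not code from kata-containers/packaging: it checks a .config (a file given on the command line, or the running kernel via /proc/config.gz or /boot/config-$(uname -r)) for the six options named in this issue and exits non-zero if any is not =y. The sample config embedded in it is constructed for the demonstration; the function names config_state and check_config are this example's own.

```shell
#!/bin/sh
# Added example (not part of kata-containers/packaging): verify that a kernel
# .config enables the hardening options listed in issue #638.
#
# States reported per option:
#   enabled  - CONFIG_X=y
#   DISABLED - "# CONFIG_X is not set" (option known, turned off)
#   module   - CONFIG_X=m (not valid for these bool options, flagged anyway)
#   MISSING  - option absent from the file (unknown to this kernel/arch or
#              renamed/removed in this kernel version)

# Options named in the issue (assumed to be the set the caller wants verified).
HARDENING_OPTS="CONFIG_RANDOMIZE_BASE CONFIG_RANDOMIZE_MEMORY CONFIG_STACKPROTECTOR CONFIG_REFCOUNT_FULL CONFIG_HARDENED_USERCOPY CONFIG_FORTIFY_SOURCE"

# config_state FILE OPTION -> prints y, m, n or missing
config_state() {
    file=$1; opt=$2
    if grep -q "^${opt}=y$" "$file"; then
        echo y
    elif grep -q "^${opt}=m$" "$file"; then
        echo m
    elif grep -q "^# ${opt} is not set$" "$file"; then
        echo n
    else
        echo missing
    fi
}

# check_config FILE -> one line per option; returns 0 only if every option is =y
check_config() {
    file=$1; rc=0
    for opt in $HARDENING_OPTS; do
        state=$(config_state "$file" "$opt")
        case $state in
            y)       printf '%-26s enabled\n' "$opt" ;;
            n)       printf '%-26s DISABLED (is not set)\n' "$opt"; rc=1 ;;
            m)       printf '%-26s built as module (must be =y)\n' "$opt"; rc=1 ;;
            missing) printf '%-26s MISSING (not in config)\n' "$opt"; rc=1 ;;
        esac
    done
    return $rc
}

# running_config -> writes the running kernel's config to stdout, if available
# (/proc/config.gz needs CONFIG_IKCONFIG_PROC; otherwise the distro's /boot copy).
running_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Constructed sample .config (not a real Kata guest kernel config) covering the
# enabled, disabled and missing states; CONFIG_REFCOUNT_FULL is deliberately absent.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
CONFIG_RANDOMIZE_BASE=y
# CONFIG_RANDOMIZE_MEMORY is not set
CONFIG_STACKPROTECTOR=y
CONFIG_HARDENED_USERCOPY=y
# CONFIG_FORTIFY_SOURCE is not set
EOF

# Usage: sh check-hardening.sh [path/to/.config]
# With no argument the constructed sample is checked; pass "running" to check
# the running kernel. Exit status reflects the last check performed.
target=${1:-}
if [ "$target" = running ]; then
    tmp=$(mktemp); running_config > "$tmp" || { echo "no kernel config found"; exit 2; }
    check_config "$tmp"; status=$?; rm -f "$tmp"
elif [ -n "$target" ]; then
    check_config "$target"; status=$?
else
    echo "== constructed sample config =="
    if check_config "$SAMPLE"; then status=0; else status=1; fi
fi
echo "result: $( [ "$status" -eq 0 ] && echo all hardening options enabled || echo hardening gaps found )"
```

The distinction between DISABLED and MISSING matters when the kernel being packaged is not the version the option list was written against: CONFIG_STACKPROTECTOR was called CONFIG_CC_STACKPROTECTOR before Linux 4.18, and CONFIG_REFCOUNT_FULL was removed in 5.5 when full refcount checking became unconditional, so a MISSING result on such kernels means "look up the current name or default", not "turn it on". Run the script as a build-time gate (for example right after `make olddefconfig`) so a config fragment that silently drops one of these options fails the build rather than shipping.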