Linux Kernel Hardening: Modern Security Features and Mitigation Techniques#

The Linux kernel has evolved significantly in response to sophisticated attacks and hardware vulnerabilities. This comprehensive guide explores modern kernel hardening techniques, from foundational features like KASLR and KPTI to cutting-edge mitigations for CPU vulnerabilities and advanced exploit prevention mechanisms.

Understanding Kernel Attack Surface#

Common Attack Vectors#

1
/* Example: Vulnerable kernel code patterns */
2

3
// 1. Buffer overflow vulnerability
4
static long vulnerable_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
5
{
6
    char buffer[64];
7

8
    // Vulnerable: No bounds checking
9
    if (copy_from_user(buffer, (void __user *)arg, 128))
10
        return -EFAULT;
11

12
    return 0;
13
}
14

15
// 2. Use-after-free vulnerability
16
struct my_data {
17
    void (*callback)(void);
18
    char data[100];
19
};
20

21
static void vulnerable_free(struct my_data *data)
22
{
23
    kfree(data);
24
    // Vulnerable: Use after free
25
    data->callback();
26
}
27

28
// 3. Race condition vulnerability
29
static int vulnerable_open(struct inode *inode, struct file *file)
30
{
31
    // Vulnerable: TOCTOU race condition
32
    if (!capable(CAP_SYS_ADMIN))
33
        return -EPERM;
34

35
    // Time window for privilege change
36
    msleep(10);
37

38
    // Assumes capability still valid
39
    file->private_data = sensitive_data;
40
    return 0;
41
}

Core Hardening Features#

KASLR (Kernel Address Space Layout Randomization)#

KASLR randomizes the kernel’s virtual address space layout to make exploitation harder.

Implementation Details#

1
// Kernel configuration for KASLR
2
CONFIG_RANDOMIZE_BASE=y
3
CONFIG_RANDOMIZE_MEMORY=y
4
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
5

6
// Boot-time entropy gathering
7
void __init kaslr_early_init(void)
8
{
9
    unsigned long entropy;
10

11
    /* Gather entropy from various sources */
12
    entropy = get_boot_seed();
13
    entropy ^= rdtsc();
14
    entropy ^= read_cr3();
15

16
    /* Calculate random offset */
17
    kernel_offset = (entropy % KERNEL_IMAGE_SIZE_MAX) & ~(KERNEL_ALIGN - 1);
18

19
    /* Apply offset to kernel mappings */
20
    __START_KERNEL_map += kernel_offset;
21
    phys_base -= kernel_offset;
22
}

Verifying KASLR#

1
# Check if KASLR is enabled
2
cat /proc/cmdline | grep kaslr
3
dmesg | grep "KASLR enabled"
4

5
# View kernel offset (requires root)
6
cat /proc/kallsyms | grep _text
7
# Address changes on each boot with KASLR
8

9
# Disable KASLR for debugging
10
kernel command line: nokaslr

KPTI (Kernel Page Table Isolation)#

KPTI mitigates Meltdown by separating user and kernel page tables.

Implementation#

1
// KPTI page table switching
2
static inline void switch_to_kernel_pt(void)
3
{
4
    unsigned long cr3 = __read_cr3();
5

6
    if (cr3 & PTI_USER_PGTABLE_BIT) {
7
        cr3 &= ~PTI_USER_PGTABLE_BIT;
8
        native_write_cr3(cr3);
9
    }
10
}
11

12
// Entry/exit macros
13
#define SWITCH_TO_KERNEL_CR3    \
14
    movq    %cr3, %rax;         \
15
    andq    $~PTI_USER_PGTABLE_BIT, %rax; \
16
    movq    %rax, %cr3
17

18
#define SWITCH_TO_USER_CR3      \
19
    movq    %cr3, %rax;         \
20
    orq     $PTI_USER_PGTABLE_BIT, %rax; \
21
    movq    %rax, %cr3

Performance Impact Mitigation#

1
// Process-specific KPTI control
2
static int setup_kpti_ctl(void)
3
{
4
    if (cpu_mitigations_off())
5
        return 0;
6

7
    /* Disable KPTI for trusted processes */
8
    if (current->flags & PF_KPTI_EXEMPT) {
9
        current->mm->context.pti_disabled = 1;
10
        return 0;
11
    }
12

13
    return 1;
14
}
15

16
// Per-CPU optimization
17
DEFINE_PER_CPU(unsigned long, cached_user_cr3);
18
DEFINE_PER_CPU(unsigned long, cached_kernel_cr3);

Stack Protection#

Stack Canaries#

1
// GCC stack protection
2
// Compile with: -fstack-protector-strong
3

4
void __stack_chk_fail(void)
5
{
6
    panic("Stack smashing detected!");
7
}
8

9
// Example protected function
10
void protected_function(char *input)
11
{
12
    char buffer[64];
13
    unsigned long canary = __stack_chk_guard;
14

15
    strcpy(buffer, input);  // Potentially unsafe
16

17
    if (canary != __stack_chk_guard)
18
        __stack_chk_fail();
19
}

Shadow Stack#

1
// Intel CET (Control-flow Enforcement Technology) shadow stack
2
static void enable_shadow_stack(void)
3
{
4
    u64 msr_val;
5

6
    if (!cpu_feature_enabled(X86_FEATURE_SHSTK))
7
        return;
8

9
    /* Enable shadow stack */
10
    rdmsrl(MSR_IA32_U_CET, msr_val);
11
    msr_val |= CET_SHSTK_EN;
12
    wrmsrl(MSR_IA32_U_CET, msr_val);
13

14
    /* Set up shadow stack pointer */
15
    wrmsrl(MSR_IA32_PL3_SSP, current->thread.shstk_base);
16
}

Control Flow Integrity (CFI)#

Clang CFI Implementation#

1
// Kernel built with Clang CFI
2
// CONFIG_CFI_CLANG=y
3

4
// CFI type checking before indirect calls
5
#define cfi_check_fn(fn, type) \
6
    __cfi_check((unsigned long)(fn), (unsigned long)type##_cfi_id)
7

8
// Example usage
9
struct file_operations {
10
    int (*open)(struct inode *, struct file *);
11
    int (*release)(struct inode *, struct file *);
12
} __randomize_layout;
13

14
static int cfi_safe_open(struct inode *inode, struct file *file)
15
{
16
    const struct file_operations *fops = file->f_op;
17

18
    /* CFI check before indirect call */
19
    cfi_check_fn(fops->open, file_operations_open);
20

21
    return fops->open(inode, file);
22
}

Return-Oriented Programming (ROP) Protection#

1
// Intel CET Indirect Branch Tracking
2
static void enable_ibt(void)
3
{
4
    u64 msr_val;
5

6
    if (!cpu_feature_enabled(X86_FEATURE_IBT))
7
        return;
8

9
    /* Enable indirect branch tracking */
10
    rdmsrl(MSR_IA32_S_CET, msr_val);
11
    msr_val |= CET_ENDBR_EN;
12
    wrmsrl(MSR_IA32_S_CET, msr_val);
13
}
14

15
// ENDBR instruction at valid targets
16
__attribute__((cf_check))
17
void valid_indirect_target(void)
18
{
19
    asm volatile("endbr64");
20
    /* Function body */
21
}

CPU Vulnerability Mitigations#

Spectre Mitigations#

Retpoline#

1
// Retpoline implementation for indirect branches
2
.macro RETPOLINE_JMP reg:req
3
    call    .Ldo_rop_\@
4
.Lspec_trap_\@:
5
    pause
6
    lfence
7
    jmp     .Lspec_trap_\@
8
.Ldo_rop_\@:
9
    mov     \reg, (%rsp)
10
    ret
11
.endm
12

13
// Compiler-generated retpoline thunks
14
extern void __x86_indirect_thunk_rax(void);
15

16
// Usage in C code
17
#define indirect_branch_prediction_barrier() \
18
    asm volatile("lfence" : : : "memory")

IBRS/IBPB/STIBP#

1
// Indirect Branch Restricted Speculation controls
2
static void enable_spectre_v2_protection(void)
3
{
4
    u64 msr_val;
5

6
    /* Enable IBRS */
7
    if (boot_cpu_has(X86_FEATURE_IBRS)) {
8
        rdmsrl(MSR_IA32_SPEC_CTRL, msr_val);
9
        msr_val |= SPEC_CTRL_IBRS;
10
        wrmsrl(MSR_IA32_SPEC_CTRL, msr_val);
11
    }
12

13
    /* Issue IBPB on context switch */
14
    if (boot_cpu_has(X86_FEATURE_IBPB)) {
15
        wrmsrl(MSR_IA32_PRED_CMD, PRED_CMD_IBPB);
16
    }
17

18
    /* Enable STIBP for user threads */
19
    if (boot_cpu_has(X86_FEATURE_STIBP)) {
20
        rdmsrl(MSR_IA32_SPEC_CTRL, msr_val);
21
        msr_val |= SPEC_CTRL_STIBP;
22
        wrmsrl(MSR_IA32_SPEC_CTRL, msr_val);
23
    }
24
}

L1TF (L1 Terminal Fault) Mitigation#

1
// Page Table Entry inversion for L1TF
2
static inline void __pte_to_swp_entry_invert(pte_t *pte)
3
{
4
    pte->pte = pte_val(*pte) ^ _PAGE_PROTNONE;
5
}
6

7
// L1D cache flush on VM entry
8
static void l1d_flush(void)
9
{
10
    int size = PAGE_SIZE << L1D_CACHE_ORDER;
11
    void *buffer = this_cpu_ptr(&l1d_flush_pages);
12

13
    /* Fill L1D with safe data */
14
    asm volatile(
15
        "xorl   %%eax, %%eax\n"
16
        ".Lfill_cache:\n\t"
17
        "movzbl (%[flush_pages], %%" _ASM_AX "), %%ecx\n\t"
18
        "addl   $64, %%eax\n\t"
19
        "cmpl   %%eax, %[size]\n\t"
20
        "jne    .Lfill_cache\n\t"
21
        "lfence\n"
22
        :: [flush_pages] "r" (buffer),
23
           [size] "r" (size)
24
        : "eax", "ecx", "memory"
25
    );
26
}

MDS (Microarchitectural Data Sampling) Mitigation#

1
// CPU buffer clear on context switch
2
static inline void mds_clear_cpu_buffers(void)
3
{
4
    static const u16 ds = __KERNEL_DS;
5

6
    /*
7
     * Clear CPU buffers by performing a dummy verw instruction
8
     * with the kernel data segment
9
     */
10
    asm volatile("verw %[ds]" : : [ds] "m" (ds) : "cc");
11
}
12

13
// Automatic buffer clearing
14
static void mds_user_clear_cpu_buffers(void)
15
{
16
    if (!static_branch_likely(&mds_user_clear))
17
        return;
18

19
    mds_clear_cpu_buffers();
20
}

Memory Protection Features#

W^X (Write XOR Execute)#

1
// Enforce W^X protections
2
static int check_wx_pages(void)
3
{
4
    struct page *page;
5
    unsigned long pfn;
6
    int failed = 0;
7

8
    for_each_online_pgdat(pgdat) {
9
        for (pfn = pgdat->node_start_pfn;
10
             pfn < pgdat->node_start_pfn + pgdat->node_spanned_pages;
11
             pfn++) {
12

13
            page = pfn_to_page(pfn);
14

15
            if (!page_is_ram(pfn))
16
                continue;
17

18
            /* Check for W+X mappings */
19
            if (page_is_writable(page) && page_is_executable(page)) {
20
                pr_warn("Found W+X page at 0x%lx\n",
21
                        pfn << PAGE_SHIFT);
22
                failed++;
23
            }
24
        }
25
    }
26

27
    return failed;
28
}
29

30
// Set proper permissions
31
static void set_memory_protection(void *addr, size_t size, pgprot_t prot)
32
{
33
    unsigned long start = (unsigned long)addr;
34
    unsigned long end = start + size;
35

36
    /* Round to page boundaries */
37
    start = round_down(start, PAGE_SIZE);
38
    end = round_up(end, PAGE_SIZE);
39

40
    /* Apply protection */
41
    if (pgprot_val(prot) & _PAGE_NX) {
42
        set_memory_nx(start, (end - start) >> PAGE_SHIFT);
43
    }
44
    if (!(pgprot_val(prot) & _PAGE_RW)) {
45
        set_memory_ro(start, (end - start) >> PAGE_SHIFT);
46
    }
47
}

FORTIFY_SOURCE#

1
// CONFIG_FORTIFY_SOURCE=y
2

3
// Fortified string operations
4
#define __fortify_memcpy(dest, src, len)                           \
5
({                                                                  \
6
    size_t __len = (len);                                          \
7
    size_t __dest_size = __builtin_object_size(dest, 0);          \
8
    size_t __src_size = __builtin_object_size(src, 0);            \
9
                                                                   \
10
    if (__builtin_constant_p(__len) && __len > __dest_size)       \
11
        __fortify_panic(__func__);                                 \
12
    if (__builtin_constant_p(__len) && __len > __src_size)        \
13
        __fortify_panic(__func__);                                 \
14
                                                                   \
15
    __builtin_memcpy(dest, src, len);                            \
16
})
17

18
// Usage
19
void safe_copy(void *dst, const void *src, size_t len)
20
{
21
    char buffer[64];
22

23
    /* Compile-time check if len > 64 */
24
    __fortify_memcpy(buffer, src, len);
25
}

Guard Pages#

1
// Kernel stack guard pages
2
static int setup_stack_guard_page(struct task_struct *tsk)
3
{
4
    struct page *page;
5
    unsigned long addr;
6

7
    /* Allocate stack with guard page */
8
    addr = __get_free_pages(GFP_KERNEL, THREAD_SIZE_ORDER);
9
    if (!addr)
10
        return -ENOMEM;
11

12
    /* Set up guard page at bottom of stack */
13
    page = virt_to_page(addr);
14
    set_page_guard(page);
15

16
    /* Mark guard page as non-present */
17
    __set_page_prot(page, __pgprot(0));
18

19
    tsk->stack = (void *)(addr + PAGE_SIZE);
20
    return 0;
21
}

Kernel Configuration Hardening#

Essential Hardening Options#

1
# Security options
2
CONFIG_SECURITY=y
3
CONFIG_SECURITY_YAMA=y
4
CONFIG_SECURITY_LOADPIN=y
5
CONFIG_SECURITY_LOCKDOWN_LSM=y
6
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
7
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
8

9
# Memory protection
10
CONFIG_FORTIFY_SOURCE=y
11
CONFIG_STACKPROTECTOR_STRONG=y
12
CONFIG_STRICT_KERNEL_RWX=y
13
CONFIG_STRICT_MODULE_RWX=y
14
CONFIG_DEBUG_WX=y
15

16
# CPU mitigations
17
CONFIG_PAGE_TABLE_ISOLATION=y
18
CONFIG_RETPOLINE=y
19
CONFIG_CPU_MITIGATIONS=y
20
CONFIG_SPECULATION_MITIGATIONS=y
21

22
# Attack surface reduction
23
CONFIG_LEGACY_VSYSCALL_NONE=y
24
CONFIG_HARDENED_USERCOPY=y
25
CONFIG_HARDENED_USERCOPY_FALLBACK=n
26
CONFIG_SLAB_FREELIST_RANDOM=y
27
CONFIG_SLAB_FREELIST_HARDENED=y
28
CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
29

30
# Kernel self-protection
31
CONFIG_BUG_ON_DATA_CORRUPTION=y
32
CONFIG_DEBUG_CREDENTIALS=y
33
CONFIG_DEBUG_NOTIFIERS=y
34
CONFIG_DEBUG_LIST=y
35
CONFIG_DEBUG_SG=y
36
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
37
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
38

39
# Disable dangerous features
40
# CONFIG_DEVMEM is not set
41
# CONFIG_DEVKMEM is not set
42
# CONFIG_PROC_KCORE is not set
43
# CONFIG_KEXEC is not set
44
# CONFIG_HIBERNATION is not set

Runtime Hardening#

1
#!/bin/bash
2
# kernel-hardening.sh - Apply runtime hardening
3

4
# Kernel parameters
5
cat > /etc/sysctl.d/99-hardening.conf << EOF
6
# Kernel hardening
7
kernel.dmesg_restrict = 1
8
kernel.kptr_restrict = 2
9
kernel.yama.ptrace_scope = 2
10
kernel.unprivileged_bpf_disabled = 1
11
kernel.unprivileged_userns_clone = 0
12
kernel.sysrq = 0
13
kernel.core_uses_pid = 1
14
kernel.panic = 60
15
kernel.panic_on_oops = 1
16

17
# Module loading restrictions
18
kernel.modules_disabled = 1
19

20
# Memory protections
21
vm.mmap_min_addr = 65536
22
vm.mmap_rnd_bits = 32
23
vm.mmap_rnd_compat_bits = 16
24

25
# Network hardening
26
net.ipv4.tcp_syncookies = 1
27
net.ipv4.tcp_rfc1337 = 1
28
net.ipv4.conf.all.rp_filter = 1
29
net.ipv4.conf.default.rp_filter = 1
30
net.ipv4.conf.all.accept_source_route = 0
31
net.ipv4.conf.default.accept_source_route = 0
32
net.ipv4.conf.all.send_redirects = 0
33
net.ipv4.conf.default.send_redirects = 0
34
net.ipv4.conf.all.accept_redirects = 0
35
net.ipv4.conf.default.accept_redirects = 0
36
net.ipv4.conf.all.secure_redirects = 0
37
net.ipv4.conf.default.secure_redirects = 0
38
net.ipv4.icmp_echo_ignore_broadcasts = 1
39
net.ipv4.icmp_ignore_bogus_error_responses = 1
40
net.ipv4.conf.all.log_martians = 1
41
net.ipv4.conf.default.log_martians = 1
42

43
# IPv6 hardening
44
net.ipv6.conf.all.accept_ra = 0
45
net.ipv6.conf.default.accept_ra = 0
46
net.ipv6.conf.all.accept_redirects = 0
47
net.ipv6.conf.default.accept_redirects = 0
48
EOF
49

50
# Apply settings
51
sysctl -p /etc/sysctl.d/99-hardening.conf
52

53
# Disable kernel module loading
54
echo 1 > /proc/sys/kernel/modules_disabled
55

56
# Set CPU vulnerability mitigations
57
echo "Enabling CPU mitigations..."
58
for vuln in /sys/devices/system/cpu/vulnerabilities/*; do
59
    echo "$(basename $vuln): $(cat $vuln)"
60
done

Advanced Hardening Techniques#

Kernel Runtime Security Engine#

1
// Custom kernel hardening module
2
#include <linux/module.h>
3
#include <linux/kernel.h>
4
#include <linux/init.h>
5
#include <linux/security.h>
6
#include <linux/cred.h>
7

8
static int hardening_task_create(unsigned long clone_flags)
9
{
10
    const struct cred *cred = current_cred();
11

12
    /* Restrict unprivileged user namespaces */
13
    if ((clone_flags & CLONE_NEWUSER) && !capable(CAP_SYS_ADMIN)) {
14
        pr_warn("Blocked unprivileged user namespace creation\n");
15
        return -EPERM;
16
    }
17

18
    /* Restrict ptrace */
19
    if (clone_flags & CLONE_PTRACE) {
20
        if (!has_capability(current, CAP_SYS_PTRACE)) {
21
            pr_warn("Blocked ptrace attach\n");
22
            return -EPERM;
23
        }
24
    }
25

26
    return 0;
27
}
28

29
static struct security_hook_list hardening_hooks[] __lsm_ro_after_init = {
30
    LSM_HOOK_INIT(task_create, hardening_task_create),
31
};
32

33
static int __init hardening_init(void)
34
{
35
    pr_info("Kernel hardening module loaded\n");
36
    security_add_hooks(hardening_hooks, ARRAY_SIZE(hardening_hooks),
37
                      "hardening");
38
    return 0;
39
}
40

41
module_init(hardening_init);
42
MODULE_LICENSE("GPL");
43
MODULE_DESCRIPTION("Additional kernel hardening");

Integrity Measurement Architecture (IMA)#

1
# IMA policy for kernel integrity
2
cat > /etc/ima/ima-policy << EOF
3
# Measure and appraise kernel modules
4
measure func=MODULE_CHECK
5
appraise func=MODULE_CHECK appraise_type=imasig
6

7
# Measure and appraise firmware
8
measure func=FIRMWARE_CHECK
9
appraise func=FIRMWARE_CHECK appraise_type=imasig
10

11
# Measure and appraise kexec kernel
12
measure func=KEXEC_KERNEL_CHECK
13
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig
14

15
# Measure all executables
16
measure func=BPRM_CHECK mask=MAY_EXEC
17
measure func=MMAP_CHECK mask=MAY_EXEC
18

19
# Audit policy violations
20
audit func=BPRM_CHECK mask=MAY_EXEC
21
EOF
22

23
# Load IMA policy
24
cat /etc/ima/ima-policy > /sys/kernel/security/ima/policy

Kernel Lockdown#

1
// Kernel lockdown levels
2
enum lockdown_reason {
3
    LOCKDOWN_NONE,
4
    LOCKDOWN_MODULE_SIGNATURE,
5
    LOCKDOWN_DEV_MEM,
6
    LOCKDOWN_EFI_TEST,
7
    LOCKDOWN_KEXEC,
8
    LOCKDOWN_HIBERNATION,
9
    LOCKDOWN_PCI_ACCESS,
10
    LOCKDOWN_IOPORT,
11
    LOCKDOWN_MSR,
12
    LOCKDOWN_ACPI_TABLES,
13
    LOCKDOWN_PCMCIA_CIS,
14
    LOCKDOWN_TIOCSSERIAL,
15
    LOCKDOWN_MODULE_PARAMETERS,
16
    LOCKDOWN_MMIOTRACE,
17
    LOCKDOWN_DEBUGFS,
18
    LOCKDOWN_XMON_WR,
19
    LOCKDOWN_KCORE,
20
    LOCKDOWN_KPROBES,
21
    LOCKDOWN_BPF_READ,
22
    LOCKDOWN_PERF,
23
    LOCKDOWN_TRACEFS,
24
    LOCKDOWN_XMON_RW,
25
    LOCKDOWN_CONFIDENTIALITY_MAX,
26
};
27

28
static int lockdown_is_locked_down(enum lockdown_reason what)
29
{
30
    if (kernel_locked_down >= what) {
31
        pr_warn("Lockdown: %s is restricted; see man kernel_lockdown.7\n",
32
                lockdown_reasons[what]);
33
        return -EPERM;
34
    }
35

36
    return 0;
37
}

Performance Impact and Tuning#

Measuring Security Overhead#

1
// Performance measurement module
2
#include <linux/time64.h>
3
#include <linux/timekeeping.h>
4

5
struct mitigation_stats {
6
    u64 total_cycles;
7
    u64 total_calls;
8
    u64 max_cycles;
9
};
10

11
static DEFINE_PER_CPU(struct mitigation_stats, kpti_stats);
12
static DEFINE_PER_CPU(struct mitigation_stats, retpoline_stats);
13

14
#define MEASURE_MITIGATION(name, code) ({                          \
15
    struct mitigation_stats *stats = this_cpu_ptr(&name##_stats);  \
16
    u64 start = rdtsc();                                           \
17
    code;                                                          \
18
    u64 delta = rdtsc() - start;                                  \
19
    stats->total_cycles += delta;                                  \
20
    stats->total_calls++;                                          \
21
    if (delta > stats->max_cycles)                                \
22
        stats->max_cycles = delta;                                 \
23
})
24

25
// Usage example
26
static void measured_context_switch(void)
27
{
28
    MEASURE_MITIGATION(kpti, {
29
        switch_to_kernel_cr3();
30
        /* Context switch code */
31
        switch_to_user_cr3();
32
    });
33
}

Selective Mitigation#

1
# Fine-grained mitigation control
2
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt spectre_v2=retpoline spec_store_bypass_disable=seccomp l1tf=full,force mds=full,nosmt tsx_async_abort=full,nosmt"
3

4
# Process-specific mitigation control
5
# /proc/PID/status
6
grep Speculation /proc/self/status
7
# Speculation_Store_Bypass:    thread force mitigated
8
# Speculation_Indirect_Branch: conditional force disabled
9

10
# Disable mitigations for specific process
11
prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS,
12
      PR_SPEC_FORCE_DISABLE, 0, 0);

Testing and Validation#

Security Test Suite#

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <unistd.h>
4
#include <sys/mman.h>
5
#include <sys/prctl.h>
6

7
int test_nx_protection(void)
8
{
9
    void *exec_page;
10

11
    /* Allocate writable page */
12
    exec_page = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
13
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
14

15
    if (exec_page == MAP_FAILED) {
16
        perror("mmap");
17
        return -1;
18
    }
19

20
    /* Write shellcode */
21
    unsigned char shellcode[] = "\xc3"; /* ret */
22
    memcpy(exec_page, shellcode, sizeof(shellcode));
23

24
    /* Try to execute - should fail with NX */
25
    if (mprotect(exec_page, 4096, PROT_READ | PROT_EXEC) == 0) {
26
        printf("FAIL: NX protection not working\n");
27
        return -1;
28
    }
29

30
    printf("PASS: NX protection working\n");
31
    return 0;
32
}
33

34
int test_kaslr(void)
35
{
36
    FILE *f;
37
    unsigned long addr1, addr2;
38

39
    /* Read kernel symbol address */
40
    f = fopen("/proc/kallsyms", "r");
41
    if (!f) {
42
        printf("SKIP: Cannot read /proc/kallsyms\n");
43
        return 0;
44
    }
45

46
    fscanf(f, "%lx", &addr1);
47
    fclose(f);
48

49
    /* Check if address looks randomized */
50
    if ((addr1 & 0xFFFFFF) == 0) {
51
        printf("FAIL: KASLR might be disabled\n");
52
        return -1;
53
    }
54

55
    printf("PASS: KASLR appears enabled\n");
56
    return 0;
57
}
58

59
int main(void)
60
{
61
    printf("Kernel Hardening Test Suite\n");
62
    printf("===========================\n");
63

64
    test_nx_protection();
65
    test_kaslr();
66
    /* Add more tests */
67

68
    return 0;
69
}

Exploit Mitigation Testing#

1
#!/usr/bin/env python3
2
# test_mitigations.py - Test kernel exploit mitigations
3

4
import os
5
import subprocess
6
import ctypes
7
import mmap
8

9
class KernelMitigationTester:
10
    def __init__(self):
11
        self.results = {}
12

13
    def test_kaslr(self):
14
        """Test KASLR effectiveness"""
15
        try:
16
            # Check for KASLR in cmdline
17
            with open('/proc/cmdline', 'r') as f:
18
                cmdline = f.read()
19
                if 'nokaslr' in cmdline:
20
                    return False, "KASLR disabled in boot parameters"
21

22
            # Check kernel offset
23
            with open('/proc/kallsyms', 'r') as f:
24
                first_symbol = f.readline().split()[0]
25
                if first_symbol == '0000000000000000':
26
                    return False, "kallsyms not available"
27

28
                # Check for randomization
29
                addr = int(first_symbol, 16)
30
                if (addr & 0xFFFFFF) != 0:
31
                    return True, "KASLR active"
32

33
        except Exception as e:
34
            return False, f"Error: {e}"
35

36
        return False, "KASLR status unknown"
37

38
    def test_nx(self):
39
        """Test NX bit enforcement"""
40
        try:
41
            # Check CPU support
42
            with open('/proc/cpuinfo', 'r') as f:
43
                if 'nx' not in f.read():
44
                    return False, "CPU doesn't support NX"
45

46
            # Test actual enforcement
47
            shellcode = b"\x31\xc0\xc3"  # xor eax,eax; ret
48

49
            # Create executable mapping
50
            buf = mmap.mmap(-1, len(shellcode),
51
                           prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
52
            buf.write(shellcode)
53

54
            # This should work
55
            cfunc = ctypes.CFUNCTYPE(ctypes.c_int)(ctypes.addressof(ctypes.c_char.from_buffer(buf)))
56

57
            # Create non-executable mapping
58
            buf2 = mmap.mmap(-1, len(shellcode),
59
                            prot=mmap.PROT_READ | mmap.PROT_WRITE)
60
            buf2.write(shellcode)
61

62
            # This should fail
63
            try:
64
                cfunc2 = ctypes.CFUNCTYPE(ctypes.c_int)(ctypes.addressof(ctypes.c_char.from_buffer(buf2)))
65
                cfunc2()
66
                return False, "NX not enforced"
67
            except:
68
                return True, "NX properly enforced"
69

70
        except Exception as e:
71
            return False, f"Error testing NX: {e}"
72

73
    def test_smep(self):
74
        """Test SMEP (Supervisor Mode Execution Prevention)"""
75
        try:
76
            with open('/proc/cpuinfo', 'r') as f:
77
                if 'smep' in f.read():
78
                    return True, "SMEP supported and likely enabled"
79
                else:
80
                    return False, "SMEP not supported by CPU"
81
        except:
82
            return False, "Could not determine SMEP status"
83

84
    def test_smap(self):
85
        """Test SMAP (Supervisor Mode Access Prevention)"""
86
        try:
87
            with open('/proc/cpuinfo', 'r') as f:
88
                if 'smap' in f.read():
89
                    return True, "SMAP supported and likely enabled"
90
                else:
91
                    return False, "SMAP not supported by CPU"
92
        except:
93
            return False, "Could not determine SMAP status"
94

95
    def test_kpti(self):
96
        """Test KPTI (Kernel Page Table Isolation)"""
97
        try:
98
            with open('/sys/devices/system/cpu/vulnerabilities/meltdown', 'r') as f:
99
                status = f.read().strip()
100
                if 'Mitigation: PTI' in status:
101
                    return True, "KPTI enabled"
102
                elif 'Vulnerable' in status:
103
                    return False, "KPTI disabled - system vulnerable"
104
                else:
105
                    return True, f"Status: {status}"
106
        except:
107
            return False, "Could not determine KPTI status"
108

109
    def run_all_tests(self):
110
        """Run all mitigation tests"""
111
        tests = [
112
            ('KASLR', self.test_kaslr),
113
            ('NX/DEP', self.test_nx),
114
            ('SMEP', self.test_smep),
115
            ('SMAP', self.test_smap),
116
            ('KPTI', self.test_kpti),
117
        ]
118

119
        print("Kernel Security Mitigation Tests")
120
        print("=" * 40)
121

122
        for name, test_func in tests:
123
            passed, message = test_func()
124
            status = "PASS" if passed else "FAIL"
125
            print(f"{name:.<30} [{status}] {message}")
126
            self.results[name] = passed
127

128
        print("=" * 40)
129
        passed = sum(self.results.values())
130
        total = len(self.results)
131
        print(f"Summary: {passed}/{total} tests passed")
132

133
if __name__ == '__main__':
134
    tester = KernelMitigationTester()
135
    tester.run_all_tests()

Best Practices#

1. Defense in Depth#

1
# Layer multiple protections
2
# Boot parameters
3
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 slab_nomerge pti=on randomize_kstack_offset=on"
4

5
# Runtime hardening
6
echo "kernel.unprivileged_bpf_disabled=1" >> /etc/sysctl.conf
7
echo "kernel.kexec_load_disabled=1" >> /etc/sysctl.conf

2. Regular Updates#

1
#!/bin/bash
2
# Check for security updates
3
check_kernel_updates() {
4
    current=$(uname -r)
5
    echo "Current kernel: $current"
6

7
    # Check for CVEs
8
    echo "Checking for known vulnerabilities..."
9
    for cve in /sys/devices/system/cpu/vulnerabilities/*; do
10
        vuln=$(basename $cve)
11
        status=$(cat $cve)
12
        echo "$vuln: $status"
13
    done
14

15
    # Check for available updates
16
    if command -v apt-get >/dev/null; then
17
        apt-get update
18
        apt-cache policy linux-image-generic
19
    elif command -v yum >/dev/null; then
20
        yum check-update kernel
21
    fi
22
}

3. Monitoring and Alerting#

1
// Kernel security event monitor
2
static int security_event_notify(struct notifier_block *nb,
3
                               unsigned long action, void *data)
4
{
5
    switch (action) {
6
    case SECURITY_KERNEL_MODULE_LOAD:
7
        pr_warn("Kernel module loaded\n");
8
        break;
9
    case SECURITY_KERNEL_READ:
10
        pr_warn("Kernel memory read attempt\n");
11
        break;
12
    case SECURITY_LOCKDOWN_VIOLATION:
13
        pr_warn("Lockdown violation\n");
14
        break;
15
    }
16

17
    return NOTIFY_OK;
18
}

Conclusion#

Linux kernel hardening is an ongoing process that requires balancing security with performance and compatibility. Modern kernels provide extensive hardening options, from architectural features like KASLR and KPTI to advanced mitigations for CPU vulnerabilities.

Key takeaways:

Enable all relevant hardening options for your threat model
Keep kernels updated to get the latest security fixes
Monitor performance impact and tune accordingly
Test mitigations regularly to ensure they’re working
Use defense in depth - no single mitigation is perfect
Consider hardware features when selecting platforms

As attack techniques evolve, so do kernel defenses. Stay informed about new vulnerabilities and mitigations, and regularly review and update your hardening configuration.

Resources#

Next: Linux Kernel Exploitation and Defense - Understanding Attack Techniques and Building Robust Defenses