Defeating KASLR by Doing Nothing at All
19 days ago
- #Linux Security
- #KASLR
- #Kernel Exploitation
- Seth Jenkins researched Pixel kernel exploitation and found that an arbitrary kernel write primitive could be used without first obtaining a KASLR leak.
- The Linux linear mapping is a direct 1:1 representation of physical memory in the kernel virtual address space.
- PHYS_OFFSET and PAGE_OFFSET are static values, so the phys_to_virt calculation (on arm64 essentially PAGE_OFFSET + (phys - PHYS_OFFSET)) yields predictable kernel virtual addresses.
- Pixel phones decompress the kernel at the same physical address (0x80010000) every boot, making kernel virtual addresses static.
- The linear mapping is not randomized on arm64, even though the kernel image's virtual base is, which simplifies kernel exploitation.
- Even on devices with kernel physical address randomization, linear mapping non-randomization weakens security.
- Seth Jenkins demonstrated the reliability of placing data at known kernel virtual addresses using physical memory spraying.
- Both lack of linear map randomization and static kernel physical addresses are considered intended behavior by Linux and Google.
- KASLR remains important for mitigating remote kernel exploitation, despite its limitations in local contexts.
- Future improvements could include randomizing the linear map, increasing physical page allocation entropy, and randomizing kernel physical addresses.