Daniel López Azaña

Language

English Español

Theme

Contact

daniloaz@gmail.com

Social Media

Blog

GNU/Linux, Open Source, Cloud Computing, DevOps and more...

Differences between ASLR, KASLR and KARL

GNU/Linux , Security
ASLR concept

Following the release of the Linux Kernel 4.12, which for the first time brings the KASLR feature enabled by default, and almost simultaneously the announcement of a feature called KARL in OpenBSD, I found it interesting to clarify the differences between these security techniques , since I think that the combination of both will be very important in the future of system security as they will prevent exploiting vulnerabilities related to memory corruption (buffer-overflow).

But before entering to detail the KASLR and KARL features let’s take a look to ASLR.

ASLR

The term ASLR refers to Address Space Layout Randomization. It is a technique aimed at preventing an attacker who previously knows that a program function is vulnerable and can be exploited, to get access to it by preventing him from knowing the memory address where that function is allocated within the running process. This is possible because ASLR basically consists of randomly distributing the fundamental parts of a process (executable base, stack pointers, libraries, etc.) into the memory address space that has been assigned to it by the operating system.

Thus, an attacker will never know for sure how to access a function and will not be able to exploit it. If he tries to do it by brute force, chances are that he will crash the process and not be able to continue with his attack.

The ASLR technique has been around for a long time. It was introduced in Linux as a patch in 2001 and is part of the kernel since 2005. It was later introduced in Windows Vista and Mac OS X 10.5 (Leopard) in 2007 and finally in iOS and Android in 2011.

KASLR

What KASLR does is simply add the kernel ‘k’ to the ASLR technique seen before, ie, randomize the kernel code location in memory when the system boots. KASLR was introduced in the Linux kernel some time ago with version 3.14 (2014), but it is now in 2017 with the recent release of version 4.12 when it has been enabled by default.

Unfortunately, its effectiveness has been questioned and is still under discussion today. This is because in order to overcome the protection offered by the ASLR technique and get an attack to materialize it is required to succeed in any of the following operations:

  1. Try by brute force to find the random addresses that the attacker pursues, which will require re-running the application process every time it crashes, which will alert the system administrator.
  2. Gain certain key pointers that provide information about the process allocation in memory.

The second scenario is quite feasible in the case of operating systems, because due to some hardware configuration limitations the kernel may have limited address space available, but especially because the kernel can not change its distribution in memory throughout its operating time , ie until the next time the system is restarted a new random distribution in memory will not be performed.

Thus, at the time an attacker gets a pointer to the kernel memory distribution table he will have managed to skip this defense barrier. And that is exactly what makes it a very weak technique and the main reason for controversy, since while ASLR is a very interesting technique for application security, many authors claim that it is not appropriate to apply it at the kernel level.

KARL

And that is when the implementation ofKARL (Kernel Address Randomized Link) that has recently been released in OpenBSD emerges as a promising solution to the above problems, although it should be noted that they are of a different nature, since KARL is not based on a random distribution in memory (ASLR) and still located in the same fixed addresses of KVA (Kernel Virtual Address Space).

This fixed position meant that before KARL the kernel was always the same and was in the same place for all users. The innovation introduced by KARL is that kernel binary files are generated by distributing the kernel’s internal files in a random order each time the system is restarted or updated , so each system will work every time it is booted with a unique kernel totally different from other systems at binary level. This considerably hinders an attacker’s task when exploiting internal kernel functions, pointers, and objects.

Therefore, the main difference between KASLR and KARL is that KARL loads a different kernel at a binary level each time and places it at the same place in memory, whereas KASLR always loads the same binaries but each time at a different and random location of memory. This is the same goal, but following different approaches.

So far it may seem that KARL does not represent a great improvement over the limitations that KASLR already had, since once the distribution in memory of this random kernel is known its vulnerabilities could be exploited in the same way until the next reboot. The real news is that for the first time both techniques can be combined so that even if an attacker obtains the random memory address where the kernel starts (a process made difficult by KASLR), it can not be used to know where certain functions are located since their place in memory will also be random and will differ from system to system.

Hopefully soon we can see a KARL implementation on Linux and Windows, which will undoubtedly help improve the security of these operating systems.

More details on the recent implementation of KARL in OpenBSD here:

https://marc.info/?l=openbsd-tech&m=149732026405941&w=2
Kernel

Share this article

X.com LinkedIn Facebook WhatsApp Email
Daniel López Azaña

About the author

Daniel López Azaña

Tech entrepreneur and cloud architect with over 20 years of experience transforming infrastructures and automating processes.

Specialist in AI/LLM integration, Rust and Python development, and AWS & GCP architecture. Restless mind, idea generator, and passionate about technological innovation and AI.

Related articles

hot-button-ssh-command-widget-icon

Linux remote control from your smartphone via SSH button widgets

In this post I will tell you about an Android app that is extremely useful to run commands remotely on a Linux computer: Hot Button SSH Command Widget. This application allows you to launch conveniently any command you want on a remote computer through SSH only with the push of a button on the screen of your mobile phone or tablet. This not only will facilitate automation of repetitive tasks, but also is very interesting from the perspective of security for the same reasons I exposed in my Automatically lock/unlock your screen by Bluetooth device proximity post. It will allow you for example to lock and unlock the screen without having to type your password again and again in sight of other people.

July 15, 2017
Partitioning example with GParted

The importance of properly partitioning a disk in Linux

I am a strong supporter of simplicity and the principle that less is more, but as far as security and performance of information systems is concerned, we must be able to strike a balance between keeping things simple and exposing ourselves as little as possible to potential threats while trying to obtain the maximum performance of all system elements involved.It is a common practice that the various distributions of Linux, and even the images used to launch Linux virtual server instances as in the case of AWS AMI’s, implement by default an extremely simple partitioning scheme consisting in a single partition that covers the entire disk. It is in this only partition where the root filesystem (/) is mounted and in which all the directories that configure the file hierarchy of a Linux operating system are placed.

March 15, 2016
Still unresolved Shellshock major vulnerability affecting Bash on Linux, Unix and MAC OS X

Still unresolved Shellshock major vulnerability affecting Bash on Linux, Unix and MAC OS X

Less than two days after it was detected a vulnerability (CVE-2014-6271) that affects the Bash shell on Linux, Unix and Mac OS X, a patch was released that solves this issue only partially, which forced to report a new vulnerability (CVE-2014-7169) still pending. This issue has quickly gained a simple name by which it will be remembered for a long time: Shellshock or Shell Shock.The bug was detected by Stephane Chazelas, a Unix and Linux system administrator from Akamai when he found out that Bash erroneously interpreted as a command wich only was data within a variable when entering a specially crafted string in the command line. As a result, everything coming after that string was executed as a command or function by Bash. This allows any attacker to execute commands on your server arbitrarily. It’s true that this can not be done as root, but there are many harmful actions that can be done without root privileges.

September 26, 2014

Comments

Rott July 24, 2019
Excellent article, very clear and concise. Thanks!

Submit comment

Back to blog