It has been almost two years since Intel first posted its FGKASLR patches to improve Linux kernel security. While this work on Finer Grained / Function Granular KASLR stalled for about a year, it has been revived in recent months, and in 2022 it looks like this protection is on the way to being merged.
FGKASLR is an advance on the kernel address space layout randomization widely used today by the Linux kernel to thwart attacks that rely on knowing where kernel code sits in memory. Rather than randomizing only the base address, which can be recovered with enough guesswork or a single address leak, FGKASLR randomizes the layout down to the level of individual functions.
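As an added illustration (not code from the article or from the FGKASLR patch series), the toy Python model below shows why one leaked symbol address is enough to locate every other symbol under base-only KASLR, but not when the per-function order is also shuffled. The function names and sizes are constructed, not real kernel symbols.

```python
import random

# Constructed toy kernel text layout: (function name, size in bytes).
# Hypothetical names, not real kernel symbols.
TOY_FUNCTIONS = [("func_a", 0x120), ("func_b", 0x80), ("func_c", 0x200),
                 ("func_d", 0x60), ("func_e", 0x140)]
ALIGN = 16
LINK_BASE = 0xFFFFFFFF81000000  # unrandomized link-time base (toy value)


def _align(x, a=ALIGN):
    return (x + a - 1) & ~(a - 1)


def layout(order, base):
    """Lay functions out contiguously in the given order; return name -> address."""
    addrs, cur = {}, base
    for name, size in order:
        addrs[name] = cur
        cur = _align(cur + size)
    return addrs


def _random_base(rng):
    # Toy 2 MiB-granular slide within a 1 GiB window.
    return 0xFFFFFFFF80000000 + rng.randrange(0, 1 << 30, 0x200000)


def kaslr_layout(rng):
    """Classic KASLR: fixed link order, only the base is randomized."""
    return layout(TOY_FUNCTIONS, _random_base(rng))


def fgkaslr_layout(rng):
    """FGKASLR: randomize the base AND shuffle the per-function order."""
    order = list(TOY_FUNCTIONS)
    rng.shuffle(order)
    return layout(order, _random_base(rng))


def predict_from_leak(link_addrs, leaked_name, leaked_addr, target):
    """Model of base-only KASLR: one leak yields the slide, hence every symbol."""
    slide = leaked_addr - link_addrs[leaked_name]
    return link_addrs[target] + slide


def prediction_success_rate(layout_fn, trials=1000, seed=0):
    """Fraction of boots where a func_a leak correctly predicts func_e."""
    rng = random.Random(seed)
    link_addrs = layout(TOY_FUNCTIONS, LINK_BASE)
    hits = 0
    for _ in range(trials):
        runtime = layout_fn(rng)
        guess = predict_from_leak(link_addrs, "func_a", runtime["func_a"], "func_e")
        hits += guess == runtime["func_e"]
    return hits / trials
```

With five functions the shuffled layout only matches the link-time offset in 6 of 120 orderings, so the prediction rate drops from 100% to about 5%; a real kernel with tens of thousands of functions makes the offset effectively unpredictable.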
As a result, FGKASLR is much more robust at protecting systems against attacks that depend on known memory locations. Tests show only a minor boot-time cost from reordering and randomizing the functions. The FGKASLR v9 patches were sent out last week. The updated patches enable function sections for assembly code by default (this can now be disabled if desired), deduplicate more code, always randomize the kallsyms output for unprivileged users even when FGKASLR is disabled, and bring other code improvements.
FGKASLR is a welcome addition for Linux security, but it comes with known implications for performance and kernel size.
If all goes well, we will see this Intel-led open source security feature land in the Linux kernel in the near future. Linux 5.16 already contains some initial preparations for FGKASLR.