The new version of OpenBSD will add the KARL function: restart and change the kernel

A new feature has been added to the OpenBSD test snapshots that creates a unique kernel every time an OpenBSD user reboots or upgrades a computer. This feature is called KARL (Kernel Address Randomized Link); it relinks the kernel's internal files in a random order to generate a unique kernel binary each time. In the current stable version, the OpenBSD kernel uses a predefined order to link and load internal files in the kernel binary, which results in the same kernel for all users.


KARL is different from ASLR

KARL was developed by Theo de Raadt. It generates a new kernel binary on install, upgrade and reboot. When the user boots, upgrades, or reboots the machine, the newly generated kernel replaces the existing kernel binary, and the operating system then generates another new kernel to be used for the next boot, upgrade, or reboot, and so on.

Don't confuse KARL with ASLR (Address Space Layout Randomization). ASLR is a technique that randomizes the memory addresses where application code executes, so that the specific area where the application or kernel is running cannot be known in advance and targeted.

"It's still loaded in the same location in the KVA (Kernel Virtual Address Space), it's not the kernel's ASLR!" de Raadt said.

Instead, KARL generates kernel binaries with random internal structures so that exploits cannot leak or attack kernel internal functions, pointers, or objects. See below for a technical explanation.

A unique kernel is linked such that the boot assembly code remains in place, followed by random sized gaps, and then other .o files that are randomly reorganized. The consequence of this is that the distance between functions and variables is entirely new. Information disclosure of a pointer will not expose other pointers or objects. This may reduce the components of variable architectures, since the polymorphism of instruction streams is broken by nested offset changes.

"So each new kernel is unique," de Raadt said.

This feature was developed in the last two months

Development on this feature started in May, with the first discussions appearing on the OpenBSD technical mailing list in mid-June, and KARL has recently appeared in the OpenBSD 6.1 snapshot release.

"The situation today is that many people install a kernel binary from OpenBSD, and then this same kernel binary will run for six months or more. Of course, if you repeatedly boot this same kernel binary, its memory layout is also the same. This is what we have now. The committed code solves the problem," said de Raadt. "However, the -current snapshot contains some future changes that I am developing with Robert Peichaer. That change will allow you to boot into a newly linked kernel every time you reboot."

KARL is an exclusive feature

This is an OpenBSD-only feature, Tiberiu C. Turbureanu, founder of Technoethical, a startup that sells privacy-focused hardware, told Bleeping Computer.

"It's not implemented in Linux," Turbureanu said. "Looks like a great idea," and it's possible the feature will be ported to the Linux kernel.

However, Linux has just added support for KASLR (Kernel Address Space Layout Randomization). This feature ports ASLR to the kernel itself, loading the kernel at a random memory address.

This feature was enabled by default in Linux 4.12, released last week. The difference between the two is that KARL loads different kernels to the same location, while KASLR loads the same binary to a random location. The goal is the same, but the approach is different.
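To make that difference concrete, here is a small layout model, added as an illustration and not taken from OpenBSD or Linux. The object names, sizes, base address and slot size are all constructed; it measures how often the distance between two objects learned from one kernel image still holds on another boot.

```python
import random

# Constructed object sizes in bytes; names are placeholders, not real kernel objects.
OBJECTS = {"boot.o": 0x4000, "vfs.o": 0x3000, "exec.o": 0x2800,
           "socket.o": 0x3400, "ether.o": 0x1C00}
BOOT_OBJ = "boot.o"                  # boot assembly code, always linked first
FIXED_BASE = 0xFFFFFFFF81000000      # constructed kernel load address
SLOT = 0x200000                      # constructed KASLR slot size

def layout(order, base, gap=0):
    """Place objects back to back from 'base'; 'gap' bytes follow the first one."""
    addrs, cur = {}, base
    for i, name in enumerate(order):
        addrs[name] = cur
        cur += OBJECTS[name] + (gap if i == 0 else 0)
    return addrs

def kaslr_image(rng):
    """Same binary (fixed link order) loaded at a random base."""
    return layout(list(OBJECTS), FIXED_BASE + rng.randrange(512) * SLOT)

def karl_image(rng):
    """Fixed base, boot object first, random-sized gap, remaining objects shuffled."""
    rest = [n for n in OBJECTS if n != BOOT_OBJ]
    rng.shuffle(rest)
    return layout([BOOT_OBJ] + rest, FIXED_BASE, gap=rng.randrange(0, 0x1000, 16))

def leak_hit_rate(make_image, leaked, target, boots=500, seed=7):
    """Fraction of boots where the offset learned from one reference image still
    maps a known address of 'leaked' to the true address of 'target'."""
    rng = random.Random(seed)
    ref = make_image(rng)
    offset = ref[target] - ref[leaked]
    hits = 0
    for _ in range(boots):
        img = make_image(rng)
        hits += img[leaked] + offset == img[target]
    return hits / boots

if __name__ == "__main__":
    for name, fn in (("KASLR", kaslr_image), ("KARL", karl_image)):
        print(name, leak_hit_rate(fn, "exec.o", "socket.o"))
```

With only five objects the KARL figure is still well above zero; a kernel linked from far more object files leaves far fewer layouts in which any given distance repeats.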

There is no support for KARL in Windows, but Microsoft has used KASLR for many years. Fabian Wosar, CTO of antivirus maker Emsisoft, is hard at work adding KARL to the Windows kernel.

"This idea of OpenBSD needs to be carried forward (in the current Windows kernel guard) so that everyone can have a unique kernel binary," Wosar said in a private conversation with Bleeping Computer.

"Even if you knew the (random) kernel starting point, you couldn't use it to find a specific function to locate, and the location of the function relative to the kernel starting point varies from system to system," Wosar added.

Other operating system platforms, such as Windows and Linux, would greatly improve the security of their users if they had KARL.


Origin blog.csdn.net/weixin_56035688/article/details/132618801