
Linux Security Techniques

Synthetic Memory Protections: An update on ROP mitigations

Linux Kernel Defence Map

Mainline hardening options that originated in grsecurity/PaX

  • HARDENED_USERCOPY: checks the kernel-side buffer of copy_to_user() and copy_from_user() against the bounds of the slab object or stack frame it lives in, and rejects copies that would read or write past a heap object or stack buffer.
  • SLAB_FREELIST_HARDENED: XORs each freelist pointer with a per-cache random value and the byte-swapped address of the slot that stores it, and adds a naive double-free check, so an attacker who overwrites a freelist pointer cannot aim the next allocation at an address of their choosing.
  • SLAB_FREELIST_RANDOM: shuffles the order in which the objects of a new slab page are handed out, so consecutive allocations are not guaranteed to be adjacent and heap layout is harder to predict.
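The following user-space simulation, added here as an illustration rather than code from the kernel or from grsecurity, mimics a SLUB-style inline freelist and the two checks SLAB_FREELIST_HARDENED adds to it: pointer obfuscation (next ^ random ^ swab(slot address)) and the naive double-free check. The toy_cache type, the slot sizes and the fixed "random" secret are assumptions chosen so the example runs stand-alone; it shows that a freelist pointer overwritten by a linear overflow, and a double free, both redirect the allocator when the option is off and stop working when it is on.

```c
/* Toy SLUB-style freelist showing what CONFIG_SLAB_FREELIST_HARDENED does.
 * User-space simulation for illustration; not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OBJ_SIZE 64
#define NOBJS    8

struct toy_cache {
    uint8_t   arena[NOBJS * OBJ_SIZE]; /* one slab page's worth of objects */
    void     *freelist;                /* head of the free list */
    uintptr_t random;                  /* per-cache secret (kmem_cache.random); assumed fixed here */
    int       hardened;                /* 1 = emulate SLAB_FREELIST_HARDENED */
};

/* Byte-swap a pointer-sized word, like the kernel's swab() on an unsigned long. */
static uintptr_t swab_ptr(uintptr_t x)
{
    uintptr_t r = 0;
    for (size_t i = 0; i < sizeof x; i++)
        r = (r << 8) | ((x >> (8 * i)) & 0xff);
    return r;
}

/* Encode/decode (XOR is its own inverse): stored = next ^ random ^ swab(&slot).
 * Mixing in the slot address makes the same "next" encode differently in every
 * slot, so one leaked value cannot be reused elsewhere. */
static uintptr_t freelist_ptr(const struct toy_cache *c, uintptr_t next, uintptr_t slot)
{
    return c->hardened ? (next ^ c->random ^ swab_ptr(slot)) : next;
}

static void *get_freepointer(const struct toy_cache *c, void *obj)
{
    uintptr_t stored;
    memcpy(&stored, obj, sizeof stored);   /* the freelist word lives at offset 0 */
    return (void *)freelist_ptr(c, stored, (uintptr_t)obj);
}

/* Returns -1 when the naive double-free check (obj == next) trips. */
static int set_freepointer(struct toy_cache *c, void *obj, void *next)
{
    if (c->hardened && obj == next)
        return -1;
    uintptr_t enc = freelist_ptr(c, (uintptr_t)next, (uintptr_t)obj);
    memcpy(obj, &enc, sizeof enc);
    return 0;
}

static void cache_init(struct toy_cache *c, int hardened, uintptr_t random)
{
    memset(c, 0, sizeof *c);
    c->hardened = hardened;
    c->random   = random;
    for (int i = NOBJS - 1; i >= 0; i--) {   /* slot 0 ends up at the head */
        void *obj = c->arena + i * OBJ_SIZE;
        set_freepointer(c, obj, c->freelist);
        c->freelist = obj;
    }
}

static void *cache_alloc(struct toy_cache *c)
{
    void *obj = c->freelist;
    if (obj)
        c->freelist = get_freepointer(c, obj);
    return obj;
}

static int cache_free(struct toy_cache *c, void *obj)
{
    if (set_freepointer(c, obj, c->freelist) < 0)
        return -1;                            /* double free caught */
    c->freelist = obj;
    return 0;
}

/* Attack 1: a linear overflow from object A clobbers the freelist word of the
 * freed neighbour B with a raw target address. Returns 1 if the allocator
 * would hand out the attacker's target on the next allocation. */
static int overflow_redirects_freelist(int hardened)
{
    static uint8_t target[OBJ_SIZE];        /* some address outside the slab */
    struct toy_cache c;
    cache_init(&c, hardened, (uintptr_t)0x5a17c0de9b3e1f42ULL);
    uint8_t *a = cache_alloc(&c);           /* slot 0 */
    uint8_t *b = cache_alloc(&c);           /* slot 1, adjacent to a */
    cache_free(&c, b);                      /* b is now the freelist head */
    uintptr_t raw = (uintptr_t)target;
    memcpy(a + OBJ_SIZE, &raw, sizeof raw); /* overflow: overwrites b's freelist word */
    cache_alloc(&c);                        /* returns b and decodes the clobbered word */
    return c.freelist == (void *)target;    /* hardened: decodes to garbage instead */
}

/* Attack 2: double free. Unhardened, the list becomes circular and two
 * consecutive allocations return the same object. */
static int double_free_aliases_object(int hardened)
{
    struct toy_cache c;
    cache_init(&c, hardened, (uintptr_t)0x5a17c0de9b3e1f42ULL);
    void *b = cache_alloc(&c);
    cache_free(&c, b);
    if (cache_free(&c, b) < 0)
        return 0;                           /* caught: no aliasing */
    return cache_alloc(&c) == b && cache_alloc(&c) == b;
}

int main(void)
{
    printf("overflow hijack:   unhardened=%d hardened=%d\n",
           overflow_redirects_freelist(0), overflow_redirects_freelist(1));
    printf("double-free alias: unhardened=%d hardened=%d\n",
           double_free_aliases_object(0), double_free_aliases_object(1));
    return 0;
}
```

In the hardened case the corrupted word decodes to target ^ random ^ swab(&b), an address the attacker cannot predict without leaking the per-cache secret; in the real kernel that next allocation typically faults rather than landing on the target. The double-free check is only the naive one SLUB performs (is the object already at the head of the list?); a free of the same object after another free has happened in between is not caught by it.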

AUTOSLAB

How AUTOSLAB Changes the Memory Unsafety Game

AUTOSLAB is an isolation-based approach in which each generic allocation site (a kmalloc()-family call) is given its own dedicated slab cache instead of drawing from the shared size-class kmalloc-N caches.

Key properties:

  1. Only objects from the same allocation site, and therefore of the same type, can become adjacent in memory.
  2. Because unrelated objects live in different caches, a freed vulnerable object cannot be reclaimed by an attacker's spray object of another type, which is what most use-after-free exploits rely on.

Limitations:

  1. Allocation wrappers (helpers that call kmalloc on behalf of many callers) must be annotated or inlined by hand, otherwise every caller of the wrapper ends up sharing the wrapper's single cache.
  2. Cross-cache attacks, in which a whole slab page is released back to the page allocator and then reused by a different cache, can still bypass the isolation.

Performance: a kernel with AUTOSLAB enabled was reported to run about 0.08% slower than the same kernel without it.

Same-Type Object Reuse

Canary in the Kernel Mine: Exploiting and Defending Against Same-Type Object Reuse

Proof of concept

A representative target is a dangling struct file: a file object that has been freed while a reference to it is still held.

Linux allocates struct file from its own dedicated slab cache (filp), so a freed file object can only be reclaimed by another struct file. That is exactly the same-type reuse the paper addresses: type isolation does not help here, because the attacker can populate the reclaiming object through the ordinary open() path.
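The simulation below is added here to make the AUTOSLAB properties and the same-type reuse case concrete; it is not grsecurity's code nor the paper's. It models a minimal LIFO slab cache in user space and three versions of the same use-after-free on a file-like object: in a shared size-class cache, an attacker spray object reclaims the freed file and its bytes are read as f_mode; with per-type caches the spray cannot reach it; with per-type caches a second, writable file of the same type still reclaims it, so the stale pointer now names a file with FMODE_WRITE set. The struct names, field layout, the 64-byte slot size and the mode bit values are assumptions made for the example, loosely modelled on struct file's f_mode.

```c
/* Toy model of allocation-site isolation versus a shared size-class cache,
 * and of the same-type reuse that isolation leaves open. User-space
 * illustration only; the types and sizes are assumed for the example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 64
#define NSLOTS    16

/* Minimal LIFO slab cache: the most recently freed slot is handed out next,
 * as SLUB does with its per-CPU freelist. Bookkeeping is kept out of line so a
 * freed object's old contents stay intact until the slot is reallocated. */
struct cache {
    uint8_t slots[NSLOTS][SLOT_SIZE];
    int     free_stack[NSLOTS];
    int     nfree;
};

static void cache_init(struct cache *c)
{
    c->nfree = 0;
    for (int i = NSLOTS - 1; i >= 0; i--)
        c->free_stack[c->nfree++] = i;          /* slot 0 is handed out first */
}

static void *cache_alloc(struct cache *c)
{
    if (c->nfree == 0)
        return NULL;
    void *p = c->slots[c->free_stack[--c->nfree]];
    memset(p, 0, SLOT_SIZE);                    /* fresh object, like kzalloc() */
    return p;
}

static void cache_free(struct cache *c, void *p)
{
    int idx = (int)(((uint8_t *)p - &c->slots[0][0]) / SLOT_SIZE);
    c->free_stack[c->nfree++] = idx;
}

/* Two unrelated types that fall into the same 64-byte size class. */
#define FMODE_READ  0x1u
#define FMODE_WRITE 0x2u

struct kfile {                 /* assumed stand-in for struct file */
    uint32_t f_mode;           /* access bits fixed at open() time */
    uint32_t flags;
    void    *private_data;
};

struct spray {                 /* any attacker-filled object, e.g. a message buffer */
    uint8_t data[SLOT_SIZE];
};

/* The bug under study: a file opened read-only is freed while a pointer to it
 * survives somewhere in the kernel. */
static struct kfile *open_then_free(struct cache *file_cache)
{
    struct kfile *f = cache_alloc(file_cache);
    f->f_mode = FMODE_READ;
    cache_free(file_cache, f);
    return f;                                   /* dangling */
}

/* 1. Shared cache (plain kmalloc-64): the spray object lands exactly on the
 *    freed kfile, so the stale pointer reads attacker-chosen bytes as f_mode. */
static int stale_sees_write_shared_cache(void)
{
    static struct cache kmalloc64;
    cache_init(&kmalloc64);
    struct kfile *stale = open_then_free(&kmalloc64);
    struct spray *s = cache_alloc(&kmalloc64);
    memset(s->data, 0xff, sizeof s->data);      /* attacker fills the payload */
    return (void *)s == (void *)stale && (stale->f_mode & FMODE_WRITE) != 0;
}

/* 2. Per-type caches (AUTOSLAB-style): the spray is served from its own cache
 *    and cannot reclaim the freed kfile; the stale pointer still sees FMODE_READ. */
static int stale_sees_write_isolated_caches(void)
{
    static struct cache file_cache, spray_cache;
    cache_init(&file_cache);
    cache_init(&spray_cache);
    struct kfile *stale = open_then_free(&file_cache);
    struct spray *s = cache_alloc(&spray_cache);
    memset(s->data, 0xff, sizeof s->data);
    return (void *)s == (void *)stale || (stale->f_mode & FMODE_WRITE) != 0;
}

/* 3. What isolation does not stop: the attacker opens a writable file, an
 *    entirely legitimate operation, and that kfile reclaims the freed slot.
 *    Code still holding the stale pointer now operates on a FMODE_WRITE file. */
static int stale_sees_write_same_type_reuse(void)
{
    static struct cache file_cache;
    cache_init(&file_cache);
    struct kfile *stale = open_then_free(&file_cache);
    struct kfile *fresh = cache_alloc(&file_cache);
    fresh->f_mode = FMODE_READ | FMODE_WRITE;   /* e.g. open(..., O_RDWR) */
    return fresh == stale && (stale->f_mode & FMODE_WRITE) != 0;
}

int main(void)
{
    printf("shared cache, spray forges f_mode:      %d\n", stale_sees_write_shared_cache());
    printf("isolated caches, spray forges f_mode:   %d\n", stale_sees_write_isolated_caches());
    printf("isolated caches, same-type reuse:       %d\n", stale_sees_write_same_type_reuse());
    return 0;
}
```

The third case is the point of the paper: once every cache holds a single type, the attacker no longer needs to forge an object, only to create a legitimate one whose fields (here the access mode) differ from what the holder of the stale pointer expects. Cross-cache reuse, where the whole slab page returns to the page allocator and is claimed by a different cache, is not modelled here; the toy caches never release pages.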