====== POINTER LEAKS ====== [DONE] -- Change the permissions of /dev/ksyms, as discussed in: http://mail-index.netbsd.org/tech-kern/2018/01/17/msg022960.html -- The address of a non-public section is leaked because of Meltdown, "jmp handler". This can easily be fixed by pushing the handlers into their own section. -- Replace the "%p" fmt by something relative to the kernel section (if any). Eg, from printf("%p", &some_global_var); --> "0xffffffffe38010f0" to printf("%p", &some_global_var); --> ".data.4:0x8010f0" This eases debugging and also prevents leaks if a driver prints kernel addresses as debug (I've seen that already). [DONE] -- PPPoE sends a kernel address as host unique. (What is this shit.) -- Several entry points leak kernel addresses: [DONE] - "modstat -k" [DONE] - kern.proc [DONE] - kern.proc2 [DONE] - kern.file [DONE] - kern.file2 [DONE] - kern.lwp [DONE] - sysctl_inpcblist [DONE] - sysctl_unpcblist [DONE] - sysctl_doevcnt [DONE] - sysctl_dobuf -- Be careful with dmesg. ====== RANDOMIZATION ====== [DONE] -- Randomize the PTE space. [DONE] -- Randomize the kernel main memory (VM_MIN_KERNEL_ADDRESS). [DONE] -- Randomize the direct map. [POINTLESS, BECAUSE CPU LEAKY] -- Randomize the PCPU area. ====== GENERAL ====== -- Sort the kernel sections by size, from largest to smallest, to save memory. [DONE] -- Add the "pkboot" command in the EFI bootloader. |