KERNHEAP is an ever-evolving project to implement pragmatic, effective protections for the Linux kernel dynamic memory allocators. Its objective is to deter any potential abuse of the SLAB layer, preventing reliable exploitation of known and unknown kernel security flaws which rely on dynamically allocated buffers and other programmatic memory-impacting interfaces (e.g. vmalloc). It also offers protection for the IPC subsystem and linked lists.
Documentation
A detailed paper has been published in Phrack Magazine, issue 66. It encompasses most of the intrinsic details of the KERNHEAP implementation for the Linux 2.6 kernel, as well as additional related topics. KERNHEAP itself operates without requiring intervention of the user, and it is configurable only at compile time. The kernel configuration is well documented, but for any further explanations, please refer to the paper.
License
KERNHEAP is distributed under the terms of the GNU General Public License (GPL).
Features
The following list describes most of the features implemented in KERNHEAP:
- Supported features for SLUB, SLAB and SLOB:
  - Double free protection (through different methods).
  - Freelist corruption protection (during cache and slab destruction).
  - Use-after-free protection: accesses to the "pit" area (an unmapped region located in top memory) due to uninitialized data or pointer corruption are detected and reported, terminating the offending task.
  - Cache and slab meta-data protection.
- IPC internals hardening to prevent local abuse (verification of shmid_kernel function pointer integrity, use of an isolated cache, etc.).
- vmalloc cache isolation for vmap areas, and list walking protection.
- SAFELIST: hardening of the doubly linked list interfaces:
  - Safe (un)linking.
  - Verification of pointer correctness in other list operations.
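As an added illustration of what the SAFELIST items above mean in practice (safe (un)linking, pointer verification in other list operations, and a bounded, checked list walk), here is a user-space model of the checks written for this page. It is not KERNHEAP's patch and does not reproduce its implementation: the Linux-style list_head structure is real, but safe_list_add, safe_list_del, list_len_checked, the NULL-poisoning convention for free nodes and the -1 return codes are assumptions made for the example. A kernel implementation would report the corruption and terminate the offending task rather than return an error.

```c
/* Added illustrative example (not KERNHEAP's code): a user-space model of
 * "safe (un)linking" checks for a Linux-style doubly linked list.
 * safe_list_add/safe_list_del/list_len_checked, the NULL poisoning of free
 * nodes and the -1 return codes are assumptions; a kernel implementation
 * would report the corruption and kill the offending task instead. */
#include <stddef.h>
#include <stdbool.h>

struct list_head {
    struct list_head *next, *prev;
};

/* A list head points at itself; a free node is poisoned with NULLs so that
 * linking it twice, or using it after it was unlinked, is detectable. */
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static void node_init(struct list_head *n)     { n->next = n->prev = NULL; }

/* Invariant checked before any write: both neighbours of 'e' must still
 * point back at 'e'. A corrupted next or prev pointer breaks this. */
static bool entry_consistent(const struct list_head *e)
{
    return e->next != NULL && e->prev != NULL &&
           e->next->prev == e && e->prev->next == e;
}

/* Safe unlink: 0 on success, -1 if corruption was detected (nothing written). */
int safe_list_del(struct list_head *e)
{
    if (!entry_consistent(e))
        return -1;
    e->prev->next = e->next;
    e->next->prev = e->prev;
    node_init(e);                 /* poison so a later reuse stands out */
    return 0;
}

/* Safe insert of 'n' right after 'head': 0 on success, -1 on a broken
 * head/next pair, a self-loop, or a node that is already linked somewhere. */
int safe_list_add(struct list_head *n, struct list_head *head)
{
    struct list_head *next = head->next;
    if (!entry_consistent(head))
        return -1;
    if (n == head || n == next || n->next != NULL || n->prev != NULL)
        return -1;
    next->prev = n;
    n->next = next;
    n->prev = head;
    head->next = n;
    return 0;
}

/* Checked walk: count entries, verifying the back pointer at every step and
 * bounding the walk so a cycle cannot spin forever. Returns the count, or -1
 * on an inconsistent link or when the bound is exceeded. */
int list_len_checked(const struct list_head *head, int max)
{
    const struct list_head *p = head->next;
    int n = 0;
    while (p != head) {
        if (p == NULL || n >= max || p->prev == NULL || p->prev->next != p)
            return -1;
        p = p->next;
        n++;
    }
    return n;
}

/* Helper for the scenarios: head -> a -> b -> c, all checks passing. */
static int build3(struct list_head *head, struct list_head *a,
                  struct list_head *b, struct list_head *c)
{
    INIT_LIST_HEAD(head);
    node_init(a); node_init(b); node_init(c);
    return safe_list_add(a, head) || safe_list_add(b, a) || safe_list_add(c, b);
}

/* Scenario 1: normal use. Remove the middle node; two entries remain. */
int demo_normal_ops(void)
{
    struct list_head head, a, b, c;
    if (build3(&head, &a, &b, &c) || safe_list_del(&b))
        return -1;
    return list_len_checked(&head, 16);   /* 2 */
}

/* Scenario 2: constructed corruption. An out-of-bounds write has redirected
 * b.next to another mapped object (a) instead of c, which is exactly the
 * state an unchecked unlink would turn into a stray pointer write. The safe
 * unlink refuses (-1) and the checked walk reports the damage (-1). */
int demo_corrupted_unlink(void)
{
    struct list_head head, a, b, c;
    int del, len;
    if (build3(&head, &a, &b, &c))
        return -1;
    b.next = &a;                          /* constructed corruption */
    del = safe_list_del(&b);
    len = list_len_checked(&head, 16);
    return (del == -1 && len == -1) ? 1 : 0;
}

/* Scenario 3: linking the same node twice, the list analogue of a double
 * free. The second add is refused because a is already on the list. */
int demo_double_add(void)
{
    struct list_head head, a;
    INIT_LIST_HEAD(&head);
    node_init(&a);
    if (safe_list_add(&a, &head))
        return -1;
    return safe_list_add(&a, &head);      /* -1 */
}
```

The design point is that every check runs before the first write: an unlink that verifies prev->next == e and next->prev == e never dereferences through a corrupted link to store a value, and a walk that re-validates the back pointer at each step (with an upper bound) cannot be led around a cycle or off the list. The poisoning of unlinked nodes is what makes the double-add case detectable; without a recognisable "free" state, a second insert of a live node would look like any other insert.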
Download
The patch and other files are available at https://www.subreption.com/kernheap/patches.
