Patches presented to randomize Linux kernel stack addresses on system calls

Kees Cook, former chief system administrator of kernel.org and leader of the Ubuntu Security Team, now working at Google on securing Android and ChromeOS, has published a set of patches that randomize offsets in the kernel stack when handling system calls. The patches improve kernel security by changing the placement of the stack, which makes attacks on the stack much more difficult and less successful. The initial implementation supports ARM64 and x86/x86_64 processors.

The original idea for the patch belongs to the PaX RANDKSTACK project. In 2019, Elena Reshetova, an engineer from Intel, tried to create an implementation of this idea suitable for inclusion in the Linux kernel. Later, the initiative was taken up by Kees Cook, who presented an implementation suitable for the mainline kernel. The patches are planned for inclusion in the 5.13 release. The mode will be disabled by default. To enable it, the kernel command-line parameter “randomize_kstack_offset=on/off” and the CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT setting are proposed. The overhead of enabling the mode is estimated at approximately 1% performance loss.

The essence of the proposed protection is to choose a random stack offset on each system call, which makes it difficult to determine the stack layout in memory, even after obtaining address data, since the next system call will change the base address of the stack. Unlike the PaX RANDKSTACK implementation, in the patches proposed for inclusion in the kernel, randomization is performed not at the initial stage (cpu_current_top_of_stack), but after setting up the pt_regs structure, which makes it difficult to use ptrace-based methods to determine the randomized offset during a long-running system call.
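
Because the mode is off by default, a hardening audit has to confirm which of the two switches named above is actually in effect. The following is an added example, not code from the patch set: the function names are hypothetical, the config file paths are assumptions about the distribution, and it assumes the kernel already includes these patches.

```shell
# Added example (not from the patch set): report the effective state of
# per-syscall kernel stack offset randomization from the two switches the
# article names. Function names are hypothetical.

# kstack_state CMDLINE CONFIG_TEXT  -> prints "on" or "off"
kstack_state() {
    cmdline=$1
    config=$2
    state=off    # the article states the mode is disabled by default

    # Build-time default: CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y enables it.
    if printf '%s\n' "$config" |
        grep -q '^CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y$'; then
        state=on
    fi

    # Boot parameter overrides the build-time default. Assumption: when the
    # parameter is repeated, the last occurrence wins; other values are ignored.
    last=$(printf '%s\n' "$cmdline" | tr ' ' '\n' |
        grep -E '^randomize_kstack_offset=(on|off)$' | tail -n 1)
    case "$last" in
        randomize_kstack_offset=on)  state=on ;;
        randomize_kstack_offset=off) state=off ;;
    esac
    printf '%s\n' "$state"
}

# Same check against the running host. The config file locations are
# assumptions about the distribution and may both be absent.
live_kstack_state() {
    live_cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    live_config=
    if [ -r "/boot/config-$(uname -r)" ]; then
        live_config=$(cat "/boot/config-$(uname -r)")
    elif [ -r /proc/config.gz ]; then
        live_config=$(zcat /proc/config.gz 2>/dev/null || true)
    fi
    kstack_state "$live_cmdline" "$live_config"
}
```

Calling `live_kstack_state` on the host under review prints the effective setting; `kstack_state` can also be fed a boot entry and config file collected from a fleet inventory.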

Source: opennet.ru
