Secure kernel configuration

Introduction

The goal of this laboratory is to configure and harden your Linux kernel.

For this lab, you will continue working on your current buildroot2 file tree.

Question 1: Check for ASLR

We would like to determine, empirically, if our target system features ASLR for:

  1. The executable
  2. The stack
  3. The heap
  4. Shared libraries

In order to answer this question, create a small C program that displays a set of memory addresses that you deem pertinent to assess whether ASLR is enabled for the four memory regions above.

  • Compile your program using the cross-compilation toolchain for your target
  • Without using any special compiler option, is the generated file a PIE binary? Justify.
  • Add your program to Buildroot’s rootfs using the overlay mechanism (cf. slide 14 “Root filesystem customization” in Buildroot slides)
  • On your target, execute your program and observe its outputs

According to your observations, what memory regions among the four presented above have been randomized?

Explain and justify your findings.

Finally, inspect your target’s ASLR configuration in /proc. Does it match your findings above?
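
A possible starting point for the program in Question 1, given here as an added example rather than material from the lab handout: it samples one address per region so that successive runs can be compared. The names struct regions, sample_regions and first_shared_object_base are made up for this sketch, and it assumes /proc is mounted on the target and that shared libraries appear in /proc/self/maps with ".so" in their path.

```c
/* Added example (not part of the lab handout): one address per region. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct regions {
    uintptr_t text;   /* code inside the executable */
    uintptr_t stack;  /* a local variable */
    uintptr_t heap;   /* a small malloc() block */
    uintptr_t lib;    /* base of first mapped shared object, 0 if none */
};

/* Start of the first /proc/self/maps entry backed by a ".so" file (assumed naming). */
static uintptr_t first_shared_object_base(void)
{
    char line[512];
    unsigned long start = 0;
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    while (fgets(line, sizeof line, f)) {
        if (strstr(line, ".so") && sscanf(line, "%lx-", &start) == 1)
            break;
        start = 0;   /* not a shared-object line: discard and keep looking */
    }
    fclose(f);
    return (uintptr_t)start;
}

int sample_regions(struct regions *r)
{
    int local = 0;
    void *block = malloc(16);
    if (!block) return -1;
    r->text  = (uintptr_t)&sample_regions;
    r->stack = (uintptr_t)&local;
    r->heap  = (uintptr_t)block;
    r->lib   = first_shared_object_base();
    free(block);
    return 0;
}

int main(void)
{
    struct regions r;
    if (sample_regions(&r) != 0) return 1;
    printf("text  %#lx\nstack %#lx\nheap  %#lx\nlib   %#lx\n", (unsigned long)r.text,
           (unsigned long)r.stack, (unsigned long)r.heap, (unsigned long)r.lib);
    return 0;
}
```

Run it several times on the target and compare each line between runs. A statically linked build maps no shared object, so lib prints 0 in that case.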

Question 2: Optimize your kernel size

  • What is the size, in MB (1 MB = \(1024^2\) bytes), of your current Linux kernel (the kernel image you boot on)?

  • Configure and recompile your kernel so it’s optimized for size.

  • What is the size, in MB, of your new kernel?

  • Generate a new SD card image with your new kernel

  • Log into a shell on your target and find a way to verify that your kernel is indeed optimized for size (hint: /proc/...)

Question 3: Harden your kernel

Inspect your kernel configuration, in particular all the kernel options presented during the course “Linux kernel compilation and hardening”.

  • Indicate which kernel options must be changed (except “Kernel image address randomization”), and to which value, in order to obtain the most hardened Linux kernel (even if it breaks some legacy applications)

  • Harden your kernel by configuring it with the options above

  • Compile your new kernel and generate a new SD card image

  • Make sure that your new kernel works properly by logging into a shell on your target

  • Finally, on the target, validate the few options that can easily be checked

Question 4: Integration into Buildroot

Create a fragment for the Linux kernel with the changes from Question 3 so that your changes will still be applied after issuing a make clean command.

Verify that it works by running make clean followed by make. Then, reboot your target with the new SD card image to ensure it behaves as expected.