From 2b237039cf1db66100f7f0bb4880981ee0489abf Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 13 Jul 2022 22:25:53 +1000 Subject: [PATCH] Update README.md --- README.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index d7c9ea4..76ef0fe 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,8 @@ arbitrary code execution in kernel mode. * The bits of entropy used for mmap ASLR are increased, therefore improving its effectiveness. +* Randomises the addresses for mmap base, heap, stack, and VDSO pages. + * Prevents unintentional writes to attacker-controlled files. * Prevents common symlink and hardlink TOCTOU races. @@ -54,19 +56,13 @@ prevents writing potentially sensitive contents of memory to disk. ### Boot parameters -Boot parameters are configured via the `/etc/modprobe.d/30_security-misc.conf` -configuration file. +Boot parameters are outlined in configuration files located in the +`etc/default/grub.d/` directory. * Slab merging is disabled which significantly increases the difficulty of heap exploitation by preventing overwriting objects from merged caches and by making it harder to influence slab cache layout. -* Sanity checks are enabled which add various checks to prevent corruption -in certain slab operations. - -* Redzoning is enabled which adds extra areas around slabs that detect when -a slab is overwritten past its real size which can help detect overflows. - * Memory zeroing at allocation and free time is enabled to mitigate some use-after-free vulnerabilities and erase sensitive information in memory. @@ -83,10 +79,15 @@ are a potential target for ROP. * The kernel panics on oopses to thwart certain kernel exploits. +* Enables randomisation of the kernel stack offset on syscall entries. + * All mitigations for known CPU vulnerabilities are enabled and SMT is disabled. -* IOMMU is enabled to prevent DMA attacks. +* IOMMU is enabled to prevent DMA attacks along with strict enforcement of IOMMU +TLB invalidation so devices will never be able to access stale data contents. + +* Distrust the 'randomly' generated CPU and bootloader seeds. ### Blacklisted kernel modules