Linked by Thom Holwerda on Wed 14th Jun 2017 22:15 UTC, submitted by Ryan Freeman
OpenBSD: Theo de Raadt unveiled and described an interesting new kernel security feature: Kernel Address Randomized Link.

Over the last three weeks I've been working on a new randomization feature which will protect the kernel.

The situation today is that many people install a kernel binary from OpenBSD, and then run that same kernel binary for 6 months or more. We have substantial randomization for the memory allocations made by the kernel, and for userland also of course.

However that kernel is always in the same physical memory, at the same virtual address space (we call it KVA).

Improving this situation takes a few steps.

RE: would give it a try
by joekiser on Thu 15th Jun 2017 14:04 UTC in reply to "would give it a try"

Give it a try. Broadwell has been working on OpenBSD for a year and a half now. Broadwell is the most recent hardware I'll buy for that exact reason (i3, i7 NUC, X250 fwiw).

There's no hardware configuration or tweaking needed at all. Install, reboot, and you have Xorg running with xenodm to log in. It's the simplest operating system to use.

It's the newer Intel releases that are still a work in progress.

Score: 2