randomization kernel protection

[pawkolor]

Hello I'm not too much familiar with IT and programing but I would ask about new feature.What advantage will be this change what Theo is doing .

https://marc.info/?l=openbsd-tech&m=149732026405941

[jggimi]

phessler@ answered this question in the comments to the article in the OpenBSD Journal.

Quote:

Before this change, all kernels would have precisely the same memory layout. If you know a single symbol, you can calculate everything else.

The purpose of this, is to defend against attacks that use that information to attack. If every machine has a unique layout per boot, then those attacks cannot succeed.

[pawkolor]

Why Theo do this now not 10 years ago.Somebody from NSA use this method to hack system.

[Trihex]

There was also this article in bleepingcomputer.com, and where I first learned about it.

OpenBSD Will Get Unique Kernels on Each Reboot

It explains the difference in KARL and ASLR — Address Space Layout Randomization, which has been implemented in Linux:

[jggimi]

For clarity, your link references KASLR - "Kernel ASLR."

ASLR is not new, having been initially developed for Linux PaX in 2001 and deployed in OpenBSD in 2003, with other operating systems following over time. (Wiki)

[Trihex]

I wasn't clear enough and going by what the article stated:

Quote:

KARL should not be confused with ASLR — Address Space Layout Randomization — a technique that randomizes the memory address where application code is executed, so exploits can't target a specific area of memory where an application or the kernel is known to run.

At any rate, it was the deciding factor in my building another OpenBSD box after not having one for several years. Having an OpenBSD box in addition to just FreeBSD boxen has its merits as well.

[handy]

On my learning of OpenBSD doing this kernel randomization thingy, I moved (after ~12 years of Linux) from an ArchLinux based distro to OpenBSD. (I had been dissatisfied with Linux due to the effects of Red Hat - in particular - on the way Linux was being developed - I really don't like systemd. I also have learned that I really don't like the OpenRC init, which I've used for quite some time - the dislike is for completely different reasons...)

OpenBSD even without the Linux compatibility kernel layer, gives me more useful application choices than Void Linux (a technically great non-systemd alternative that uses the runit init). Unfortunately Void Linux seems to me to be more of a technical experiment & hobby for a BSD guy! (He makes me feel very simple minded...)

I only mentioned Void, as it was probably my last hope of finding a systemd free Linux that was suitable. For me it isn't. Repo is too small, community is too small, development team is too small, forum moderator team is too small, & on it goes.

/rant

[sacerdos_daemonis]

Quote:

Originally Posted by handy

Unfortunately Void Linux seems to me to be more of a technical experiment & hobby for a BSD guy!

Not a surprise.

Quote:

Rolling release
Install once, update daily. Your system will always be up-to-date.

From https://www.voidlinux.eu/

That is a clear message that the system is a toy not suitable for production environments. (like Arch) I am not saying there is anything wrong with such systems, but they are meant to be toys for computer hobbyists. There is a reason they are used in few offices and on few servers.

Personally, randomised kernals do not mean much to me. The extra security is nice, but it would not be the determining factor in my choice of OS.

[handy]

@s_d I agree with you that the rolling release package management system is not really suitable for business environments.

Where Void's rolling release system is superior to Arch (or any other rolling system that I know of) is that you can not upgrade any package for over a year, & then upgrade only selected packages (the dependencies will have to be upgraded too of course) & there will be no stability problems.

If you go to 3 months & beyond with Arch (based systems) you are asking for system trouble.

The kernel randomization thing was really just what caused me to have another look at OpenBSD. It installed & ran on my main machine; does just about everything that I need, so it is my new desktop system.

I just have to get AirVPN working on it & I'll be completely satisfied.