RANDSTRUCT and Volatility

RANDSTRUCT and Volatility

Postby geoffreyd » Tue Jan 27, 2015 8:17 am

Hello,

For a student project, I am currently trying to get Volatility to work on a patched kernel with the RANDSTRUCT flag activated.

In the documentation for the "Randomize layout of sensitive kernel structures" feature, I read: "will prevent the use of forensic tools like Volatility against the system (unless the kernel source tree isn't cleaned after kernel installation)."
When you say that it's possible if the kernel source tree isn't cleaned after installation, do you know how one should proceed, or is it just to say that it remains theoretically possible?
I was thinking about building a specific Linux profile for that kernel (https://code.google.com/p/volatility/wi ... yForensics) somehow using the source tree; does that sound possible to you?

Thanks in advance.
geoffreyd
Posts: 1
Joined: Tue Jan 27, 2015 7:50 am

Re: RANDSTRUCT and Volatility

Postby PaX Team » Tue Jan 27, 2015 8:49 am

there're two compile time generated files (in the object dir) that contain information about the random seed used by the gcc plugin:
- tools/gcc/randomize_layout_seed.h contains the actual (secret) value that seeds the PRNG used during compilation,
- include/generated/randomize_layout_hash.h has a hash of the seed that is in turn used by the module versioning machinery to prevent loading incompatible modules (so it's a public value).

now if you have the secret seed value then you can simply plug it into the gcc plugin and observe the shuffling it does to the affected structures (you can print them out from the plugin itself or dump them from debug info) and thus recover the randomized layouts the easy way (the hard way is to recover the layout information directly by analysing disassembly for structure field accesses). note that the intended/proper use of this feature means that the secret seed value stays actually secret (ideally it's destroyed after compiling the kernel and all out-of-tree modules, if any).
PaX Team
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
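The reply above says the intended use of RANDSTRUCT is that the secret seed in tools/gcc/randomize_layout_seed.h is destroyed after the kernel and any out-of-tree modules are built, while the hash in include/generated/randomize_layout_hash.h stays (it is public and needed for module versioning). The script below is an added post-build hygiene check written for this thread; it is not grsecurity's or PaX Team's tooling. It assumes only the two file paths named in the reply, relative to a kernel object directory you pass in, and it reports whether the secret seed is still present, optionally destroying it.

```shell
#!/bin/sh
# Added example (not grsecurity code): verify RANDSTRUCT seed hygiene in a
# kernel object directory. The two paths are the ones named in the thread;
# the object directory itself is whatever the caller passes in.

# Return 0 if the secret seed file is gone, 1 if it is still present.
check_randstruct_seed() {
    objdir="$1"
    seed="$objdir/tools/gcc/randomize_layout_seed.h"
    hash="$objdir/include/generated/randomize_layout_hash.h"
    if [ -f "$seed" ]; then
        echo "WARNING: secret RANDSTRUCT seed still present: $seed" >&2
        echo "         the randomized layouts can be reproduced from it;" >&2
        echo "         destroy it once all modules have been built." >&2
        return 1
    fi
    if [ -f "$hash" ]; then
        echo "OK: seed removed; public hash header kept: $hash"
    else
        echo "OK: seed removed (hash header not found under $objdir)"
    fi
    return 0
}

# Destroy the secret seed. Uses shred where available (overwrite, then
# unlink) and falls back to rm. The public hash header is left alone.
destroy_randstruct_seed() {
    objdir="$1"
    seed="$objdir/tools/gcc/randomize_layout_seed.h"
    [ -f "$seed" ] || return 0
    if command -v shred >/dev/null 2>&1; then
        shred -u "$seed"
    else
        rm -f "$seed"
    fi
    echo "destroyed $seed"
}

# Usage: ./randstruct_check.sh /path/to/kernel/objdir [--destroy]
if [ "$#" -gt 0 ]; then
    if [ "${2:-}" = "--destroy" ]; then
        destroy_randstruct_seed "$1"
    fi
    check_randstruct_seed "$1"
fi
```

Run the check against the object directory after the last out-of-tree module has been built; a non-zero exit means the seed is still recoverable from the tree, which is exactly the situation the reply describes as the easy path to recovering the layouts.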
