Bootpatch-SLR

Linux kernel implementation

Bootpatch-SLR, or BPSLR, is the Linux kernel implementation of SPSLR.

Project status

Research prototype: BPSLR is currently experimental and intended for evaluation and development. The prototype has successfully booted Ubuntu 24.04 with a custom Linux 6.12 kernel using an almost-default Ubuntu kernel configuration.
  • Runtime randomization of most of task_struct
  • Successful boot into userspace on Ubuntu 24.04
  • Implementation in progress...

Why not RandStruct?

The Linux kernel already supports structure layout randomization through RandStruct. RandStruct is a compile-time hardening feature: selected structures are randomized while the kernel is built, and the resulting layout is fixed in the produced kernel image.

This is valuable, but it is not sufficient for the deployment model used by many distributions. A distribution typically builds one kernel image and ships that same image to many machines. If structure layouts are decided at compile time, all systems using that image share the same randomized layouts. Once the layout of that build is known, the layout is no longer instance-specific.

BPSLR investigates the stronger model: keep the kernel image distributable, but choose selected structure layouts during boot. The goal is to provide per-boot or per-machine layout diversity without requiring each user or distribution target to build a private kernel.

Current implementation

The current BPSLR prototype randomizes most of task_struct. Some fields remain fixed. These fixed fields are required where the current compiler instrumentation must preserve compile-time evaluability, matching the fixed-field restriction described in the SPSLR architecture documentation.

BPSLR reuses the SPSLR pipeline almost entirely. The existing pinpoint plugin is used unchanged, including compiler instrumentation, dependency tracking, and metadata generation. Of the selfpatch stage, only a small portion is adapted to the Linux kernel environment, where an early boot-time patching step applies the selected randomized layout before randomized structures are used during normal kernel execution.

BPSLR has successfully booted into Ubuntu 24.04 using a custom Linux 6.12 kernel built from an almost-default Ubuntu kernel configuration for that release. The prototype currently demonstrates successful early boot and userspace startup with runtime-randomized kernel structure layouts, serving as an initial proof of feasibility for the approach.

Repository and development branch

BPSLR is developed in a separate Linux kernel mirror.

Code location: The current development branch for BPSLR is bpslr-dev-6.12.
git clone https://github.com/YJN-Systems/Bootpatch-SLR.git
  cd linux
  git switch bpslr-dev-6.12

Known issues

The following is a list of outstanding issues and work items:

  • BTF is not patched yet. Kernel BTF metadata still describes the compile-time layout and must be updated or otherwise handled before BPSLR can be considered complete.
  • Only part of task_struct is randomized. The current prototype randomizes most fields, but leaves fields fixed where required by compile-time layout constraints. A new pointer pin concept may allow pinpoint to restore compile-time availability of field pointers in static initializers, while marking those pointers in static data for patching.
  • Additional kernel structures should be randomized. The current focus is the task_struct; broader coverage requires auditing more structures and their initialization, ABI, debugging, and metadata interactions.
  • No new compiler plugins are allowed into Linux. To make its way into the kernel, BPSLR will require upstream compiler support. Eventually, the pinpoint plugin must be converted into patches for GCC and/or Clang.
  • Micro-assemblers do not belong into compiler infrastructure. To place instruction pins directly at immediate operands, SPSLR uses a tiny assembler inside the pinpoint plugin. It is architecture-dependent and poorly maintainable. A new relocation type or custom operand labeling mechanism with assembler support could overcome this hurdle.
  • Instrumentation correctness is hard to verify. Successful boots and user space tests serve as valuable indication for mostly correct patching, but neither guarantees that no special-case struct accesses have been missed by the compiler. A QEMU TCG plugin is currently being developed to track memory accesses to target structures at runtime. Instructions that read or write target memory but are not present on an allow-list of instrumented instructions can be identified for further investigation. This should eventually provide proper SPSLR debugging and validation infrastructure.