Bootpatch-SLR

Linux kernel implementation

Bootpatch-SLR, or BPSLR, is the Linux kernel implementation of SPSLR.

Project status

Research prototype: BPSLR is currently experimental and intended for evaluation and development. The prototype has successfully booted Ubuntu 24.04 with a custom Linux 6.12 kernel using an almost-default Ubuntu kernel configuration.
  • Runtime randomization of most of task_struct
  • Successful boot into userspace on Ubuntu 24.04
  • Implementation in progress...

Why not RandStruct?

The Linux kernel already supports structure layout randomization through RandStruct. RandStruct is a compile-time hardening feature: selected structures are randomized while the kernel is built, and the resulting layout is fixed in the produced kernel image.

This is valuable, but it is not sufficient for the deployment model used by many distributions. A distribution typically builds one kernel image and ships that same image to many machines. If structure layouts are decided at compile time, all systems using that image share the same randomized layouts. Once the layout of that build has been recovered, it is known for every machine running that image: the layout is shared, not instance-specific.

BPSLR investigates the stronger model: keep the kernel image distributable, but choose selected structure layouts during boot. The goal is to provide per-boot or per-machine layout diversity without requiring each user or distribution target to build a private kernel.

Current implementation

The current BPSLR prototype randomizes most of task_struct. Some fields remain fixed. These fixed fields are required where the current compiler instrumentation must preserve compile-time evaluability, matching the fixed-field restriction described in the SPSLR architecture documentation.

BPSLR reuses the SPSLR pipeline almost entirely. The existing pinpoint and patchcompile components are used unchanged, including compiler instrumentation, dependency tracking, and metadata generation. Only the selfpatch stage is adapted to the Linux kernel environment, where an early boot-time patching step applies the selected randomized layout before randomized structures are used during normal kernel execution.

BPSLR has successfully booted into Ubuntu 24.04 using a custom Linux 6.12 kernel built from an almost-default Ubuntu kernel configuration for that release. The prototype currently demonstrates successful early boot and userspace startup with runtime-randomized kernel structure layouts, serving as an initial proof of feasibility for the approach.
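The following is an added user-space model of the mechanism described above, written for this page; it is not BPSLR or SPSLR code, and every name in it (task_model, bpslr_model_patch_layout, the field set, the way the seed is consumed) is an assumption made for illustration. It contrasts the compile-time layout that a RandStruct-style build would freeze into the image with a layout chosen at "boot": all field accesses go through an offset table, a patch step rewrites that table from a seed, and one field stands in for the fields that must remain compile-time evaluable and is therefore pinned at offset 0.

```c
/*
 * Added example, not BPSLR code: a user-space model of boot-time structure
 * layout randomization. All names are assumptions for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Compile-time layout, as the compiler lays it out (stand-in for task_struct). */
struct task_model {
    int     pid;        /* pinned: stands in for fields that must stay compile-time evaluable */
    int64_t state;
    unsigned flags;
    char    comm[16];
};

enum { F_PID = 0, F_STATE, F_FLAGS, F_COMM, F_COUNT };

static const size_t field_size[F_COUNT]  = { sizeof(int), sizeof(int64_t), sizeof(unsigned), 16 };
static const size_t field_align[F_COUNT] = { _Alignof(int), _Alignof(int64_t), _Alignof(unsigned), 1 };
static const size_t compile_off[F_COUNT] = {
    offsetof(struct task_model, pid),   offsetof(struct task_model, state),
    offsetof(struct task_model, flags), offsetof(struct task_model, comm),
};

/* Offset table that every field access goes through; rewritten by the boot-time patch step. */
static size_t field_off[F_COUNT];
static size_t layout_size;

static size_t align_up(size_t off, size_t a) { return (off + a - 1) & ~(a - 1); }

/* Choose and install a layout from a seed (in the model, a permutation rank taken from
 * the boot entropy source). The seed is consumed in mixed radix, so each permutation of
 * the movable fields is selected exactly once for seed in [0, (F_COUNT-1)!). Field 0 is
 * never moved; the remaining fields are placed in the chosen order with natural alignment. */
void bpslr_model_patch_layout(uint64_t seed)
{
    int order[F_COUNT];
    for (int i = 0; i < F_COUNT; i++) order[i] = i;
    for (int i = F_COUNT - 1; i >= 2; i--) {
        int j = 1 + (int)(seed % (uint64_t)i);      /* j in [1, i]: slot 0 stays fixed */
        seed /= (uint64_t)i;
        int t = order[i]; order[i] = order[j]; order[j] = t;
    }
    size_t off = 0, max_align = 1;
    for (int k = 0; k < F_COUNT; k++) {
        int f = order[k];
        off = align_up(off, field_align[f]);
        field_off[f] = off;
        off += field_size[f];
        if (field_align[f] > max_align) max_align = field_align[f];
    }
    layout_size = align_up(off, max_align);
}

size_t bpslr_model_offset(int f) { return field_off[f]; }
size_t bpslr_model_size(void)    { return layout_size; }

/* 1 if the installed layout is exactly the compile-time one (what a shipped image would freeze). */
int bpslr_model_matches_compile_time(void)
{
    for (int f = 0; f < F_COUNT; f++)
        if (field_off[f] != compile_off[f]) return 0;
    return 1;
}

/* Sanity check a patched layout: pinned field at 0, every field aligned, inside the object,
 * and no two fields overlapping. */
int bpslr_model_layout_valid(void)
{
    if (field_off[F_PID] != 0) return 0;
    for (int a = 0; a < F_COUNT; a++) {
        if (field_off[a] % field_align[a] != 0) return 0;
        if (field_off[a] + field_size[a] > layout_size) return 0;
        for (int b = a + 1; b < F_COUNT; b++) {
            size_t a_end = field_off[a] + field_size[a], b_end = field_off[b] + field_size[b];
            if (field_off[a] < b_end && field_off[b] < a_end) return 0;
        }
    }
    return 1;
}

#define FIELD_PTR(obj, f) ((void *)((unsigned char *)(obj) + field_off[f]))

/* Patch the layout for `seed`, store values through the offset table, read them back. */
int bpslr_model_roundtrip(uint64_t seed)
{
    unsigned char obj[64];                      /* any permutation of the four fields fits */
    int pid_in = 4242, pid_out; int64_t state_in = -1, state_out;
    unsigned flags_in = 0x40u, flags_out; char comm_out[16];

    bpslr_model_patch_layout(seed);
    if (!bpslr_model_layout_valid() || layout_size > sizeof obj) return 0;
    memset(obj, 0, sizeof obj);
    memcpy(FIELD_PTR(obj, F_PID),   &pid_in,   sizeof pid_in);
    memcpy(FIELD_PTR(obj, F_STATE), &state_in, sizeof state_in);
    memcpy(FIELD_PTR(obj, F_FLAGS), &flags_in, sizeof flags_in);
    strncpy((char *)FIELD_PTR(obj, F_COMM), "bpslr-demo", 16);   /* constructed sample values */
    memcpy(&pid_out,   FIELD_PTR(obj, F_PID),   sizeof pid_out);
    memcpy(&state_out, FIELD_PTR(obj, F_STATE), sizeof state_out);
    memcpy(&flags_out, FIELD_PTR(obj, F_FLAGS), sizeof flags_out);
    memcpy(comm_out,   FIELD_PTR(obj, F_COMM),  16);
    return pid_out == pid_in && state_out == state_in && flags_out == flags_in
        && strcmp(comm_out, "bpslr-demo") == 0;
}

int main(int argc, char **argv)
{
    static const char *names[F_COUNT] = { "pid", "state", "flags", "comm" };
    uint64_t seed = argc > 1 ? strtoull(argv[1], NULL, 0) : 0;
    bpslr_model_patch_layout(seed);
    printf("seed %llu: object size %zu, equals compile-time layout: %s\n",
           (unsigned long long)seed, layout_size, bpslr_model_matches_compile_time() ? "yes" : "no");
    for (int f = 0; f < F_COUNT; f++)
        printf("  %-6s compile-time %2zu  boot-patched %2zu\n", names[f], compile_off[f], field_off[f]);
    return bpslr_model_roundtrip(seed) ? 0 : 1;
}
```

Run it with different seeds (`./a.out 0`, `./a.out 1`) to see the same object type take a different layout each "boot" while the accessors keep working; the real system faces the parts this model skips, namely rewriting every compiled field access and static initializer that baked in an offset, and keeping metadata such as BTF in step with the patched layout.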

Repository and development branch

BPSLR is developed in a separate Linux kernel mirror. The implementation currently lives on the spslr-dev branch.

Code location: The current development branch for BPSLR is bpslr/dev.
  # cloning creates a directory named after the repository
  git clone https://github.com/YJN-Systems/Bootpatch-SLR.git
  cd Bootpatch-SLR
  git switch spslr-dev

Known issues

The following is a list of outstanding issues and work items:

  • BTF is not patched yet. Kernel BTF metadata still describes the compile-time layout and must be updated or otherwise handled before BPSLR can be considered complete.
  • Only part of task_struct is randomized. The current prototype randomizes most fields, but leaves fields fixed where required by compile-time layout constraints. A new pointer pin concept may allow pinpoint to restore compile-time availability of field pointers in static initializers, while marking those pointers in static data for patching.
  • Additional kernel structures should be randomized. The current focus is the task_struct; broader coverage requires auditing more structures and their initialization, ABI, debugging, and metadata interactions.