Bootpatch-SLR
Linux kernel implementation
Bootpatch-SLR, or BPSLR, is the Linux kernel implementation of SPSLR.
Project status
- Runtime randomization of most of
task_struct - Successful boot into userspace on Ubuntu 24.04
- Implementation in progress...
Why not RandStruct?
The Linux kernel already supports structure layout randomization through RandStruct. RandStruct is a compile-time hardening feature: selected structures are randomized while the kernel is built, and the resulting layout is fixed in the produced kernel image.
This is valuable, but it is not sufficient for the deployment model used by many distributions. A distribution typically builds one kernel image and ships that same image to many machines. If structure layouts are decided at compile time, all systems using that image share the same randomized layouts. Once the layout of that build is known, the layout is no longer instance-specific.
BPSLR investigates the stronger model: keep the kernel image distributable, but choose selected structure layouts during boot. The goal is to provide per-boot or per-machine layout diversity without requiring each user or distribution target to build a private kernel.
Current implementation
The current BPSLR prototype randomizes most of task_struct. Some fields remain fixed. These fixed fields are
required where the current compiler instrumentation must preserve compile-time
evaluability, matching the fixed-field restriction described in the SPSLR
architecture documentation.
BPSLR reuses the SPSLR pipeline almost entirely. The existing pinpoint plugin is used unchanged, including compiler
instrumentation, dependency tracking, and metadata generation. Of the selfpatch stage, only a small portion is adapted to the Linux
kernel environment, where an early boot-time patching step applies the selected
randomized layout before randomized structures are used during normal kernel
execution.
BPSLR has successfully booted into Ubuntu 24.04 using a custom Linux 6.12 kernel built from an almost-default Ubuntu kernel configuration for that release. The prototype currently demonstrates successful early boot and userspace startup with runtime-randomized kernel structure layouts, serving as an initial proof of feasibility for the approach.
Repository and development branch
BPSLR is developed in a separate Linux kernel mirror.
bpslr-dev-6.12.
git clone https://github.com/YJN-Systems/Bootpatch-SLR.git
cd linux
git switch bpslr-dev-6.12
Known issues
The following is a list of outstanding issues and work items:
- BTF is not patched yet. Kernel BTF metadata still describes the compile-time layout and must be updated or otherwise handled before BPSLR can be considered complete.
- Only part of
task_structis randomized. The current prototype randomizes most fields, but leaves fields fixed where required by compile-time layout constraints. A new pointer pin concept may allow pinpoint to restore compile-time availability of field pointers in static initializers, while marking those pointers in static data for patching. - Additional kernel structures should be randomized. The
current focus is the
task_struct; broader coverage requires auditing more structures and their initialization, ABI, debugging, and metadata interactions. - No new compiler plugins are allowed into Linux. To make its way into the kernel, BPSLR will require upstream compiler support. Eventually, the pinpoint plugin must be converted into patches for GCC and/or Clang.
- Micro-assemblers do not belong into compiler infrastructure. To place instruction pins directly at immediate operands, SPSLR uses a tiny assembler inside the pinpoint plugin. It is architecture-dependent and poorly maintainable. A new relocation type or custom operand labeling mechanism with assembler support could overcome this hurdle.
- Instrumentation correctness is hard to verify. Successful boots and user space tests serve as valuable indication for mostly correct patching, but neither guarantees that no special-case struct accesses have been missed by the compiler. A QEMU TCG plugin is currently being developed to track memory accesses to target structures at runtime. Instructions that read or write target memory but are not present on an allow-list of instrumented instructions can be identified for further investigation. This should eventually provide proper SPSLR debugging and validation infrastructure.