Skip to main content

Kernel and Memory Hardening

Estimated reading: 2 minutes 68 views

Policies that mitigate low-level exploits and memory corruption vulnerabilities.

  • Memory Sanitization: The system immediately fills freed memory pages and heap objects with zeroes, preventing use-after-free attacks and data leaks from uninitialized memory.
  • Kernel Exploit Mitigation:
    • Disable Slab Merging: Prevents the kernel from merging memory slabs of similar size, making heap-corruption exploits significantly harder.
    • Page Table Isolation (PTI): Mitigates speculative execution attacks such as Meltdown.
    • Randomize Kernel Stack Offset: Introduces randomness to the kernel stack offset on every system call to thwart memory prediction attacks.
    • Restrict Kernel Pointers: Hides kernel pointer addresses from non-privileged processes to prevent information leaks.
  • Attack Surface Reduction:
    • Disable Virtual Syscalls: Disables vsyscalls to reduce the attack surface for specific exploits and improve performance.
    • Enable BPF JIT Hardening: Hardens the Berkeley Packet Filter (BPF) Just-in-Time (JIT) compiler to mitigate JIT spraying attacks.
    • Restrict SysRq Key: We restrict the SysRq key to allow only safe reboot sequences (REISUB) while blocking dangerous debugging commands.
  • Disable Obscure Network Protocols:
    • We actively blacklist over 15 rare or legacy network protocols, such as DCCP, SCTP, RDS, TIPC, AppleTalk, and IPX, to prevent the kernel from loading them. Attackers frequently target these unused modules due to their lower code quality and historical vulnerabilities.
  • Enable multiple LSMs (Linux security modules), such as Capability, AppArmor, Yama, BPF, and Landlock.
Kernel and Memory Hardening - PreviousIdentity and Access ManagementNext - Kernel and Memory HardeningNetwork Security and Privacy

Recently Viewed articles

© 2017-2026 Some Rights Reserved. Made with by Nitrux Latinoamericana S.C.