osdev-security
Community
Harden kernels with CPU and DMA protections
System Documentation
What problem does it solve?
Prevents common kernel exploitation vectors by providing guidance and patterns to enforce page-level protections, supervisor-mode restrictions, stack integrity, address-space randomization, isolation of page tables, and device DMA controls so the kernel resists code injection, unauthorized memory access, and DMA-based attacks.
Core Features & Use Cases
- Page protections & W^X enforcement: Guidance for enabling NX/XD, setting PTE flags, and ensuring writable pages are never executable.
- Supervisor-mode hardening: Steps to detect and enable SMEP, SMAP, and UMIP and patterns for safe temporary user-access windows (STAC/CLAC).
- Stack and allocation safety: Stack canary initialization, __stack_chk_fail handling, and guard page recommendations.
- Address-space and entry isolation: KASLR recommendations and KPTI design for separate user/kernel page tables and syscall trampoline handling.
- DMA protection via IOMMU: VT-d and AMD-Vi references for discovering, initializing, and mapping device DMA domains to prevent device-driven memory corruption.
- Syscall safety patterns: Validate user pointers, safe copy_from_user/copy_to_user patterns, exception table handling, and integer overflow checks.
- Practical checklist: A concise checklist of kernel security features to verify during boot and audits.
Quick Start
Audit and enable NX, SMEP, SMAP, KPTI, stack canaries, KASLR, and IOMMU during early kernel initialization and follow safe copy_from_user/copy_to_user patterns when accessing user memory.
Dependency Matrix
Required Modules
None required
Components
💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: osdev-security Download link: https://github.com/Maelwalser/claude-config/archive/main.zip#osdev-security Please download this .zip file, extract it, and install it in the .claude/skills/ directory.