Kernel FIPS Software Integrity Test and KASLR (A32a)
One of the mandatory steps during FIPS module initialization is performing an integrity check.
Usually such checking does not cause any difficulties and can be easily addressed by well-known approaches.
However, kernel-mode software has distinctive features that may complicate integrity checking. One of them is Kernel Address Space Layout Randomization (KASLR), a feature that randomizes the addresses at which kernel code is placed at boot time. In that case, it is not possible to compute an HMAC directly over the protected memory area.
In our presentation we will give an overview of the following:
– what KASLR is and why it is needed
– KASLR impact on Integrity Checking
– other examples of dynamic addressing for kernel-mode software (loadable kernel modules)
– approaches that address the KASLR issue and might be acceptable for FIPS certification
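
The effect described above, as an added illustration that is not material from the presentation: a toy image containing absolute pointers is fixed up with a boot-time slide, so its in-memory HMAC no longer matches the build-time value. Undoing the fixups before hashing is shown as one possible normalization; it is an assumption here, not necessarily an approach the talk covers or one accepted for FIPS certification. The key, base address, image layout and function names are all constructed for the example.

```python
import hmac, hashlib, struct

KEY = b"constructed-integrity-key"   # constructed sample key
LINK_BASE = 0xffffffff81000000       # constructed build-time base address
MASK64 = 0xffffffffffffffff

def build_image():
    """Constructed toy 'kernel text' with two absolute 64-bit pointers."""
    img = bytearray(b"\x90" * 64)
    relocs = [8, 40]                 # offsets that hold absolute addresses
    struct.pack_into("<Q", img, 8, LINK_BASE + 0x100)
    struct.pack_into("<Q", img, 40, LINK_BASE + 0x2000)
    return img, relocs

def apply_slide(img, relocs, slide):
    """Add `slide` to every relocated pointer, as a loader does under KASLR."""
    out = bytearray(img)
    for off in relocs:
        (val,) = struct.unpack_from("<Q", out, off)
        struct.pack_into("<Q", out, off, (val + slide) & MASK64)
    return out

def digest(img):
    """HMAC-SHA-256 over the image bytes."""
    return hmac.new(KEY, bytes(img), hashlib.sha256).hexdigest()

def verify_direct(loaded, expected):
    """Naive check: HMAC over memory exactly as loaded."""
    return hmac.compare_digest(digest(loaded), expected)

def verify_normalized(loaded, relocs, slide, expected):
    """Undo the slide on a copy, then compare against the build-time HMAC."""
    normalized = apply_slide(loaded, relocs, -slide)
    return hmac.compare_digest(digest(normalized), expected)

if __name__ == "__main__":
    image, relocs = build_image()
    expected = digest(image)         # value computed at build time
    slide = 0x1c00000                # constructed boot-time random offset
    loaded = apply_slide(image, relocs, slide)
    print("direct check passes:    ", verify_direct(loaded, expected))
    print("normalized check passes:", verify_normalized(loaded, relocs, slide, expected))
    loaded[0] ^= 0x01                # simulate a modified code byte
    print("tampered image passes:  ", verify_normalized(loaded, relocs, slide, expected))
```

The normalized check works on a copy, so the running image is never modified, and it still rejects any change outside the pointer fixups.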