KASLR
What is KASLR?
Kernel Address Space Layout Randomization (KASLR) randomizes the kernel base and module load addresses each boot so attackers cannot hardcode kernel symbols for local privilege escalation.
KASLR extends ASLR into the kernel: the kernel image, modules, the vmalloc area, the physmap (direct map) and kernel stacks are placed at randomized offsets on every boot. Linux gained KASLR for x86 in 2014 (kernel 3.14); KAISER, later merged as KPTI to mitigate Meltdown, was first proposed to close KASLR leaks by unmapping most of the kernel from user-mode page tables. Windows has randomized the kernel since Vista and refined it through Windows 10. Because the kernel image is relocated as a single unit, leaking one kernel text or data pointer usually reveals the whole slide, and with it every other symbol; researchers have also recovered the slide without any software bug using cache, TLB, prefetch and speculative-execution side channels. KASLR is most useful combined with SMEP/SMAP, KPTI, kCFI, and restrictions on pointer exposure through /proc (kptr_restrict) and dmesg (dmesg_restrict).
● Examples
- 01
Linux x86_64 KASLR shifting the kernel's virtual base by a random 2 MiB-aligned offset within a 1 GiB window at boot.
- 02
Windows 10 randomizing ntoskrnl.exe load address per boot.
● Frequently asked questions
What is KASLR?
Kernel Address Space Layout Randomization (KASLR) randomizes the kernel base and module load addresses each boot so attackers cannot hardcode kernel symbols for local privilege escalation. It belongs to the Application Security category of cybersecurity.
What does KASLR mean?
Kernel Address Space Layout Randomization (KASLR) randomizes the kernel base and module load addresses each boot so attackers cannot hardcode kernel symbols for local privilege escalation.
How does KASLR work?
KASLR extends ASLR into the kernel: the kernel image, modules, the vmalloc area, the physmap (direct map) and kernel stacks are placed at randomized offsets on every boot. Linux gained KASLR for x86 in 2014 (kernel 3.14); KAISER, later merged as KPTI to mitigate Meltdown, was first proposed to close KASLR leaks by unmapping most of the kernel from user-mode page tables. Windows has randomized the kernel since Vista and refined it through Windows 10. Because the kernel image is relocated as a single unit, leaking one kernel text or data pointer usually reveals the whole slide, and with it every other symbol; researchers have also recovered the slide without any software bug using cache, TLB, prefetch and speculative-execution side channels. KASLR is most useful combined with SMEP/SMAP, KPTI, kCFI, and restrictions on pointer exposure through /proc (kptr_restrict) and dmesg (dmesg_restrict).
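The pointer-leak point made in the definition above and repeated in this answer, as an added example that is not from the original page: a small C program that takes one leaked kernel pointer, recovers the boot-time slide from a System.map-style table of link-time addresses, sanity-checks the slide against x86_64 KASLR's 2 MiB alignment and 1 GiB window (assumed defaults for this example), relocates the remaining symbols, and shows what a kptr_restrict-masked /proc/kallsyms line looks like to an unprivileged reader. The symbol table, the leaked value and the kallsyms lines are constructed for the example and are not from any real kernel.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sym { const char *name; uint64_t addr; };

/* Constructed System.map excerpt (hypothetical link-time addresses; only the
 * distances between symbols matter, and they are not from a real kernel). */
static const struct sym SYSTEM_MAP[] = {
    { "_text",               0xffffffff81000000ULL },
    { "native_write_cr4",    0xffffffff81058b40ULL },
    { "commit_creds",        0xffffffff810b9f40ULL },
    { "prepare_kernel_cred", 0xffffffff810ba2b0ULL },
};
#define NSYMS (sizeof SYSTEM_MAP / sizeof SYSTEM_MAP[0])

/* Assumed x86_64 defaults: the virtual base moves in 2 MiB steps inside a
 * 1 GiB window, so a genuine slide has both properties. */
#define KASLR_ALIGN   0x200000ULL
#define KASLR_WINDOW  (1ULL << 30)

/* Link-time address of a symbol, or 0 if it is not in the table. */
static uint64_t map_lookup(const char *name)
{
    for (size_t i = 0; i < NSYMS; i++)
        if (strcmp(SYSTEM_MAP[i].name, name) == 0)
            return SYSTEM_MAP[i].addr;
    return 0;
}

/* Recover the slide from a single leaked pointer to a known symbol.
 * Returns 0 and stores the slide only if it passes the plausibility check;
 * -1 means the leak is not a usable pointer to that symbol. */
int kaslr_slide(const char *leaked_sym, uint64_t leaked_addr, uint64_t *slide)
{
    uint64_t link_addr = map_lookup(leaked_sym);
    if (link_addr == 0 || leaked_addr < link_addr)
        return -1;
    uint64_t s = leaked_addr - link_addr;
    if (s % KASLR_ALIGN != 0 || s >= KASLR_WINDOW)
        return -1;
    *slide = s;
    return 0;
}

/* Runtime address of any other symbol once the slide is known: this is the
 * step that turns one leak into every kernel address an exploit needs. */
uint64_t relocate(const char *name, uint64_t slide)
{
    uint64_t link_addr = map_lookup(name);
    return link_addr ? link_addr + slide : 0;
}

/* Parse one /proc/kallsyms line ("<addr> <type> <name>"). With
 * kptr_restrict=1 an unprivileged reader sees the address zeroed, so the
 * line leaks nothing; returns 1 (and the address) only for a real pointer. */
int kallsyms_line_leaks(const char *line, uint64_t *addr_out)
{
    unsigned long long a;
    char type, name[128];
    if (sscanf(line, "%llx %c %127s", &a, &type, name) != 3)
        return 0;
    if (a == 0)
        return 0;
    if (addr_out)
        *addr_out = (uint64_t)a;
    return 1;
}

int main(void)
{
    /* Constructed leak: pretend an info-leak bug disclosed commit_creds. */
    uint64_t leaked = 0xffffffff810b9f40ULL + 0x1c00000ULL;
    uint64_t slide;
    if (kaslr_slide("commit_creds", leaked, &slide) == 0) {
        printf("slide               = 0x%llx\n", (unsigned long long)slide);
        printf("prepare_kernel_cred = 0x%llx\n",
               (unsigned long long)relocate("prepare_kernel_cred", slide));
    }
    /* Constructed kallsyms lines: masked (kptr_restrict) vs. unrestricted. */
    puts(kallsyms_line_leaks("0000000000000000 T _text", NULL) ? "leaks" : "masked");
    puts(kallsyms_line_leaks("ffffffff82c00000 T _text", NULL) ? "leaks" : "masked");
    return 0;
}
```

The alignment and window checks are the same sanity test an exploit developer applies to a suspected leak: a value that is not 2 MiB aligned relative to the link-time address is not a text pointer from this kernel build, so rejecting it avoids building a chain on garbage. The masked kallsyms line is what a correctly configured kptr_restrict produces; if the second form shows up for an unprivileged reader, the sysctl is not doing its job.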
How is KASLR bypassed, and how is it hardened?
KASLR is itself a defence, so the practical question is what defeats it and how to strengthen it. It is defeated by any leak of a kernel pointer (a bug that discloses kernel memory, or kernel addresses readable from /proc or dmesg by unprivileged users) and by the cache, TLB, prefetch and speculative-execution side channels noted above. Hardening combines it with KPTI (which also removes most of those side channels), SMEP/SMAP and kCFI, and keeps kernel pointers out of unprivileged reach by setting the kptr_restrict and dmesg_restrict sysctls.
What are other names for KASLR?
Common alternative names include: Kernel ASLR.
● Related terms
- appsec№ 064
ASLR
Address Space Layout Randomization randomizes the memory locations of code, stacks, heaps, and libraries so attackers cannot reliably predict target addresses for exploits.
- appsec№ 1058
SMEP / SMAP
SMEP and SMAP are CPU features that prevent the kernel from executing or accessing user-space pages, blocking common local privilege-escalation techniques.
- appsec№ 217
Control-Flow Integrity
Control-Flow Integrity (CFI) constrains a program's indirect calls and returns to a precomputed set of legitimate targets, blocking ROP and JOP exploits that hijack control flow.
- appsec№ 670
Memory Safety
Memory safety is the property that a program never reads, writes, or executes memory it has not legitimately allocated, preventing entire classes of vulnerabilities.
- appsec№ 545
Intel CET
Intel CET (Control-flow Enforcement Technology) is a CPU feature combining a hardware shadow stack and Indirect Branch Tracking (IBT) to block ROP, JOP and COP exploits.
- appsec№ 671
Memory-Safe Languages
Memory-safe languages such as Rust, Go, Swift, Java, and C# prevent the spatial and temporal memory errors that drive most exploitable vulnerabilities in C and C++.