KASLD answers a practical question: how effective is KASLR on this system, against an unprivileged local attacker? It derandomizes the Linux kernel's virtual and physical memory layout from an unprivileged local process — recovering the kernel text base outright where a leak or side channel allows, and otherwise narrowing it to the smallest set of placements the available evidence supports. The inference engine fuses evidence from dozens of independent techniques with the architecture's known invariants, narrowing the kernel's placement to a residual window — reported as the surviving slot count and bits of entropy: a measure of how much protection KASLR actually retains. On a fully-patched modern kernel — where x86-64 side channels are mitigated and no direct kernel-text leak survives — full recovery is often impossible, but the constraint set is rarely empty. On architectures without KASLR, the engine locates the bootloader-chosen load address.
Supports:
- x86 (i386+, amd64)
- ARM (armv6, armv7, armv8, aarch64)
- MIPS (mipsbe, mipsel, mips64el)
- PowerPC (ppc, ppc64)
- RISC-V (riscv32, riscv64)
- LoongArch (loongarch64)
- s390
```
sudo apt install libc-dev make gcc binutils git
git clone https://github.com/bcoles/kasld
cd kasld
make
./build/<arch>/kasld
```

The `build/<arch>/` directory is self-contained and can be deployed to a
target system:

```
build/<arch>/
  kasld         <- run this
  components/   <- leak components
```
Fully-patched systems with kernel.dmesg_restrict=1,
kernel.kptr_restrict=1, and kernel.perf_event_paranoid=2 (or higher)
return limited results. For testing, the
extra/weaken-kernel-hardening script
can temporarily relax these settings (requires root).
The default text mode prints an answer-first overview:

```
KASLD 0.3.1-dev -- Kernel ASLR derandomization
Target: x86_64 / 6.15.6
Running 83 components (10 experimental skipped; use -x to enable)...
[####################] 100% 83/83 5.3s

Virtual image base    0xffffffff83800000   slide +0x2800000
Physical image base   not derandomized     ~9 bits
                      0x0000000001000000 - 0x000000003c20ca00 (473 x 2.0 MiB)
Direct map base       >= 0xffff800000000000
Phys/Virt Coupling    physical and virtual text randomize independently

Leaks (1):
  virt kernel text    0xffffffff83800000   (prefetch)

[-v: detailed results, memory map, system info] [-H: hardening assessment]
```
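The overview above reports three derived numbers: the slide, the surviving slot count, and the remaining bits of entropy. The script below is an added example (not part of KASLD) that re-derives them from the raw hex fields, which is a useful sanity check when reading a report from an unfamiliar machine. It assumes the upstream x86_64 defaults of a `0xffffffff81000000` text base and 2 MiB alignment (`CONFIG_PHYSICAL_ALIGN=0x200000`); the regexes are this example's own and do not describe a stable KASLD output format. The sample overview is a constructed copy of the block shown above.

```python
"""Added example (not part of KASLD): re-derive the numbers in a KASLD
text-mode overview from its raw hex fields, to sanity-check a report.

Assumptions: the x86_64 default kernel text base 0xffffffff81000000 and
2 MiB alignment (CONFIG_PHYSICAL_ALIGN=0x200000) are the upstream
defaults, not values read from the tool; the parsing regexes below are
this example's own, not a stable KASLD output format.
"""
import math
import re

# Constructed sample: a copy of the overview shown in the README above.
SAMPLE_OVERVIEW = """\
Virtual image base    0xffffffff83800000   slide +0x2800000
Physical image base   not derandomized     ~9 bits
                      0x0000000001000000 - 0x000000003c20ca00 (473 x 2.0 MiB)
Direct map base       >= 0xffff800000000000
"""

X86_64_DEFAULT_TEXT_BASE = 0xFFFFFFFF81000000  # upstream default (assumption)
X86_64_TEXT_ALIGN = 0x200000                     # CONFIG_PHYSICAL_ALIGN default


def parse_overview(text):
    """Pull the hex fields out of the overview. Returns a dict of ints."""
    out = {}
    m = re.search(r"Virtual image base\s+(0x[0-9a-f]+)\s+slide\s+\+?(0x[0-9a-f]+)", text)
    if m:
        out["virt_base"] = int(m.group(1), 16)
        out["reported_slide"] = int(m.group(2), 16)
    m = re.search(r"(0x[0-9a-f]+)\s*-\s*(0x[0-9a-f]+)\s*\((\d+) x ([0-9.]+) MiB\)", text)
    if m:
        out["phys_lo"] = int(m.group(1), 16)
        out["phys_hi"] = int(m.group(2), 16)
        out["reported_slots"] = int(m.group(3))
        out["slot_bytes"] = int(float(m.group(4)) * 1024 * 1024)
    m = re.search(r"Direct map base\s+>=\s+(0x[0-9a-f]+)", text)
    if m:
        out["direct_map_min"] = int(m.group(1), 16)
    return out


def kaslr_slide(virt_base, default_base=X86_64_DEFAULT_TEXT_BASE):
    """Slide = recovered text base minus the non-randomized default base."""
    return virt_base - default_base


def residual_entropy(lo, hi, slot_bytes):
    """Aligned slots that fit in [lo, hi) and the bits of entropy that
    remain, i.e. how many equiprobable placements are still unresolved."""
    slots = (hi - lo) // slot_bytes
    bits = math.log2(slots) if slots > 0 else 0.0
    return slots, bits


def is_plausible_text_base(virt_base, align=X86_64_TEXT_ALIGN):
    """A recovered base that is not slot-aligned indicates a parse or leak error."""
    return virt_base % align == 0


def check_report(text):
    """Cross-check the report's own arithmetic; returns the derived values."""
    f = parse_overview(text)
    slide = kaslr_slide(f["virt_base"])
    slots, bits = residual_entropy(f["phys_lo"], f["phys_hi"], f["slot_bytes"])
    return {
        "slide": slide,
        "slide_matches": slide == f["reported_slide"],
        "aligned": is_plausible_text_base(f["virt_base"]),
        "slots": slots,
        "slots_match": slots == f["reported_slots"],
        "bits": round(bits),
    }


if __name__ == "__main__":
    r = check_report(SAMPLE_OVERVIEW)
    print(f"slide=+{r['slide']:#x} (matches report: {r['slide_matches']})")
    print(f"text base 2 MiB-aligned: {r['aligned']}")
    print(f"physical window: {r['slots']} slots, ~{r['bits']} bits "
          f"(matches report: {r['slots_match']})")
```

The slot count is a floor division of the window by the alignment granule, so a window that is not a whole number of granules loses its partial last slot; the "~9 bits" figure is simply log2 of that count rounded, which is why a 473-slot window and a 512-slot window both read as 9 bits.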
- `-v` adds the full verbose readout (banner, system-config block, per-component logs, KASLR analysis, memory-layout maps).
- `-j` emits machine-readable JSON.
- `-1` emits a single shell-pipeable line.
- `-m` formats for issue trackers.
- `-H` appends a hardening assessment in any mode.
See docs/usage.md for the full CLI, output-mode details, explain mode, and hardening assessment.
New to KASLD? Read in order: docs/kaslr.md (what KASLR is and what it randomizes) → docs/architecture.md → A leak from end to end (how KASLD turns one leak into an answer) → CONTRIBUTING.md (add a leak component or inference rule). The table below is the per-audience reference.
| Audience | Document |
|---|---|
| End user / operator | docs/usage.md — CLI, output modes, explain mode, hardening assessment |
| Exploit developer | docs/exploitation.md — pwntools template, ksymoff, function-offset patterns |
| Component / rule author | CONTRIBUTING.md — writing a component or rule, emitter API, exit codes, metadata |
| Architecture / internals | docs/architecture.md — the inference engine, data-flow seams, tagged-line protocol, cross-region derivation |
| Test runner / CI | docs/testing.md — host tests, replay fixtures, cross-arch under qemu-user, coverage |
| Reproducibility | docs/reproducibility.md — independent verification: on the local kernel, live across architectures, or over the captured corpus |
| KASLR primer | docs/kaslr.md — per-arch KASLR history, default text base, vmsplit, FG-KASLR |
| Bypass techniques | docs/bypass-techniques.md — filesystem leaks, side-channels, syscall / ioctl leaks, weak entropy, patched CVEs, arbitrary read |
A compiler which supports the _GNU_SOURCE macro is required due to
use of non-portable code (MAP_ANONYMOUS, getline(), popen(), …).
```
make            # build kasld + components
make run        # build and run
make test       # build and run unit tests
make cross      # cross-compile for all supported architectures
make install    # install to /usr/local (PREFIX=/usr/local)
make uninstall  # remove installed files
make clean      # remove build directory
make help       # show all targets and options
```
KASLD can be cross-compiled with make by specifying the appropriate
compiler (`CC`). Static linking is applied automatically when cross-compiling:

```
make CC=aarch64-linux-musl-gcc
```

Build all supported cross-compilation targets (toolchains must be in `PATH`):

```
make cross
```
KASLD is MIT licensed. It incorporates modified third-party code snippets and proof-of-concept code; those snippets may carry different license terms. See the reference URLs in each file's comment header for credits and license details.
