Getting the OSSI for Linux

VM Requirements

  • PTI and KASLR protections: disabled.
  • The kernel headers installed in the VM.
  • Compatible kernels: Linux 64-bit, versions 4.1 to 4.14.9 inclusive.
  • Tested distributions:
    • Fedora 27 (kernel version 4.13)
    • OpenSUSE 15.1 (kernel version 4.12.14)
    • Debian 9 (kernel version 4.9)
    • Ubuntu 16.04 (kernel version 4.13)
  • Other untested distributions in the compatibility range:
    • OpenSUSE 15.0 (kernel version 4.12)
    • Ubuntu 17.10 (kernel version 4.13)
    • NixOS up to 18.09 (kernel version 4.14)
    • ...

Each distribution may carry its own set of kernel patches that can hinder OSSI retrieval. Feel free to contact support if you cannot get OSSI when using a distribution from the list above.

Disabling KASLR and PTI

You need to add the nopti and nokaslr options to your kernel command line. On most systems, the following procedure should work almost as-is:

  1. Edit the file /etc/default/grub.
  2. Find the variable GRUB_CMDLINE_LINUX_DEFAULT.
  3. Add the nopti and nokaslr options, making the line look like this: GRUB_CMDLINE_LINUX_DEFAULT="[...] nopti nokaslr"
  4. Regenerate your grub configuration:
    • update-grub for Debian
    • grub2-mkconfig -o /etc/grub2.cfg for CentOS
    • other distributions should work in a similar way.
  5. Reboot.
  6. Verify that both options appear in /proc/cmdline.
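As an added check (not part of the original documentation, function names and the headers path are my assumptions), the following POSIX shell functions verify the VM requirements described above: both boot options present in the kernel command line, the kernel release inside the supported 4.1 to 4.14.9 range, and the kernel headers installed at the usual /lib/modules/<release>/build location.

```shell
#!/bin/sh
# Return 0 when the kernel command line ($1, normally the contents of
# /proc/cmdline) contains both "nopti" and "nokaslr" as whole words.
cmdline_has_opts() {
    cmdline="$1"
    missing=""
    for opt in nopti nokaslr; do
        case " $cmdline " in
            *" $opt "*) ;;                      # option found as a whole word
            *) missing="$missing $opt" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing kernel options:$missing" >&2
        return 1
    fi
    return 0
}

# Return 0 when a release string in "uname -r" form (e.g. 4.13.0-21-generic)
# lies in the supported range 4.1 .. 4.14.9, 1 otherwise.
kernel_in_range() {
    ver=${1%%-*}                    # drop the "-21-generic" style suffix
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "4.13" has no patch component
    patch=${patch%%[!0-9]*}         # tolerate "9+" style local suffixes
    [ -z "$patch" ] && patch=0
    [ "$major" -eq 4 ] || return 1
    [ "$minor" -ge 1 ] || return 1
    [ "$minor" -lt 14 ] && return 0
    [ "$minor" -eq 14 ] && [ "$patch" -le 9 ] && return 0
    return 1
}

# Run all checks against the live VM (reads /proc/cmdline and uname -r).
# Usage after sourcing this file on the VM: check_host
check_host() {
    release=$(uname -r)
    cmdline_has_opts "$(cat /proc/cmdline)" || return 1
    kernel_in_range "$release" || { echo "kernel $release is outside 4.1..4.14.9" >&2; return 1; }
    [ -d "/lib/modules/$release/build" ] || { echo "no kernel headers for $release" >&2; return 1; }
    echo "VM satisfies the OSSI requirements for kernel $release"
}
```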

Installing the kernel headers

For Debian-like distributions, this should be done with a command similar to this one:
sudo apt install linux-headers-$(uname -r)

For RedHat-based distributions, the command is more like the following:
sudo dnf install kernel-devel kernel-headers

Obtaining OSSI for a scenario

This should be as simple as:

  1. Preparing the snapshot you want to use for the record.
  2. Recording your scenario.
  3. Checking the "OSSI" option at the replay step.

However, depending on the distribution you are recording, the generation of the kernel_description.json resource may fail. In that case, contact support to get help generating it manually.

Maximizing the symbol coverage

By default, symbols are searched within the binaries executed in a scenario. These production binaries usually contain very few symbols.

If debug versions of these binaries, with more symbols, are available on the VM, it is possible to complete the Light Filesystem resource with this information. It can be done manually or using a script.