• (K)ASLR is enabled with https://github.com/vyos/vyos-kernel/blob/35c51d3b30f29110aab12ade5f11f928c68951ec/arch/x86/configs/x86_64_vyos_defconfig#L405
• DEP

vyos@vyos:~$ show system kernel-messages | grep "Execute Disable" 
NX (Execute Disable) protection: active

• RELRO there's some info in the Debian Wiki but it reports permission denied: https://wiki.debian.org/Hardening

@c-po I have access to it, let me know if you need a pdf out of it.

@fromport
These mitigation techniques are all turned on/off via compiler flags and most of them are enabled enabled per default. ASLR on the kernel side is enabled since 2.6.25.

Your paper by the way is focusing on MIPS, an arch we currently do not support actively.

An easy start would be adding

export DEB_BUILD_MAINT_OPTIONS = hardening=+all
export DEB_CFLAGS_MAINT_APPEND  = -Wall -pedantic
export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed -Wl,-z,-defs

to debian/rules to harden our C programs (which is currently only VyShim and XDP). hardening=+all passes PIE and bindnow linker options to GCC.

Here are some kernel features we need to consider:

1. Disable kexec. The user should never need to swap the kernel.
2. Restrict access to /proc/kallsyms for regular users, which makes sense since we're using a custom kernel.
3. Set hidepid to prevent regular users from seeing process IDs. Might be too intrusive.
4. Harden BPF JIT. Might interfere with XDP. Testing necessary.
5. Set kernel lockdown mode. Disables kexec and unprivileged BGP commands. Again, might interfere with XDP.