Provide option to enable the kernel Electric-Fence

README.md

@@ -141,6 +141,10 @@ configuration file.
 
 - Provide the option to modify machine check exception handler.
 
+- Provide the option to enable the kernel Electric-Fence sampling-based memory
+  safety error detector which can identify heap out-of-bounds access, use-after-free,
+  and invalid-free errors.
+
 - Provide the option to use kCFI as the default CFI implementation since it may be
   slightly more resilient to attacks that are able to write arbitrary executables
   in memory (when using Linux kernel version >= 6.2).

etc/default/grub.d/40_kernel_hardening.cfg

@@ -113,6 +113,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
 
+## Enable the kernel "Electric-Fence" sampling-based memory safety error detector.
+## KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors.
+## Aims to have very low processing overhead at each sampling interval
+## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation.
+##
+## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
+
 ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
 ## The default implementation is FIneIBT as of Linux kernel 6.2.
 ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.