If this threat model presupposes non-root access, wouldn't it be enough to just harden Linux file access rights? Making System.map no longer readable by non-root users? That may even be something upstream might be more easily convinced of doing by default, since it would be a good balance between security and debuggability.
madaidan via Whonix Forum:
> I think most malware would attempt to look around certain files on the system instead of hardcoding information or getting them from another source.
An attacker could just run
cd /var/cache/apt/archives; ar x linux-image-$(uname -r).deb; tar -xf data.tar.xz; cat boot/System.map-$(uname -r)
That's not great, since the kernel package may or may not still be inside the folder /var/cache/apt/archives.
There are not that many kernel versions. Collecting the various boot/System.map-$(uname -r) files (probably only a few lines of each are needed) and hardcoding them into malware does not seem hard to me.
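A worked version of the two ideas discussed in the posts above, the cached-.deb extraction one-liner and the lookup that malware carrying hardcoded System.map excerpts would perform, together with the permission check behind the hardening suggestion at the top of the thread. This is an added example, not code from the thread or from Whonix. It assumes a POSIX sh with awk, find and mktemp (plus ar and tar for the extraction function); the System.map excerpt and its addresses are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example for the System.map discussion; not code from the forum thread or from Whonix.
# Assumes POSIX sh with awk, find, mktemp; ar and tar are only needed by extract_system_map.

# Constructed System.map excerpt (address, symbol type, name). The addresses are made up.
SAMPLE_MAP='ffffffff81000000 T _text
ffffffff81a00140 D init_task
ffffffff81e00300 R sys_call_table
ffffffff82400000 B __bss_start'

# write_sample_map: write the constructed excerpt to a temp file and print its path.
write_sample_map() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_MAP" > "$f"
    printf '%s\n' "$f"
}

# lookup_symbol MAPFILE NAME: print the address of NAME, exit 1 if it is absent.
# This is the step malware with hardcoded maps performs after picking the map for `uname -r`.
lookup_symbol() {
    awk -v name="$2" '$3 == name { print $1; found = 1; exit } END { exit found ? 0 : 1 }' "$1"
}

# map_readable_by_others FILE: exit 0 if group or other has read permission on FILE.
# Uses the POSIX `find -perm -mode` form so it does not depend on GNU stat.
map_readable_by_others() {
    [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# extract_system_map DEB OUTDIR: pull boot/System.map-* out of a kernel .deb without
# installing it, the way the one-liner in the thread does. Only the System.map member is
# extracted from data.tar.*, so the (large) modules tree never touches disk.
extract_system_map() {
    case $1 in /*) deb=$1 ;; *) deb=$PWD/$1 ;; esac
    work=$(mktemp -d) || return 1
    ( cd "$work" && ar x "$deb" ) || return 1
    member=$(cd "$work" && tar -tf data.tar.* | grep '/System\.map-' | head -n 1)
    [ -n "$member" ] || { rm -rf "$work"; return 1; }
    ( cd "$work" && tar -xf data.tar.* "$member" ) || { rm -rf "$work"; return 1; }
    cp "$work/$member" "$2"/ && printf '%s\n' "$2/$(basename "$member")"
    rm -rf "$work"
}

main() {
    map=$(write_sample_map)
    printf 'sys_call_table at %s\n' "$(lookup_symbol "$map" sys_call_table)"
    chmod 644 "$map"
    map_readable_by_others "$map" && echo "mode 644: readable by non-root (what the thread wants to close)"
    chmod 600 "$map"
    map_readable_by_others "$map" || echo "mode 600: hidden from non-root users"
    rm -f "$map"
    # Report on the running kernel's map, if this host has one.
    real=/boot/System.map-$(uname -r)
    if [ -e "$real" ]; then
        if map_readable_by_others "$real"; then
            echo "$real is readable by non-root users"
        else
            echo "$real is root-only"
        fi
    fi
}
main
```

The lookup deliberately keys on the symbol name rather than on a line offset, because the order and set of symbols differ between kernel builds; the point the thread makes is that an attacker only needs the handful of names they care about per kernel version, not the whole file.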
Instead of spending time on manually getting the information for multiple different kernels.
It always ends in the kernel version so you can just use
But that is only known after the kernel has been installed and booted, so mounting to /dev/null and similar tricks cannot be applied beforehand so that it never really gets written.