- An analysis of TCP secure SN generation in Linux and its privacy issues
- Tirdad kernel module for random ISN generation
- Tor Project bug report: Add research idea for Linux TCP Initial Sequence Numbers may aid correlation
- research paper: Hot or not: revealing hidden services by their clock skew
- Whonix ticket
Packing is done. Available from all Whonix repositories. Testers wanted! To install:
sudo apt update
sudo apt install tirdad
Description and package source code:
- Enhanced loader. More sanity tests.
- Use /dev/random instead of openssl (/dev/urandom as per /dev/random vs. /dev/urandom - #2 by HulaHoop).
- Code simplification.
Why should tirdad be loaded as early as possible? Currently tirdad is loaded before networking comes up through systemd-modules-load.service.
Verified in the logs, it shows tirdad loads before sysinit. This is long before even networking-pre is reached. Systemd begins, and then almost immediately after, tirdad (and a few other modules) are inserted.
Since tirdad’s sole concern is the randomization of the ISN, as long as it starts before a network connection is established (which it does), there is no issue. I do not think having it start any earlier than it does gives any advantage or benefit.
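Added example (not part of the original thread, and not Whonix or tirdad code): one way to repeat the log check described above is to compare the journal timestamp of the module insertion with the point where systemd reaches network-pre. The message strings, the function name `check_load_order` and the sample journals are assumptions and constructed data; adjust the strings to the wording your systemd version logs.

```shell
#!/bin/sh
# Added example, not Whonix or tirdad code.
# Reads `journalctl -b -o short-monotonic` style lines on stdin and checks that
# the named module was inserted before networking preparation was reached.
# Assumption: the journal contains "Inserted module '<name>'" and
# "Reached target Network (Pre)"; wording may differ between systemd versions.
check_load_order() {
    awk -v mod="$1" -v q="'" '
        # Extract the monotonic timestamp from the "[    1.234567]" prefix.
        function stamp(line) {
            sub(/^\[ */, "", line); sub(/\].*$/, "", line)
            return line + 0
        }
        !seen_mod && index($0, "Inserted module " q mod q) { t_mod = stamp($0); seen_mod = 1 }
        !seen_net && index($0, "Reached target Network (Pre)") { t_net = stamp($0); seen_net = 1 }
        END {
            if (!seen_mod) { print "FAIL: " mod " was never inserted"; exit 2 }
            if (!seen_net) { print "UNKNOWN: no network-pre marker in input"; exit 3 }
            if (t_mod >= t_net) { print "FAIL: " mod " inserted after network-pre"; exit 1 }
            print "OK: " mod " inserted before network-pre"
        }'
}

# Constructed sample journals (hostname, PIDs and timestamps are made up).
sample_good() {
cat <<'EOF'
[    1.812345] host systemd-modules-load[231]: Inserted module 'tirdad'
[    2.004512] host systemd[1]: Reached target System Initialization.
[    3.441200] host systemd[1]: Reached target Network (Pre).
EOF
}
sample_late() {
cat <<'EOF'
[    3.441200] host systemd[1]: Reached target Network (Pre).
[    9.120034] host systemd-modules-load[812]: Inserted module 'tirdad'
EOF
}

# Demo on the constructed data. On a real system:
#   journalctl -b -o short-monotonic | check_load_order tirdad
sample_good | check_load_order tirdad
sample_late | check_load_order tirdad || echo "exit status: $?"
```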
Just to make sure TCP ISNs are always random no matter what.
Root could undo that though which isn’t good for untrusted root.
Also, compiling tirdad in the kernel source tree will cause the module to be signed with CONFIG_MODULE_SIG_ALL so we don’t need any dkms hooks for it or anything.
Or, compiling it as built-in will make it not need to be signed at all.
If the same can be done for LKRG, only vbox additions will be left.
Root might indeed install some package which then breaks systemd-modules-load.service or something.
There is a minor issue: an unwanted, confusing error message related to systemd-modules-load.service / /usr/lib/modules-load.d/30_tirdad.conf.
Setting up linux-image-4.19.0-8-amd64 (4.19.98-1) …
I: /vmlinuz is now a symlink to boot/vmlinuz-4.19.0-8-amd64
I: /initrd.img is now a symlink to boot/initrd.img-4.19.0-8-amd64
/etc/kernel/postinst.d/30_remove-system-map:
Deleting system.map files…
removed ‘/boot/System.map-4.19.0-8-amd64’
Done. Success.
/etc/kernel/postinst.d/dkms:
Job for systemd-modules-load.service failed because the control process exited with error code.
See “systemctl status systemd-modules-load.service” and “journalctl -xe” for details.
Job for systemd-modules-load.service failed because the control process exited with error code.
See “systemctl status systemd-modules-load.service” and “journalctl -xe” for details.
After APT finished, however, tirdad is properly installed and systemd-modules-load.service status is OK too.
It is this DKMS bug:
Added a comment: