TCP ISN CPU Information Leak Protection - tirdad

Patrick · October 7, 2024, 3:37am

Tickets:

Patrick · October 8, 2024, 4:51am

github.com/0xsirus/tirdad

Use kernel live patching API

0xsirus:master ← ArrayBolt3:master

opened 09:33PM - 07 Oct 24 UTC

ArrayBolt3

+24 -275

Context: https://github.com/0xsirus/tirdad/issues/23 This patch takes advanta…ge of Linux's built-in kernel livepatching API to replace the `secure_tcp_seq` and `secure_tcpv6_seq` functions in the kernel with tirdad's more secure versions. This has several advantages over directly modifying the page tables: * It's simpler - one no longer has to know how the page table system works to understand what's happening when reading through the code. (I tried to read through the page table modding code and it was... over my head.) * It's less dangerous. The existing page table modification code could theoretically end up causing problems if the kernel's page table system changes how it works under the hood. Using kernel live patching allows all of that potential future work to be offloaded onto whoever maintains the livepatching subsystem for Linux. * It makes the module a lot smaller. This is useful for security-sensitive distros like Kicksecure, since it means there's less code that could potentially have bugs or vulnerabilities. There are two potential disadvantages I can see with this approach, both of which I don't think are that big of a problem: * Removing tirdad from a running system becomes slightly more difficult. One has to manually "turn off" the patch using `echo 0 |sudo tee /sys/kernel/livepatch/tirdad/enabled` before `sudo rmmod tirdad` will work. This isn't that hard to do though. * If live patching is disabled in the kernel, tirdad will no longer be installable. IMO this isn't really a problem since a distro or individual who disables kernel livepatching explicitly does *not* want kernel functions to be hot-swapped in this fashion, which is what tirdad does. I've tested this patch on Debian Trixie (testing), and it appears to work quite well.

github.com/0xsirus/tirdad

Return random 32-bit numbers in ISN generation routines

0xsirus:master ← ArrayBolt3:generator-safety

opened 10:06PM - 07 Oct 24 UTC

ArrayBolt3

+4 -59

Context: https://github.com/0xsirus/tirdad/issues/23 This PR makes the ISN ge…neration routines in tirdad simpler and potentially more secure. The algorithm tirdad uses for generating ISNs essentially returns radically different pseudorandom numbers every time a new ISN is produced, regardless of what input is fed into the ISN generator functions. However, the input into those ISN generator functions is still taken into account, using an algorithm similar to what is already used in the Linux kernel. The main difference is that rather than using a static key with the data and adding on a timestamp, tirdad's algorithm uses an iteratively modified key. This is potentially dangerous, as an attacker could potentially analyze the returned ISNs and use them to infer the state of the underlying SipHash key (assuming that the key modification routine has a vulnerability). With this info, an attacker could predict which ISNs the victim would use next when interacting with any attacker-controlled server. With this info, an attacker could then infer what activities a victim took without having to analyze the victim's network traffic, by simply comparing any received ISN numbers with predicted ones and determining how many numbers were "skipped". More skipped numbers = the victim is more active online, less skipped numbers = the victim is potentially less active online. From a non-malicious user's point of view, all tirdad does is return a pseudorandom value in place of a normally generated ISN. With this being the case, there's no need to integrate any of the input into the ISN generator functions into the finished calculation. Rather than doing all of the math to hash the source and destination ports and addresses with an iteratively changed key, all that's needed is to spit out a random 32-bit value each time a new ISN is needed. To a non-malicious entity, this won't cause any problems that tirdad's current approach doesn't already cause, and to a malicious entitiy, it will entirely mitigate the above attack (provided of course Linux's built-in RNG doesn't have a vulnerability, but that's outside of tirdad's scope). This PR does exactly that - the ISN generation routines are set to ignore all input and generate random 32-bit values. I have tested this on Debian Testing (trixie) and it appears to work well.

Patrick · October 8, 2024, 5:06am

Linux kernel:
[PATCH] net: add option for using randomized TCP ISNs

The patch requests introduces the tcp_rand_isn kernel parameter:

Enables randomized TCP Initial Sequence Number (ISN) generation. When disabled, the kernel will use an algorithm for ISN generation that provides better performance at the cost of potentially leaking timing information over the network. When enabled, TCP ISNs will be randomly generated, providing better security with a potential performance hit.

The tcp_rand_isn kernel parameter would be a replacement for the kloak kernel module.

Patrick · October 8, 2024, 7:14am

Upstream version as of tirdad/module/tirdad.c at 4720311ff21c3f71cc5e3670caf5dfde2b31c5f8 · 0xsirus/tirdad · GitHub - 433 lines of code.
Rewrite by @arraybolt3 tirdad/module/tirdad.c at rewrite · Kicksecure/tirdad · GitHub - 127 lines of code.

Patrick · October 12, 2024, 8:39am

The new version is now in the testers repository.

nurmagoz · October 14, 2024, 2:06am

Fixed after upgraded tirdad to latest stable version

[user ~]% sudo apt -t bookworm-backports install linux-image-$(dpkg --print-architecture) linux-headers-$(dpkg --print-architecture)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  linux-headers-6.10.11+bpo-amd64 linux-headers-6.10.11+bpo-common
  linux-image-6.10.11+bpo-amd64 linux-kbuild-6.10.11+bpo linux-libc-dev
Suggested packages:
  linux-doc-6.10 debian-kernel-handbook
The following NEW packages will be installed:
  linux-headers-6.10.11+bpo-amd64 linux-headers-6.10.11+bpo-common
  linux-image-6.10.11+bpo-amd64 linux-kbuild-6.10.11+bpo
The following packages will be upgraded:
  linux-headers-amd64 linux-image-amd64 linux-libc-dev
3 upgraded, 4 newly installed, 0 to remove and 80 not upgraded.
Need to get 117 MB of archives.
After this operation, 175 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 tor+https://deb.debian.org/debian bookworm-backports/main amd64 linux-headers-6.10.11+bpo-common all 6.10.11-1~bpo12+1 [10.6 MB]
Get:2 tor+https://deb.debian.org/debian bookworm-backports/main amd64 linux-image-6.10.11+bpo-amd64 amd64 6.10.11-1~bpo12+1 [101 MB]
Get:3 tor+https://deb.debian.org/debian bookworm-backports/main amd64 linux-kbuild-6.10.11+bpo amd64 6.10.11-1~bpo12+1 [1,146 kB]
Get:4 tor+https://deb.debian.org/debian bookworm-backports/main amd64 linux-headers-6.10.11+bpo-amd64 amd64 6.10.11-1~bpo12+1 [1,437 kB]
Get:5 tor+https://deb.debian.org/debian bookworm-backports/main amd64 linux-headers-amd64 amd64 6.10.11-1~bpo12+1 [1,412 B]
Get:6 tor+https://deb.debian.org/debian bookworm-backports/main amd64 linux-image-amd64 amd64 6.10.11-1~bpo12+1 [1,476 B]
Get:7 tor+https://deb.debian.org/debian bookworm-backports/main amd64 linux-libc-dev all 6.10.11-1~bpo12+1 [2,400 kB]
Fetched 117 MB in 35s (3,299 kB/s)                                             
Selecting previously unselected package linux-headers-6.10.11+bpo-common.
(Reading database ... 120783 files and directories currently installed.)
Preparing to unpack .../0-linux-headers-6.10.11+bpo-common_6.10.11-1~bpo12+1_all
.deb ...
Unpacking linux-headers-6.10.11+bpo-common (6.10.11-1~bpo12+1) ...
Selecting previously unselected package linux-image-6.10.11+bpo-amd64.
Preparing to unpack .../1-linux-image-6.10.11+bpo-amd64_6.10.11-1~bpo12+1_amd64.
deb ...
Unpacking linux-image-6.10.11+bpo-amd64 (6.10.11-1~bpo12+1) ...
Selecting previously unselected package linux-kbuild-6.10.11+bpo.
Preparing to unpack .../2-linux-kbuild-6.10.11+bpo_6.10.11-1~bpo12+1_amd64.deb .
..
Unpacking linux-kbuild-6.10.11+bpo (6.10.11-1~bpo12+1) ...
Selecting previously unselected package linux-headers-6.10.11+bpo-amd64.
Preparing to unpack .../3-linux-headers-6.10.11+bpo-amd64_6.10.11-1~bpo12+1_amd6
4.deb ...
Unpacking linux-headers-6.10.11+bpo-amd64 (6.10.11-1~bpo12+1) ...
Preparing to unpack .../4-linux-headers-amd64_6.10.11-1~bpo12+1_amd64.deb ...
Unpacking linux-headers-amd64 (6.10.11-1~bpo12+1) over (6.1.112-1) ...
Preparing to unpack .../5-linux-image-amd64_6.10.11-1~bpo12+1_amd64.deb ...
Unpacking linux-image-amd64 (6.10.11-1~bpo12+1) over (6.1.112-1) ...
Preparing to unpack .../6-linux-libc-dev_6.10.11-1~bpo12+1_all.deb ...
Unpacking linux-libc-dev (6.10.11-1~bpo12+1) over (6.1.112-1) ...
Setting up linux-libc-dev (6.10.11-1~bpo12+1) ...
Setting up linux-image-6.10.11+bpo-amd64 (6.10.11-1~bpo12+1) ...
I: /vmlinuz.old is now a symlink to boot/vmlinuz-6.1.0-26-amd64
I: /initrd.img.old is now a symlink to boot/initrd.img-6.1.0-26-amd64
I: /vmlinuz is now a symlink to boot/vmlinuz-6.10.11+bpo-amd64
I: /initrd.img is now a symlink to boot/initrd.img-6.10.11+bpo-amd64
/etc/kernel/postinst.d/30_remove-system-map:
INFO: Deleting system.map files...
INFO: removed '/boot/System.map-6.10.11+bpo-amd64'
INFO: Done. Success.
/etc/kernel/postinst.d/dkms:
dkms: running auto installation service for kernel 6.10.11+bpo-amd64.
Sign command: /lib/modules/6.10.11+bpo-amd64/build/scripts/sign-file
Signing key: /var/lib/dkms/mok.key
Public certificate (MOK): /var/lib/dkms/mok.pub

Building module:
Cleaning build area...
make -j2 KERNELRELEASE=6.10.11+bpo-amd64 all...
Signing module /var/lib/dkms/tirdad/0.1/build/module/tirdad.ko
Cleaning build area...

tirdad.ko.xz:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/6.10.11+bpo-amd64/updates/dkms/
depmod.....
dkms: autoinstall for kernel: 6.10.11+bpo-amd64.
/etc/kernel/postinst.d/dracut:
dracut: Generating /boot/initrd.img-6.10.11+bpo-amd64
dracut: Disabling early microcode, because kernel does not support it. CONFIG_MI
CROCODE_[AMD|INTEL]!=y
dracut: dracut module 'nvmf' depends on 'network', which can't be installed
/etc/kernel/postinst.d/zz-update-grub:
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-6.10.11+bpo-amd64
Found initrd image: /boot/initrd.img-6.10.11+bpo-amd64
Found linux image: /boot/vmlinuz-6.1.0-26-amd64
Found initrd image: /boot/initrd.img-6.1.0-26-amd64
Found linux image: /boot/vmlinuz-6.1.0-25-amd64
Found initrd image: /boot/initrd.img-6.1.0-25-amd64
Found linux image: /boot/vmlinuz-6.10.11+bpo-amd64
Found initrd image: /boot/initrd.img-6.10.11+bpo-amd64
Found linux image: /boot/vmlinuz-6.1.0-26-amd64
Found initrd image: /boot/initrd.img-6.1.0-26-amd64
Found linux image: /boot/vmlinuz-6.1.0-25-amd64
Found initrd image: /boot/initrd.img-6.1.0-25-amd64
Warning: os-prober will be executed to detect other bootable partitions.
Its output will be used to detect bootable binaries on them and create new boot 
entries.
done
Setting up linux-headers-6.10.11+bpo-common (6.10.11-1~bpo12+1) ...
Setting up linux-kbuild-6.10.11+bpo (6.10.11-1~bpo12+1) ...
Setting up linux-headers-6.10.11+bpo-amd64 (6.10.11-1~bpo12+1) ...
/etc/kernel/header_postinst.d/dkms:
dkms: running auto installation service for kernel 6.10.11+bpo-amd64.
dkms: autoinstall for kernel: 6.10.11+bpo-amd64.
Setting up linux-headers-amd64 (6.10.11-1~bpo12+1) ...
Setting up linux-image-amd64 (6.10.11-1~bpo12+1) ...
Processing triggers for security-misc (3:40.0-1) ...
INFO: triggered security-misc: 'security-misc' security-misc DPKG_MAINTSCRIPT_NA
ME: 'postinst' $\@: 'triggered /usr' 2: '/usr'
/usr/libexec/security-misc/mmap-rnd-bits: INFO: Successfully written ASLR map co
nfig file:
/etc/sysctl.d/30_security-misc_aslr-mmap.conf
Running SUID Disabler and Permission Hardener... See also:
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
/var/lib/dpkg/info/security-misc.postinst: INFO: running: permission-hardener en
able
permission-hardener: [NOTICE]: To compare the current and previous permission mo
des, install 'meld' (or preferred diff tool) for comparison of file mode changes
:
    sudo apt install --no-install-recommends meld
    meld /var/lib/permission-hardener/existing_mode/statoverride /var/lib/permis
sion-hardener/new_mode/statoverride
/var/lib/dpkg/info/security-misc.postinst: INFO: Permission hardening success.
[user ~]%

Then removing old kernel residues:

[user ~]% sudo apt update && sudo apt full-upgrade && sudo apt autoremove "--purge" && sudo apt autoclean                           
Hit:1 tor+https://deb.debian.org/debian bookworm InRelease                     
Hit:2 tor+https://deb.debian.org/debian bookworm-updates InRelease             
Hit:3 tor+https://fasttrack.debian.net/debian bookworm-fasttrack InRelease
Hit:4 tor+https://deb.kicksecure.com bookworm-testers InRelease     
Hit:5 tor+https://deb.debian.org/debian-security bookworm-security InRelease
Hit:6 tor+https://deb.debian.org/debian bookworm-backports InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
  linux-headers-6.1.0-25-common
Use 'sudo apt autoremove' to remove it.
The following packages will be REMOVED:
  linux-headers-6.1.0-25-amd64 linux-image-6.1.0-25-amd64
0 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
After this operation, 412 MB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 144628 files and directories currently installed.)
Removing linux-headers-6.1.0-25-amd64 (6.1.106-3) ...
Removing linux-image-6.1.0-25-amd64 (6.1.106-3) ...
/etc/kernel/prerm.d/dkms:
dkms: removing: tirdad 0.1 (6.1.0-25-amd64) (x86_64)
Module tirdad-0.1 for kernel 6.1.0-25-amd64 (x86_64).
Before uninstall, this module version was ACTIVE on this kernel.

tirdad.ko:
 - Uninstallation
   - Deleting from: /lib/modules/6.1.0-25-amd64/updates/dkms/
 - Original module
   - No original module was found for this module on this kernel.
   - Use the dkms install command to reinstall any previous module version.
depmod....
/etc/kernel/postrm.d/zz-update-grub:
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-6.10.11+bpo-amd64
Found initrd image: /boot/initrd.img-6.10.11+bpo-amd64
Found linux image: /boot/vmlinuz-6.1.0-26-amd64
Found initrd image: /boot/initrd.img-6.1.0-26-amd64
Found linux image: /boot/vmlinuz-6.10.11+bpo-amd64
Found initrd image: /boot/initrd.img-6.10.11+bpo-amd64
Found linux image: /boot/vmlinuz-6.1.0-26-amd64
Found initrd image: /boot/initrd.img-6.1.0-26-amd64
Warning: os-prober will be executed to detect other bootable partitions.
Its output will be used to detect bootable binaries on them and create new boot 
entries.
done
Processing triggers for security-misc (3:40.0-1) ...
INFO: triggered security-misc: 'security-misc' security-misc DPKG_MAINTSCRIPT_NA
ME: 'postinst' $\@: 'triggered /usr' 2: '/usr'
/usr/libexec/security-misc/mmap-rnd-bits: INFO: Successfully written ASLR map co
nfig file:
/etc/sysctl.d/30_security-misc_aslr-mmap.conf
Running SUID Disabler and Permission Hardener... See also:
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
/var/lib/dpkg/info/security-misc.postinst: INFO: running: permission-hardener en
able
permission-hardener: [NOTICE]: To compare the current and previous permission mo
des, install 'meld' (or preferred diff tool) for comparison of file mode changes
:
    sudo apt install --no-install-recommends meld
    meld /var/lib/permission-hardener/existing_mode/statoverride /var/lib/permis
sion-hardener/new_mode/statoverride
/var/lib/dpkg/info/security-misc.postinst: INFO: Permission hardening success.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be REMOVED:
  linux-headers-6.1.0-25-common*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 57.9 MB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 133181 files and directories currently installed.)
Removing linux-headers-6.1.0-25-common (6.1.106-3) ...
Processing triggers for security-misc (3:40.0-1) ...
INFO: triggered security-misc: 'security-misc' security-misc DPKG_MAINTSCRIPT_NA
ME: 'postinst' $\@: 'triggered /usr' 2: '/usr'
/usr/libexec/security-misc/mmap-rnd-bits: INFO: Successfully written ASLR map co
nfig file:
/etc/sysctl.d/30_security-misc_aslr-mmap.conf
Running SUID Disabler and Permission Hardener... See also:
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
/var/lib/dpkg/info/security-misc.postinst: INFO: running: permission-hardener en
able
permission-hardener: [NOTICE]: To compare the current and previous permission mo
des, install 'meld' (or preferred diff tool) for comparison of file mode changes
:
    sudo apt install --no-install-recommends meld
    meld /var/lib/permission-hardener/existing_mode/statoverride /var/lib/permis
sion-hardener/new_mode/statoverride
/var/lib/dpkg/info/security-misc.postinst: INFO: Permission hardening success.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
[user ~]%

Patrick · October 16, 2024, 9:48am

Lots of great news here!

All of above tickets have been resolved.

There has been a few fixes based on upstream’s feedback.

ignore legacy/tirdad.c (just a backup file no longer used with the old version)
scroll down to module/tirdad.c

Fortunately, @arraybolt3 rewrite was merged upstream!

Kicksecure source code now matches gain the same version as upstream. (The only change is, that Kicksecure added packaging for Debian.)

Please document proper in-tree build or update linux-hardened pull request · Issue #19 · 0xsirus/tirdad · GitHub

Patrick · October 16, 2024, 10:59am

Patrick · October 16, 2024, 11:04am

The new version is now in the testers repository.

Patrick · October 28, 2024, 5:01am

github.com/Whonix/kloak

Create kloak.spec

Whonix:master ← siliconwaffle:patch-1

opened 05:51PM - 27 Oct 24 UTC

siliconwaffle

+63 -0

Spec file for rpm, specifically for Fedora. This pull request changes... #…# Changes ## Mandatory Checklist - [ x ] Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements: [Terms of Service](https://www.whonix.org/wiki/Terms_of_Service), [Privacy Policy](https://www.whonix.org/wiki/Privacy_Policy), [Cookie Policy](https://www.whonix.org/wiki/Cookie_Policy), [E-Sign Consent](https://www.whonix.org/wiki/E-Sign_Consent), [DMCA](https://www.whonix.org/wiki/DMCA), [Imprint](https://www.whonix.org/wiki/Imprint) ## Optional Checklist The following items are optional but might be requested in certain cases. - [ x ] I have tested it locally - [ x ] I have reviewed and updated any documentation if relevant - [ ] I am providing new code and test(s) for it Fixes #

github.com/Whonix/kloak

Update README.md

Whonix:master ← siliconwaffle:patch-2

opened 05:51PM - 27 Oct 24 UTC

siliconwaffle

+1 -1

Update dependencies information for Fedora, specifically adding gcc and libubsan…(required for newer versions, there is no devel package available for it). And removing libevdev and libsodium(both are required by their respective devel packages, so their explicit listing here is unnecessary). This pull request changes... ## Changes ## Mandatory Checklist - [ x ] Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements: [Terms of Service](https://www.whonix.org/wiki/Terms_of_Service), [Privacy Policy](https://www.whonix.org/wiki/Privacy_Policy), [Cookie Policy](https://www.whonix.org/wiki/Cookie_Policy), [E-Sign Consent](https://www.whonix.org/wiki/E-Sign_Consent), [DMCA](https://www.whonix.org/wiki/DMCA), [Imprint](https://www.whonix.org/wiki/Imprint) ## Optional Checklist The following items are optional but might be requested in certain cases. - [ x ] I have tested it locally - [ x ] I have reviewed and updated any documentation if relevant - [ ] I am providing new code and test(s) for it Fixes #

Patrick · October 31, 2024, 11:07am

protocol vulnerability bug report:

Patrick · December 29, 2024, 1:08pm

Unfortunately, tirdad is unavailable for ARM64 at time of writing.

This is because Linux kernel live patching API is unavailable for ARM64.

This might be fixed in upcoming 17.2.8.8 and above.

Developer information:

Untested. If all goes well, dummy-dependency-tirdad will be installed instead.