hardened-kernel

From Whonix



Testers only!

Documentation for this is incomplete. Contributions are happily considered!

Overview

hardened-kernel [archive] attempts to increase computer security.

It is based on Linux [archive].

It consists of a hardened kernel configuration and hardening patches provided by the linux-hardened [archive] project.

It is currently only tested in two Linux distributions, Whonix (an anonymous operating system) and Kicksecure (a security-hardened, non-anonymous Linux distribution). These two Linux distributions are based on Debian. Therefore hardened-kernel will likely work in Debian [archive] too.

There are two kernel configs, hardened-vm-kernel [archive] and hardened-host-kernel [archive]. hardened-vm-kernel is designed specifically for virtual machines (VMs) and hardened-host-kernel is designed for hosts.

Both configs try to have as many hardening options enabled as possible and as little attack surface as possible. hardened-vm-kernel only has support for VMs; all other hardware options are disabled to reduce attack surface and compile time.

During installation of hardened-vm-kernel, the kernel is compiled on your own machine rather than taken from a pre-compiled package. This ensures the kernel symbols in the compiled image are unique to your build, which makes kernel exploits that depend on known symbol addresses far harder. This is possible because hardened-vm-kernel has only VM config options enabled, which drastically reduces compile time.

A development goal is that during installation of hardened-host-kernel, the kernel is not compiled on your machine but a pre-compiled kernel is used. This is because the host kernel needs most hardware options enabled to support most devices, which makes compilation take a very long time. This will probably be configurable, i.e. you will be able to opt in to compiling the host kernel locally too.

The VM kernel is more secure than the host kernel because it has less attack surface and is not pre-compiled. If you want more security for the host, it is recommended to edit the hardened host config, enable only the hardware options you need and compile the kernel yourself. This makes the security of the host and VM kernels comparable.

These kernels use the linux-hardened patch for further hardening. Custom hardening patches should be sent there.

Both configs were based on the default Debian config.

Improvements

Here is a list of the improvements in the config. It may not be complete, but it covers the bulk of the features.

Options we disable

Disables /proc/kcore. Exposes kernel text image layout.

Disables /dev/port. Can modify kernel memory.

Disables /dev/mem. Can modify kernel memory.

Disables livepatching. Can modify kernel code.

Disables CPU MSRs. Can be abused to write to kernel memory.

Disables kexec. Can replace the current kernel.

Disables kprobes. Can access kernel memory.

Disables bpf() syscall. Can be abused to read arbitrary kernel memory through functions such as bpf_probe_read() and has been the cause of many kernel vulnerabilities.

Disables ACPI table upgrading. Loading arbitrary ACPI tables can be abused to jump into kernel code.

Disables hibernation. The kernel image can be replaced during hibernation.

Disables slab merging. Reduces the risk of kernel heap overflows.

Disables userfaultfd() syscall. Can make heap sprays easier. [1]

Disables vivid. It's only required for testing and has been the cause of multiple vulnerabilities. [2]

Disables binfmt_misc. We don't need custom binary formats and they just add attack surface.

Disables legacy nouveau contexts. These aren't needed anymore and contain security holes. [3]

Disables INET socket monitoring interface. Has helped heap memory attacks in the past.

Disables vsyscall emulation. Vsyscalls are in a fixed position in memory and can be used to bypass ASLR.

Disables crash dumps and coredumps. Can contain sensitive information.

Disables uselib. Only used in older libc versions and has been the cause of privilege escalation vulnerabilities in the past.

Disables 32-bit support and IA32 emulation. Doesn't have much attention upstream so it's full of bugs. [4]

Disables modify_ldt() syscall. Increases low-level kernel attack surface.

Disables KSM. This has various vulnerabilities described here [archive].

Disables unused network protocols (DCCP, RDS, SCTP, Bluetooth, etc.).

Disables ftrace. Can hook into kernel code to gather a lot of information about what is happening in the kernel.

Disables firewire and thunderbolt. Can be abused for DMA.

Disables AIO. This has various vulnerabilities described here [archive].

Disables sysfs() syscall. Deprecated.

Disables debugfs. Contains a lot of debug info that's been the cause of many vulnerabilities in the past.

Disables notifier error injection. Allows userspace to inject artificial errors into kernel code.

Disables profiling support. Can gather potentially dangerous debugging information.

Disables unneeded partition types.

Disables IPv6.

Disables unused LSMs. Only AppArmor is enabled.

Disables /proc page monitoring. It adds files to /proc that leak a lot of memory layout information, which can be useful for bypassing ASLR.

Disables unused filesystems.

Restricts loading line disciplines to CAP_SYS_MODULE. Prevents attackers from loading ancient, vulnerable line disciplines in order to exploit them.

Distrusts the CPU for initial entropy as it cannot be audited to ensure it gives good entropy.

Disables staging drivers. These are lower quality and are more likely to contain vulnerabilities.

Disables some legacy drivers with security holes.

Options we enable

Enables validation of commonly targeted structures (SG tables, notifier call chains, credential management, linked list manipulation).

Enables sanity checks in the virtual-to-page address conversion code to prevent certain data corruption.

Enables IOMMU by default. Prevents DMA attacks.

Enables hardening GCC plugins: LATENT_ENTROPY, STRUCTLEAK and RANDSTRUCT. LATENT_ENTROPY gathers more entropy during boot, STRUCTLEAK zero-inits variables and RANDSTRUCT randomizes the layout of sensitive kernel structures. We do not weaken RANDSTRUCT with the RANDSTRUCT_PERFORMANCE option. We use STRUCTLEAK's strongest option (BYREF_ALL).

Enables reset attack mitigation. Prevents certain cold-boot attacks.

Sets the number of entropy bits to use for mmap ASLR to the highest (32). linux-hardened applies this to the stack too.

Compiles jitterentropy and various HWRNGs as built-in for better entropy.

Signs all kernel modules during compilation.

Makes the kernel panic on oopses to deter bruteforcing.

Restricts the SysRq key to only allow SAK and shutdowns.
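As an added example (not part of this page or of the hardened-kernel project), the following POSIX shell script audits a kernel config file against a subset of the options listed above. The Kconfig symbol names are my assumed mapping of the descriptions to upstream symbols, the expectation list is deliberately partial, and the sample config is constructed for the stand-alone run.

```shell
#!/bin/sh
# Audit a kernel .config against a subset of the hardening choices described above.
# The symbol names are an assumed mapping of the page's prose to Kconfig symbols
# ("disables /proc/kcore" -> CONFIG_PROC_KCORE); WANT "n" means unset or absent.
HARDENING_EXPECTATIONS='
CONFIG_PROC_KCORE n
CONFIG_DEVMEM n
CONFIG_DEVPORT n
CONFIG_KEXEC n
CONFIG_KPROBES n
CONFIG_BPF_SYSCALL n
CONFIG_USERFAULTFD n
CONFIG_IA32_EMULATION n
CONFIG_DEBUG_LIST y
CONFIG_GCC_PLUGIN_RANDSTRUCT y
CONFIG_PANIC_ON_OOPS y
CONFIG_ARCH_MMAP_RND_BITS 32
'

# kconfig_value FILE SYMBOL: print the value after "=", or "n" when unset/missing.
kconfig_value() {
    v=$(grep -E "^$2=" "$1" | head -n 1 | cut -d= -f2-)
    [ -n "$v" ] && printf '%s\n' "$v" || printf 'n\n'
}

# audit_kconfig FILE: report each deviation on stderr, print the deviation count.
audit_kconfig() {
    deviations=0
    while read -r sym want; do
        [ -z "$sym" ] && continue
        have=$(kconfig_value "$1" "$sym")
        if [ "$have" != "$want" ]; then
            printf 'DEVIATION %s: want %s, have %s\n' "$sym" "$want" "$have" >&2
            deviations=$((deviations + 1))
        fi
    done <<EOF
$HARDENING_EXPECTATIONS
EOF
    printf '%s\n' "$deviations"
}

# write_sample_config FILE: constructed sample (not a Whonix config) with three
# deviations: kcore on, bpf() on, and mmap ASLR entropy below 32 bits.
write_sample_config() {
    printf '%s\n' 'CONFIG_PROC_KCORE=y' '# CONFIG_DEVMEM is not set' 'CONFIG_BPF_SYSCALL=y' \
        'CONFIG_DEBUG_LIST=y' 'CONFIG_GCC_PLUGIN_RANDSTRUCT=y' 'CONFIG_PANIC_ON_OOPS=y' \
        'CONFIG_ARCH_MMAP_RND_BITS=28' > "$1"
}

# Stand-alone run on the constructed sample; prints 3 deviations and the count.
f=$(mktemp); write_sample_config "$f"; audit_kconfig "$f"; rm -f "$f"
```

On a Debian-based system the running kernel's config is usually readable at /boot/config-$(uname -r), so `audit_kconfig "/boot/config-$(uname -r)"` audits the installed kernel.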

linux-hardened

linux-hardened [archive] is a patch for the Linux kernel that adds many hardening features.

Improvements of linux-hardened

Many ASLR improvements (see https://gist.github.com/thestinger/b43b460cfccfade51b5a2220a0550c35 [archive]).

Marks more areas as read-only with __ro_after_init and adds __read_only for non-init usage.

Adds writable function pointer detection.

Enables stricter sysctls by default, although we set these with security-misc already.

More sanity checks.

Slab canaries.

Sanitizes slab and page allocations on free (for non-LTS kernels, it just uses init_on_{free,alloc} with some enhancements).

Verifies slab and page sanitization.

Restricts the TIOCSTI ioctl to CAP_SYS_ADMIN as it can be used to compromise many programs in the same session.

Disables unprivileged user namespaces. These expose a lot of kernel attack surface.

Restricts device timing sidechannels to CAP_MKNOD.

Restricts all perf_event_open() use to CAP_SYS_ADMIN.

Makes the kernel BUG on more data corruption.

Adds the extra_latent_entropy kernel boot parameter to gather more entropy during boot.

Disables TCP simultaneous connect. This weakness allows an attacker to easily prevent a client from connecting to a known server so it should be disabled.

Improvements of linux-hardened we don't yet benefit from

FORTIFY_SOURCE enhancements. These aren't intended for production usage.

Restricts userfaultfd() syscall to root. We disable userfaultfd() altogether.

Extends init_on_free and init_on_alloc to slab caches with constructors. These aren't in our kernel version.

Hard-wires the legacy checkreqprot option to 0. We don't use SELinux.

Adds a sysctl to disable newly added USB devices (kernel.deny_new_usb). We don't make use of this yet.

Zero-fills uninitialized local variables. Requires clang compiler support, and we use GCC.

Upcoming improvements of linux-hardened

We are contributing to linux-hardened [archive] and adding more hardening features. These aren't merged yet; this list documents the upcoming features.

Restricts module auto-loading to CAP_SYS_MODULE. Prevents unprivileged attackers from auto-loading vulnerable modules to increase attack surface.

Restricts access to sysfs to root. Sysfs has been the cause of many vulnerabilities and info-leaks.

Further restricts perf_event_open() to deny even root from using it.

Trusted Path Execution.

Unused options

There are some hardening options we don't use. This list gives those options and the reason for each.

CONFIG_STATIC_USERMODEHELPER=y - This would be great to enable but breaks boot.

CONFIG_KALLSYMS=n - We set kptr_restrict so this won't make much difference except minor attack surface reduction.

CONFIG_MAGIC_SYSRQ=n - There are important features of SysRq we don't want to lose such as SAK. Instead, we restrict the SysRq key to only allow SAK and shutdowns.

CONFIG_BPF_JIT=n - We harden the BPF JIT compiler so this isn't as important, but there has been some discussion on disabling it: https://forums.whonix.org/t/should-the-bpf-jit-compiler-be-disabled/8475 [archive]

CONFIG_MODULE_SIG_FORCE=y - Currently, this would break the VirtualBox Guest Additions, LKRG and Tirdad kernel modules, but there is work on fixing this.

CONFIG_SLUB_DEBUG_ON=y - This gives no advantage over the slub_debug= boot parameter.

CONFIG_SECURITY_LOADPIN=y - We don't use loadpin so this option is pointless.

CONFIG_PAGE_POISONING=y - We use linux-hardened's CONFIG_PAGE_SANITIZE instead which is better and doesn't force debug bloat.

CONFIG_MODULES=n - We need kernel modules and restrict module loading as much as we can (with apparmor-profile-everything and in the future, enforcing signature verification and restricting auto-loading to root). This can be reconsidered once clang CFI is upstream as disabling module support improves CFI granularity.

CONFIG_USER_NS=n - This option is only a problem for unprivileged users and linux-hardened restricts these to root.

CONFIG_SHUFFLE_PAGE_ALLOCATOR=y - Not in LTS kernels.

CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y - Not in LTS kernels.

CONFIG_INIT_ON_FREE_DEFAULT_ON=y - Not in LTS kernels.

CONFIG_GCC_PLUGIN_STACKLEAK=y - Not in LTS kernels.

CONFIG_SECURITY_LOCKDOWN_LSM=y - Not in LTS kernels.

CONFIG_SECURITY_SAFESETID=y - Not in LTS kernels.

CONFIG_INIT_STACK_ALL=y - Requires clang compiler support.

CONFIG_LOCAL_INIT=y (linux-hardened) - Requires clang compiler support.

Disabled Devices

Both kernels disable some drivers that are unlikely to be used to cut attack surface. The drivers disabled are as follows:

  • All staging drivers:
    • CONFIG_RTL8192U - RealTek RTL8192U Wireless LAN NIC driver
    • CONFIG_RTL8192E - RealTek RTL8192E Wireless LAN NIC driver
    • CONFIG_RTL8723BS - RTL8723BS SDIO
    • Intel Compute Stick, the CHIP and many other Intel Atom and ARM based devices
    • R8712U
    • D-Link DWA-130
    • CONFIG_R8188EU
    • TP-Link TL-WN725N
    • CONFIG_R8822BE - Realtek RTL8822BE 802.11ac
    • CONFIG_RTS5208 - Realtek PCI-E Card Reader RTS5208/5288 support
    • CONFIG_PI433 - Pi433 - a 433MHz radio module for Raspberry Pi
    • Some data acquisition devices, such as CONFIG_COMEDI
  • All industrial I/O support (CONFIG_IIO) is disabled. This includes things like humidity sensors, chemical sensors, light sensors, accelerometers etc. that don't really make sense on a usual desktop system.
  • All android support is disabled as these kernels aren't meant to be used on any mobile devices.
  • Infiniband support.
  • SMC-R ("sockets over RDMA") and RDMA over Converged Ethernet (RoCE).

Project Status

Blockers before calling Whonix Users for Testing

Blockers for Host Release

  • There is no pre-compiled hardened-host-kernel package yet.

Maintainability

  • Could use a script that helps contributors easily update version numbers (using str_replace).

Outreach

List of All Tasks

Contribute

Since this is an Open Source / Free/Libre/Freedom Software project, development help is very much welcome!

Upstreaming

Unfortunately, this seems unlikely:

Forum Discussion

https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598 [archive]

References




Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
