Which insecure kernel to choose
As one of the pillars of the open source ecosystem, the Linux kernel is one of the most influential projects in use today. With over k commits and 25, forks listed on its GitHub page, the Linux kernel can boast an active and engaged community of over 12, developers, including talent from tech giants like Microsoft, Google, Intel, and Red Hat.
Given such a robust community, a wide range of Linux kernel vulnerabilities are bound to turn up in the course of code reviews and simply from poking and prodding the popular project. Over the years, the Linux kernel has racked up one of the longest lists of vulnerabilities among open source projects. While a reputation like that might scare some developers off using this project in their own work, its continued popularity reflects the understanding that some components are so baked into the ecosystem that no amount of vulnerabilities is going to keep developers from using them.
By the same token, such a reputation actually provides a bit of street cred since it shows that the community supporting this project actually cares and is active enough to catch vulnerabilities before they become a problem. Once uncovered, the community can develop a fix and make it available for developers to implement in their products. Unlike Windows or MacOS which push out software updates to users automatically, it is up to developers to look for Linux kernel updates on their own.
This means being aware of which open source components they are using in their products and keeping track of when new vulnerabilities are discovered. So in case you are a user of the Linux kernel but for some reason have not been following the project for new versions that fix reported vulnerabilities, we have compiled a list of the worst vulnerabilities to hit the project in the past 10 years from the WhiteSource database.
These are all rated high on CVSS v2. CVSS v2: 10 (High). Impacted versions: Before 4. This is because it was first reported and had its ID reserved in before it was published by the National Vulnerability Database in January of. This particular Linux kernel vulnerability is a real kick in the teeth given the important role that it plays in filtering network communication by defining the maximum segment size that is allowed for accepting TCP headers. Without these important controls, users open themselves up to overflow issues.
A common theme that we see throughout the Linux kernel vulnerabilities on this list is that the attacks can be carried out remotely without any action taken by the target. These remote attacks present a bigger threat than, say, one that requires the hacker to work locally.

Time synchronization is vital for anonymity and security. A wrong system clock can expose you to clock skew fingerprinting attacks or can be used to feed you outdated HTTPS certificates, bypassing certificate expiry or revocation. The most popular time synchronization method, NTP, is insecure as it is unencrypted and unauthenticated, allowing an attacker to trivially intercept and modify requests.
NTP also leaks your local system time in NTP timestamp format, which can be used for clock skew fingerprinting, as briefly mentioned before. Thus, you should uninstall any NTP clients and disable systemd-timesyncd if it is in use. Tools that accomplish this are sdwdate or my own secure-time-sync.

It is possible to fingerprint a person by the manner in which they enter keys on the keyboard. You can be uniquely fingerprinted via your typing speed, pauses in between key presses, the exact time at which each key is pressed and released, and so on. It is possible to test this online with KeyTrac. The mitigation is to introduce a random delay between a key being pressed and it being picked up by the application; this may, however, be frustrating for certain individuals and unsuitable for them. This form of tracking must not be confused with stylometry.

By default, the permissions of files are quite permissive.
You should search across your system for files and directories with improper permissions and restrict them. For example, on some distributions, such as Debian, users' home directories are world-readable. This can be restricted by executing:. To restrict access to these, execute:. On Debian-based distributions, the file permissions must be preserved with dpkg-statoverride. Otherwise, they will be overwritten during an update.

The setuid bit is often used to allow unprivileged users to utilise certain functionality that is normally reserved for the root user. As such, many SUID binaries have a history of privilege escalation security vulnerabilities. To find all binaries on the system with the setuid or setgid bit, execute:. To remove the setuid bit, execute:. The default umask is which is not very secure, as this gives read access to every user on the system for newly created files.
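As an added example (not code from the original guide), the following POSIX shell functions perform the audit and clean-up just described: listing world-readable home directories, listing setuid/setgid files, and restricting both. The directory to scan is a parameter so the functions can be tried on a scratch tree first; on a live system pass /home and /. The dpkg-statoverride line in the comment uses the tool's real syntax with a placeholder path.

```shell
#!/bin/sh
# Added example, not from the original page: audit a directory tree for the
# two problems discussed above (world-readable home directories and
# setuid/setgid files) and restrict them.

# Directories directly under $1 whose mode grants "other" read access
# (octal 004), e.g. Debian's default 755 home directories.
find_world_readable_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm -004 2>/dev/null | sort
}

# Regular files under $1 with the setuid (4000) or setgid (2000) bit set.
# -xdev stays on one filesystem so /proc, /sys and network mounts are
# skipped when the tree is /.
find_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Make every directory under $1 private to its owner (mode 700).
restrict_home_dirs() {
    for d in "$1"/*/; do
        if [ -d "$d" ]; then
            chmod 700 "$d"
        fi
    done
}

# Remove the setuid and setgid bits from one file. On Debian-based systems
# the new mode must also be registered, or the next package upgrade will
# restore the old one (the page's dpkg-statoverride point):
#   dpkg-statoverride --update --add root root 0755 /path/to/binary
strip_suid_sgid() {
    chmod u-s,g-s "$1"
}

# Print a report only when invoked with --report, so the functions can also
# be sourced from another script.
if [ "${1:-}" = "--report" ]; then
    echo "World-readable home directories:"; find_world_readable_dirs /home
    echo "setuid/setgid files:";            find_suid_sgid /
fi
```

Run the report first and review the setuid list by hand: some entries (su, sudo, passwd) need the bit to work, so the goal is to strip it from binaries you never use, not from all of them.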
Core dumps contain the recorded memory of a program at a specific time, usually when that program has crashed. These can contain sensitive information, such as passwords and encryption keys, so they must be disabled. There are three main ways to disable them: sysctl, systemd and ulimit. Processes that run with elevated privileges may still dump their memory even after these settings. To prevent them from doing so, set the following via sysctl:.
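The three mechanisms named above, written out as configuration. This is an added example, not configuration from the original guide; the file paths are the conventional ones and the swap setting from the next paragraph is included in the sysctl file because it belongs in the same place. The setting names are real kernel and systemd keys.

```conf
# Added example, not from the original page: disable core dumps three ways,
# plus the swap setting discussed in the following paragraph.

# 1. /etc/sysctl.d/99-hardening.conf  (apply with: sysctl --system)
#    systemd ships 50-coredump.conf pointing core_pattern at systemd-coredump;
#    a file sorting after it wins. Piping to /bin/false writes nothing even if
#    a process raises its own core limit.
kernel.core_pattern=|/bin/false
#    Never dump a process that changed privileges (setuid binaries, or ones
#    that dropped capabilities). This is the setting for privileged processes
#    that the paragraph above refers to.
fs.suid_dumpable=0
#    Swap only when almost out of memory: keep reclaiming page cache first.
vm.swappiness=1

# 2. /etc/systemd/coredump.conf
[Coredump]
Storage=none
ProcessSizeMax=0

# 3. /etc/security/limits.d/99-nocore.conf  (same as `ulimit -c 0` for all)
#    <domain> <type> <item> <value>
*  hard  core  0
```

Use all three rather than one: the limit stops ordinary processes, the systemd setting stops the collector from storing anything, and the core_pattern setting catches whatever is left.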
Similar to core dumps, swapping or paging copies parts of memory to disk, which can contain sensitive information. The kernel should be configured to only swap if absolutely necessary with this sysctl:.

PAM is a framework for user authentication. It's what you use when you log in. You can make it more secure by requiring strong passwords or enforcing delays upon failed login attempts. It enforces a configurable policy for passwords.

Microcode updates are essential to fix critical CPU vulnerabilities, such as Meltdown and Spectre, among numerous others. Most distributions include these in their software repositories, such as Arch Linux and Debian.
IPv6 addresses are generated from your computer's MAC address, making your IPv6 address unique and tied directly to your computer. Privacy extensions generate a random IPv6 address to mitigate this form of tracking. To enable these, set the following settings via sysctl:.

File systems should be separated into various partitions to gain fine-grained control over their permissions. Different mount options can be added to restrict what can be done:. If you cannot use separate partitions, then create bind mounts. Be aware that noexec can be bypassed via shell scripts.
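An /etc/fstab illustrating the separate-partition layout and the mount options just mentioned, with the bind-mount fallback. This is an added example, not the guide's own configuration: the UUIDs are placeholders and ext4 is assumed.

```conf
# Added example, not from the original page: restrictive mount options per
# partition. UUIDs are placeholders; run `blkid` to find yours.
#
#   nodev   device nodes on this filesystem cannot be used
#   nosuid  setuid/setgid bits are ignored
#   noexec  binaries cannot be run directly (a script can still be passed to
#           an interpreter, which is the bypass the page warns about)
#
# <filesystem>              <mount>   <type>  <options>                               <dump> <pass>
UUID=<root-partition-uuid>  /         ext4    defaults                                0      1
UUID=<home-partition-uuid>  /home     ext4    defaults,nodev,nosuid,noexec            0      2
UUID=<var-partition-uuid>   /var      ext4    defaults,nodev,nosuid                   0      2
tmpfs                       /tmp      tmpfs   defaults,nodev,nosuid,noexec,mode=1777  0      0
tmpfs                       /dev/shm  tmpfs   defaults,nodev,nosuid,noexec            0      0

# Fallback when /home is part of the root filesystem: bind it onto itself
# with the options applied (util-linux 2.27 and later do this via a remount).
# /home                     /home     none    bind,nodev,nosuid,noexec                0      0
```

/var is left executable because package managers run maintainer scripts from it; noexec on /home and /tmp will break anything users run from there (AppImages, build output, some installers), so test before making it permanent.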
Entropy is, put simply, the randomness collected by an operating system and is crucial for things such as encryption. Hence, it is best to gather as much entropy as possible from a variety of sources by installing additional random number generators like haveged and jitterentropy.

The CPU's built-in hardware RNG is automatically used by the kernel as an entropy source if it is available; but since it is proprietary and part of the CPU itself, it is impossible to audit and verify its security properties. You are not even able to reverse engineer the code if you wish. This RNG has suffered from vulnerabilities before, some of which may have been backdoors. It is possible to distrust this feature by setting the following boot parameter:.

It is not recommended to run ordinary text editors as root. Most text editors can do much more than simply edit text files, and this can be exploited.
For example, open vi as root and enter :sh. You now have a root shell with access to your entire system, which an attacker can easily exploit. A solution to this is using sudoedit. This copies the file to a temporary location, opens the text editor as an ordinary user, edits the temporary file and overwrites the original file as root. This way, the actual editor doesn't run as root. To use sudoedit, execute:. For example, to use nano, execute:.

Many distributions' package managers download packages over unencrypted HTTP by default. People assume this is fine because package managers verify the signatures of packages before installation. However, historically, there have been multiple bypasses of this. You should configure your package manager to exclusively download from HTTPS mirrors for defence-in-depth. On Debian-based distributions, APT can also be sandboxed with seccomp. This restricts the syscalls that APT is allowed to execute, which can severely limit an attacker's ability to do harm to the system if they attempt to exploit a vulnerability in APT.
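Both APT settings from the paragraph above as configuration files. This is an added example, not from the original guide; the mirror and suite names are Debian 12's and should be swapped for your own.

```conf
# Added example, not from the original page: APT over HTTPS only, plus the
# seccomp sandbox for APT's download methods.

# /etc/apt/sources.list  (Debian 12 "bookworm" shown; the ca-certificates
# package must be installed for HTTPS verification to work)
deb https://deb.debian.org/debian bookworm main
deb https://deb.debian.org/debian bookworm-updates main
deb https://deb.debian.org/debian-security bookworm-security main

# /etc/apt/apt.conf.d/40sandbox  (APT 1.6 and later; off by default)
# Restricts the system calls the http/https methods may make.
APT::Sandbox::Seccomp "true";
```

After changing these, run `apt-get update`: a mirror that only speaks HTTP fails loudly rather than silently downgrading, and a method killed by the seccomp filter is reported as a sandbox violation, which is exactly the behaviour you want to see before relying on it.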
Full-disk encryption ensures that all data on your drive is encrypted and cannot be read by a physical attacker.

Most distributions support enabling encryption during installation. Make sure you set a strong password. You can also encrypt your drive manually with dm-crypt. Encryption protects confidentiality but does not by itself verify integrity, so it is still possible to modify the kernel, bootloader and other critical files. To fully protect against tampering you must also implement verified boot.

Most firmware allows a BIOS or UEFI password to be set. It is best to enable this and set a very strong password. This is a weak protection though, as it is trivial to reset the password. It is often stored in volatile memory, so an attacker just needs to be able to remove the CMOS battery for a few seconds, or they can reset it with a jumper on certain motherboards. You should also disable all unused devices and boot options, such as USB booting, to reduce attack surface. Treat firmware updates as being as important as regular operating system updates.

The bootloader executes very early in the boot process and is responsible for loading your operating system.
It is very important that you protect your bootloader. Otherwise anyone with access to the boot menu can edit the boot entries; you can prevent this by setting a password for your bootloader. Setting a bootloader password alone is not enough to fully protect it. You must also set up verified boot as documented below. Enter your password and a string will be generated from that password. It will be something like "grub. For most people, this will just be "root". Regenerate your configuration file and GRUB will now be password protected.

Syslinux can either set a master password or a menu password. A master password is required for booting any entry, while a menu password is only required for booting a specific entry. It is recommended that you hash your password with a strong hashing algorithm like SHA or SHA first to avoid storing it in plaintext. In the loader.

Verified boot ensures the integrity of the boot chain and base system by cryptographically verifying them. This can be used to ensure that a physical attacker cannot modify the software on the device.
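The GRUB password procedure described above, as an added example in POSIX shell (not code from the original guide). The real hash comes from `grub-mkpasswd-pbkdf2`; the value of DEMO_HASH is a constructed placeholder with the same shape, and the superuser name and config paths are the conventional ones.

```shell
#!/bin/sh
# Added example, not from the original page: put a PBKDF2 password on GRUB.
# `grub-mkpasswd-pbkdf2` prompts for the password twice and prints a string
# beginning "grub.pbkdf2.sha512."; DEMO_HASH below is a constructed
# placeholder of that shape, not a real hash.

# Sanity-check the shape of a hash before writing it into the GRUB config:
# grub.pbkdf2.sha512.<iterations>.<salt hex>.<derived key hex>
is_grub_pbkdf2_hash() {
    printf '%s\n' "$1" |
        grep -Eq '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$'
}

# Print the stanza for /etc/grub.d/40_custom.
#   $1 = GRUB superuser name (for most people "root", as the page says)
#   $2 = hash from grub-mkpasswd-pbkdf2
# Refuses anything that is not a PBKDF2 hash, so a plaintext password is
# never written to disk by mistake.
grub_password_stanza() {
    if ! is_grub_pbkdf2_hash "$2"; then
        echo "refusing: '$2' is not a grub.pbkdf2.sha512 hash" >&2
        return 1
    fi
    printf 'set superusers="%s"\npassword_pbkdf2 %s %s\n' "$1" "$1" "$2"
}

# Regenerate grub.cfg; the command differs between distributions (the page
# covers this under regenerating the GRUB configuration).
regenerate_grub_cfg() {
    if command -v update-grub >/dev/null 2>&1; then
        update-grub                              # Debian, Ubuntu
    else
        grub-mkconfig -o /boot/grub/grub.cfg     # Arch Linux and others
    fi
}

DEMO_HASH='grub.pbkdf2.sha512.10000.0123456789ABCDEF.FEDCBA9876543210'

# Show the stanza that would be appended. On a real system:
#   grub_password_stanza root "$REAL_HASH" >> /etc/grub.d/40_custom && regenerate_grub_cfg
grub_password_stanza root "$DEMO_HASH"
```

Once `superusers` is set, GRUB asks for the password not only to edit entries or use the command line but also to boot any entry not marked `--unrestricted`; if you want unattended boots, add that flag to the generated menuentry lines (on Debian-style setups, via the CLASS variable in /etc/grub.d/10_linux) and keep the password for editing only.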
Without verified boot, all of the precautions mentioned above could be bypassed with ease once physical access is gained. Verified boot is not just for physical security as many people assume. It can also be used to prevent remote malware persistence — if an attacker has managed to compromise the entire system and gain extremely high privileges, verified boot will revert their changes upon reboot and ensure they cannot persist.
The most common verified boot implementation is UEFI Secure Boot; however, this by itself is not a complete implementation, as it only verifies the bootloader and kernel, meaning there are ways to bypass it:.
In general, it's hard to achieve a respectable verified boot implementation on traditional Linux.

USB devices present significant attack surface for physical attacks. It is good practice to block all newly connected USBs and only whitelist trusted devices. USBGuard is great for this. You could also use nousb as a kernel boot parameter to disable all USB support in the kernel. If using linux-hardened, you can set the kernel.

Direct memory access (DMA) attacks involve gaining complete access to all of system memory by inserting certain physical devices. This can be mitigated via an IOMMU, which controls the areas of memory accessible to devices, or by blacklisting particularly vulnerable kernel modules. You only need to enable the IOMMU option for your specific CPU manufacturer, but there are no issues with enabling both options. To disable them, blacklist these kernel modules:.

A cold boot attack occurs when an attacker analyses the data in RAM before it is erased. When using modern RAM, cold boot attacks aren't very practical, as RAM usually clears within a few seconds or minutes unless it has been placed inside a cooling solution, such as liquid nitrogen or a freezer.
An attacker would have to rip out the RAM sticks from your device and expose it to liquid nitrogen all within a few seconds and without the user noticing. If cold boot attacks are part of your threat model, then guard your computer for a few minutes after shutdown to ensure that nobody has access to your RAM sticks.
You could also solder the RAM sticks into your motherboard to make it harder for them to be seized. If using a laptop, take out the battery and run directly off the charging cable. Pull out the cable after shutdown to ensure that the RAM has no access to more power to stay alive.
In the kernel self-protection boot parameters section, the zeroing of memory at free time option will overwrite sensitive data in memory with zeroes. Despite these though, some data may still remain in memory.
Additionally, modern kernels include a reset attack mitigation which commands the firmware to erase data upon shutdown, although this requires firmware support. Make sure that you shutdown your computer normally so the mitigations explained above can kick in. If none of the above are adequate for your threat model, you can implement Tails' memory erasure process which erases the majority of memory with the exception of video memory and has been proven to be effective.
Once you have hardened the system as much as you can, you should follow good privacy and security practices:

1. Disable or remove things you don't need to minimise attack surface.
2. Stay updated. Configure a cron job or init script to update your system daily.
3. Don't leak any information about you or your system, no matter how minor it may seem.
4. Follow general security and privacy advice.

Despite the hardening you have done, you must remember that Linux is still a fundamentally flawed operating system and no amount of hardening can ever fix it fully. You should perform as much varied research as possible and not rely on a single source of information. One of the largest security problems is the user.
You may need to regenerate your GRUB configuration to apply certain changes you have made to the bootloader. The steps to do this can sometimes differ between different distributions.
For example, on distributions such as Arch Linux, you are expected to regenerate your configuration file by executing:. Alternatively, on distributions like Debian or Ubuntu, you should execute:.

In the Linux kernel, "root privileges" are split up into various different capabilities. This is helpful in applying the principle of least privilege — instead of giving a process total root privileges, you can grant it only a specific subset.
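The two halves of the capabilities point in working form, as an added example that is not from the original guide: granting one narrow capability instead of root, and auditing the file capabilities already present for the ones that are as good as root. `setcap` and `getcap` are the real libcap tools; the binary paths and the sample `getcap` output are constructed, and the list of "dangerous" capabilities is the usual shortlist rather than anything the page defines.

```shell
#!/bin/sh
# Added example, not from the original page: least privilege with file
# capabilities, and an audit for capabilities that are effectively root.
# Paths and the sample getcap output used in testing are constructed.

# Capabilities that can each be turned into full root (module loading,
# ptrace of root processes, bypassing file permissions, uid changes, raw
# device access, or granting further capabilities).
DANGEROUS_CAPS='cap_sys_admin cap_sys_module cap_sys_ptrace cap_sys_rawio cap_dac_override cap_dac_read_search cap_setuid cap_setgid cap_setfcap'

# Least privilege in practice: let a service bind ports below 1024 without
# running as root. $1 = path of the service binary.
grant_bind_low_ports() {
    setcap 'cap_net_bind_service=+ep' "$1"
}

# Read `getcap` output on stdin; print "<path> <capability>" for each
# dangerous capability found. Both libcap output formats are handled:
#   /usr/bin/ping = cap_net_raw+ep     (libcap before 2.41)
#   /usr/bin/ping cap_net_raw=ep       (libcap 2.41 and later)
# Paths containing spaces are not handled (rare for system binaries).
flag_dangerous_caps() {
    while IFS= read -r line; do
        path=${line%% *}            # text up to the first space
        caps=${line#* }             # text after the first space
        caps=${caps#= }             # drop the old-format "= " separator
        caplist=${caps%%[+=]*}      # "cap_a,cap_b" before the +ep / =ep flags
        for cap in $(printf '%s' "$caplist" | tr ',' ' '); do
            case " $DANGEROUS_CAPS " in
                *" $cap "*) printf '%s %s\n' "$path" "$cap" ;;
            esac
        done
    done
}

# Walk the whole filesystem tree and report dangerous file capabilities.
audit_file_caps() {
    getcap -r / 2>/dev/null | flag_dangerous_caps
}

if [ "${1:-}" = "--audit" ]; then
    audit_file_caps
fi
```

Anything the audit prints deserves the same scrutiny as a setuid-root binary, because that is what it amounts to.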
Granting only a subset could limit the potential damage that can be done; however, you must still be cautious with granting capabilities, as many of them can be abused to gain full root privileges anyway.

On some devices, a person with physical control of a device and a USB cable is able to install a new operating system that provides root privileges to the user.
To protect any existing user data from compromise, the bootloader unlock mechanism requires that the bootloader erase any existing user data as part of the unlock step. Root access gained via exploiting a kernel bug or security hole can bypass this protection. Encrypting data with a key stored on-device does not protect the application data from root users.
Applications can add a layer of data protection using encryption with a key stored off-device, such as on a server or a user password. This approach can provide temporary protection while the key is not present, but at some point the key must be provided to the application and it then becomes accessible to root users.
A more robust approach to protecting data from root users is through the use of hardware solutions. OEMs may choose to implement hardware solutions that limit access to specific types of content such as DRM for video playback, or the NFC-related trusted storage for Google wallet. Android 3. Android 5. Upon boot, users must provide their credentials before any part of the disk is accessible.
File-based encryption allows different files to be encrypted with different keys that can be unlocked independently. More details on implementation of filesystem encryption are available in the Encryption section. Android can be configured to verify a user-supplied password prior to providing access to a device. In addition to preventing unauthorized use of the device, this password protects the cryptographic key for full filesystem encryption.
Android 2. Through the Email application, Exchange administrators can enforce password policies — including alphanumeric passwords or numeric PINs — across devices. Administrators can also remotely wipe (that is, restore factory defaults on) lost or stolen handsets. In addition to use in applications included with the Android system, these APIs are available to third-party providers of Device Management solutions.