New Grsec Feature Suggestions
Posted: Fri May 20, 2016 6:42 pm
Hi Spender & PaxTeam. I wanted to propose a few features for Grsec that are relevant beyond the privacy distros like Tails and Whonix (disclosure: I am a developer of the latter). Convincing upstream Linux to adopt security measures is like smashing one's head against a very large brick wall, so I am discussing it here where it counts and so millions of users can potentially benefit.
* TCP Timestamps leak a lot of sensitive data to the network, like system uptime, and allow attackers to fingerprint users and correlate timestamp leaks in Tor exit traffic with the timestamps in the client -> first hop circuit. Tails and we respond by completely disabling it despite documentation claiming performance problems without it. I recall seeing a patch you wrote for randomizing TCP Timestamps instead, which could address privacy concerns without affecting performance. Is it included in the TCP/IP hardening part of Grsec?
https://mailman.boum.org/pipermail/tail ... 04520.html
* nf_conntrack_helper : Tor's Jacob Appelbaum discussed a feature in this module that allows a bunch of legacy protocol parsers in the kernel when they have no business being there. These code paths were exploited before:
https://mailman.boum.org/pipermail/tail ... 07537.html
Can these be disabled by the Grsec patch out of the box?
* TCP Initial Sequence Numbers: Under an attacker-controlled CPU load, a server's kernel timers used for TCP ISNs skew at a predictable rate, which can be used to deanonymize Hidden Services. Is it possible to randomize the timer output somehow to mitigate this?
http://www.cl.cam.ac.uk/~sjm217/papers/ ... tornot.pdf
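The uptime leak the post describes for TCP Timestamps, as an added example that is not part of the original post and not grsecurity's code: it parses the timestamp option (kind 8) out of a raw TCP header, then uses two observations of one host's TSval to recover its tick rate and extrapolate how long the counter has been running. The headers, port numbers and capture times are constructed for the demo, and the table of candidate tick rates is an assumption about common CONFIG_HZ values.

```python
# Added example (not code from the forum post or from grsecurity): parse the
# TCP timestamp option out of a raw TCP header and estimate the sender's
# tick rate and uptime from two observations, which is the leak the post
# describes.  The headers and capture times below are constructed for the demo.
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_TIMESTAMP = 0, 1, 8
# Tick rates Linux is commonly built with (CONFIG_HZ); assumed set used to
# snap the measured rate to a plausible value.
COMMON_HZ = (100, 250, 300, 1000)


def parse_tcp_options(tcp_header: bytes) -> dict:
    """Return {kind: data} for the options in a TCP header.

    The data offset (upper nibble of byte 12, in 32-bit words) tells us where
    the options end; NOP is a single byte, everything else is kind/len/data.
    """
    doff = (tcp_header[12] >> 4) * 4
    if doff < 20 or doff > len(tcp_header):
        raise ValueError("bad data offset")
    opts = tcp_header[20:doff]
    out, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out[kind] = bytes(opts[i + 2:i + length])
        i += length
    return out


def tcp_timestamp(tcp_header: bytes):
    """(TSval, TSecr) from the timestamp option, or None if it is absent."""
    data = parse_tcp_options(tcp_header).get(TCPOPT_TIMESTAMP)
    if data is None or len(data) != 8:
        return None
    return struct.unpack("!II", data)


def estimate_clock(samples):
    """samples: [(capture_time_seconds, TSval), ...] observed from one host.

    Returns (raw_hz, snapped_hz, uptime_seconds): the measured tick rate, the
    nearest common rate, and the last TSval converted to seconds with that
    rate.  A 32-bit TSval wrap between the samples is handled by the mask.
    """
    (t0, v0), (t1, v1) = samples[0], samples[-1]
    if t1 <= t0:
        raise ValueError("need samples spread over time")
    ticks = (v1 - v0) & 0xFFFFFFFF
    raw_hz = ticks / (t1 - t0)
    snapped = min(COMMON_HZ, key=lambda hz: abs(hz - raw_hz))
    return raw_hz, snapped, v1 / snapped


def build_header(tsval: int, tsecr: int, sport=443, dport=50000) -> bytes:
    """Construct a minimal TCP header carrying NOP, NOP, timestamp (constructed data)."""
    opts = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_TIMESTAMP, 10]) + struct.pack("!II", tsval, tsecr)
    doff = (20 + len(opts)) // 4
    # src, dst, seq, ack, data offset << 4, flags (ACK), window, checksum, urgent
    fixed = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, doff << 4, 0x10, 65535, 0, 0)
    return fixed + opts


# Constructed capture: a 1000 Hz host seen 3.0 s apart with TSval near
# 8.64e8 ticks, i.e. about 10 days of uptime.
SAMPLES = [
    (1463770000.0, tcp_timestamp(build_header(864_000_000, 0))[0]),
    (1463770003.0, tcp_timestamp(build_header(864_003_000, 0))[0]),
]

if __name__ == "__main__":
    raw_hz, hz, uptime = estimate_clock(SAMPLES)
    print(f"raw rate {raw_hz:.1f} Hz, snapped {hz} Hz, uptime ~{uptime / 86400:.2f} days")
```

With the constructed samples the script reports 1000 Hz and roughly 10 days of uptime, and a third or fourth sample over a longer window would also expose the host's clock skew, which is what the correlation attack in the post relies on. Setting net.ipv4.tcp_timestamps to 0 removes the option entirely; since Linux 4.10 the kernel instead adds a per-connection random offset to TSval, which hides the absolute uptime from a single connection but still lets an observer measure the tick rate.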