Extended Brain Storage

# Artix Linux: Hardened Kernel and Hibernation

Posted on April 22, 2019

Using a hardened kernel in either Artix Linux or Arch Linux, may seem to be a smart decision to prevent various vulnerabilities from being exploited. However, everything comes with a price...

### In a Nutshell

The linux-hardened package uses a basic kernel hardening patch set and more security-focused compile-time configuration options than the linux package, which comes precompiled with the Linux distribution. For example:

• It provides an improved implementation of Address Space Layout Randomisation (ASLR) for userspace processes, which is a memory-protection process for operating systems that guards against buffer-overflow attacks by randomising the location where system executables are loaded into memory. The paxtest command can be used to obtain an estimate of the provided entropy.
• It restricts access to kernel logs using the kernel.dmesg_restrict = 1 flag setup, i.e. it forbids access to the logs without the CAP_SYS_ADMIN capability, which only processes running as root have by default.
• It restricts access to kernel pointers in the proc filesystem. Setting kernel.kptr_restrict = 1 will hide kernel symbol addresses in /proc/kallsyms from regular users without the CAP_SYSLOG capability, making it more difficult for kernel exploits to resolve addresses/symbols dynamically. Setting kernel.kptr_restrict = 2 will hide kernel symbol addresses regardless of privileges.
• It keeps the BPF JIT compiler disabled.
• A just-in-time (JIT) compiler is a computer program that translates computer code (usually bytecode) during execution of a program to machine code.
• Berkeley Packet Filter (BPF) provides a raw interface to data link layers, permitting raw link-layer packets to be sent and received. BPF is sometimes used to refer just to the filtering mechanism, rather than to the entire interface. Some projects use BPF instruction sets or execution techniques different from the originals and use a JIT compiler to convert BPF instructions into native code in order to improve performance.
• SECure COMPuting (seccomp) with Berkeley Packet Filter (BPF) was designed to filter incoming system calls and to provide a tool for sandbox developers, but it is not a sandbox.
• Although the BPF/Seccomp compilation can be useful in specific domains (e.g. orchestration platforms like Mesos and Kubernetes), it is usually not useful for desktop users or static servers. Moreover, it opens up the possibility for an attacker to perform a heap spraying attack, where they fill the kernel's heap with malicious code and where they can be further exploited by various attacks, such as the Spectre attacks.
• The net.core.bpf_jit_enable = 0 flag should be set for a maximum level of security: $echo "net.core.bpf_jit_enable = 0" > /etc/sysctl.d/50-bpf-jit-enable.conf • It restricts the ptrace scope. • Linux Security Modules (LSM) is a framework that allows the Linux kernel to support a variety of computer security models (e.g. AppArmor, SELinux, Smack, and TOMOYO Linux, ...) while avoiding favouritism toward any single security implementation. The LSM framework was designed to provide the specific needs of everything needed to successfully implement a mandatory access control module, while imposing the fewest possible changes to the Linux kernel. LSM inserts "hooks" (upcalls to the module) at every point in the kernel where a user-level system call is about to result in access to an important internal kernel object such as inodes and task control blocks. • Yama is another LSM that collects system-wide discretionary access control (DAC) security protections that are not handled by the core kernel itself. The Yama LSM is enabled by default using the kernel.yama.ptrace_scope = 1 flag to prevent processes from performing a ptrace call on other processes outside of their scope without CAP_SYS_PTRACE. • Using the hidepid and gid mount options • The kernel has the ability to hide other users' processes, normally accessible via /proc, from unprivileged users by mounting the proc filesystem with the hidepid= and gid= options. An evaluation of current settings can be performed as follows: $ paxtest blackhat
...
$sysctl kernel.dmesg_restrict kernel.dmesg_restrict = 1$ sysctl kernel.kptr_restrict
kernel.kptr_restrict = 2
$sysctl net.core.bpf_jit_enable net.core.bpf_jit_enable = 1$ sysctl kernel.yama.ptrace_scope
kernel.yama.ptrace_scope = 1
$mount | grep proc proc on /proc type proc (rw,nosuid,nodev,noexec,relatime) binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)  ### Hibernation Support Kernel needs to be set accordingly in order to provide support for hibernation. This can be verified by running: $ zcat /proc/config.gz | grep CONFIG_HIBERNATION
# CONFIG_HIBERNATION is not set


The problem is obvious. The support is not set up in the linux-hardened kernel. The reason is that kASLR is preferred over hibernation.

When building with both CONFIG_HIBERNATION and CONFIG_RANDOMIZE_BASE, one or the other must be chosen at boot-time. Until now, hibernation was selected when no choice was made on the command line.

To make the security benefits of kASLR more widely available to end users (since the use of hibernation is becoming more rare and kASLR, already available on x86, will be available on arm64 and MIPS soon), this changes the default to preferring kASLR over hibernation. Users wanting hibernation can turn off kASLR by adding nokaslr to the kernel command line.

More info can be found here.