New Grsec Feature Suggestions

Discuss and suggest new grsecurity features

Moderators: spender, PaX Team

New Grsec Feature Suggestions

Postby bancfc » Fri May 20, 2016 6:42 pm

Hi Spender & PaxTeam. I wanted to propose a few features for Grsec that are relevant beyond the privacy distros like Tails and Whonix (Disclosure: I am a developer of the latter). Convincing upstream Linux to adopt security measures is like smashing one's head against a very large brick wall so I am discussing it here where it counts and so millions of users can potentially benefit.


* TCP Timestamps leak a lot of sensitive data to the network like system uptime and allows attackers to fingerprint users and correlate timestamp leaks in Tor exit traffic with the timestamps in the client -> first hop circuit. Tails and us respond by completely disabling it despite documentation claiming performance problems without it. I recall seeing a patch you wrote for randomizing TCP Timestamps instead which could address privacy concerns but without affecting performance. Is it included in the TCP/IP hardening part of Grsec?

https://mailman.boum.org/pipermail/tail ... 04520.html


* nf_conntrack_helper : Tor's Jacob Appelbaum discussed a feature in this module that allows a bunch of legacy protocol parsers in the kernel when they have no business being there. These code paths were exploited before:

https://mailman.boum.org/pipermail/tail ... 07537.html

Can these be disabled by the Grsec patch out of the box?


* TCP Initial Sequence Numbers: Under an attacker controlled CPU load, a server's kernel timers used for TCP ISNs skew at a predictable rate which can be used to deanonymize Hidden Services. Is it possible to randomize the timer output somehow to mitigate this?

http://www.cl.cam.ac.uk/~sjm217/papers/ ... tornot.pdf
bancfc
 
Posts: 9
Joined: Fri Apr 15, 2016 3:55 pm

Re: New Grsec Feature Suggestions

Postby ShenXianMountain » Sun May 14, 2017 2:14 pm

for timestamps,your can disable it via sysctl.

[root@localhost paxtest-0.9.15]# sysctl -a| grep timestamp
net.ipv4.tcp_timestamps = 1
ShenXianMountain
 
Posts: 4
Joined: Sun Oct 23, 2016 9:55 pm


Return to grsecurity development

cron