How to hide Kernel Symbols in Linux Kernel Image? Recompliation?

Why hide kernel symbols?

Quote

Anyone with basic knowledge of kernel exploitation knows how important information gathering is to reliable exploitation. This protection hides the kernel symbols from various places that an attacker could use during information gathering in pre-exploitation stage. … This option also prevents leaking of kernel addresses through several /proc entries.

Bug Classes/Kernel pointer leak

Some places are obvious. /proc/kallsyms can be constrained through sysctl kernel.kptr_restrict=2. Access to folder /boot can be restricted through linux file permissions to root only and with apparmor even be hidden from root. AppArmor FullSystemPolicy (apparmor-profile-everything) Also other places such as /lib/modules, system.map, and the kernel source directory.

For the sake of asking a very specific question, please ignore other places where kernel symbols might leak. If want to enumerate them, please ask your own question, wait until I ask or add a comment.

My very specific question is around the following Quote:

The kernel […] is not precompiled by some distribution

This is because kernel symbols can be extracted from the kernel image. There are Open Source tools for that.

(That quote is about grsecurity but I am asking about non-grsecurity, i.e. the regular kernel from kernel.org here.)

Kernel images from public repositories such as packages.debian.org are well known by attackers. Attackers could simply hardcode the symbols addresses and thereby counter effort such as kernel.kptr_restrict=2.

To prevent kernel pointer leaks, the kernel image cannot be in a public known state. It needs to be unique, private as far as I understand. One needs to compile the kernel oneself.

Reproducible builds are an amazing effort of increasing the security for everyone. However, in this case reproducible builds would result in again ending up with a kernel with symbol addresses well predictable by attackers because the Debian linux kernel is already reproducible, mostly reproducible or in future fully reproducible (I didn’t follow up where development is regarding that).

How to hide kernel symbols of the linux kernel image (vmlinux) from an attacker? How to make sure my kernel has unique kernel symbols? Is there a kernel boot parameter for that? Or is it possible to somehow supply the kernel with a random file so it can randomize its symbols? Or is there some way to recompile the kernel in a way it would have unique symbol addresses?

My Huawei’s software details has been changed(build number , kernel version and baseband

My Huawei phoned is being controlled remotely. When I download apps on play Store, their permissions are being changed by that device using java. App permissions are continuously being changed, on my Google activity it shows apps that were downloaded but those apps were not downloaded by me and they are not visible on my phone. When I connect to public WiFi(Tshwane free wifi)it shows that it is not safe as it shows that the user is not the same as the page shown(it shows that it is Router board)

Passively read key from process memory without invoking kernel (windows 10)

I have a process that loads into memory like any other process. It contains a special key. Our goal is to read this key inside memory…or while it is in transit across the data bus from cpu. The catch is that our solution has to be stealthy and undetected by the kernel, so no DMA, drivers or anything that invokes traditional system calls/routines. Anything that leverages the kernel can be detected by the kernel.

Assume the system in question is infected by a rootkit. Assume the rootkit is employing everything specified here and more unknown anti-debug routines: https://github.com/LordNoteworthy/al-khaser So all the traditional windows routines, (like ObRegisterCallbacks) are hooked.

Is there a digital forensic device for this use case? In so far as I can tell the conventional means of volatile memory collection for forensic purposes can be detected (scraping/dumping).

Note1: There is a “magic” number associated with the bytes surrounding the key, so we don’t have to worry about being overwhelmed by heaps of data, we can filter for those magic bytes.

Note2: We can in theory configure this to use non volatile memory for RAM… then shutoff the computer while the key is in there. However, the key is only good as long as the process remains open. It is random gen, key cannot be cracked. This is also somewhat of a side-channel attack question I suppose. Reading cache I would assume be out of the question since its usually embedded on the cpu or motherboard.

Note3: Running this in a hypervisor might be the call. But there still exists the extra hurdles of avoiding detection of sandboxing. Would rather use a solution that avoids virtualization.

Note4: I originally asked this in EE section about using some type of logic analyzer to read the key as it was coming over the PCI-e bus, but that would disrupt some of the data coming over (resistance and properties of impedance would be disrupted).

Raspberry Pi Kernel modules_install doesn’t create files

I am trying to build a Raspberry Pi kernel. The compilation of zImage, modules, and dtbs all complete as expected.

However, when I run the make module_install:

sudo env PATH=$  PATH make modules_install ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- INSTALL_MOD_PATH=temppath/ext4  

and then ls in temppath/ext4, the directory is empty.

The same thing happens when I run:

sudo env PATH=$  PATH make dtbs_install ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- INSTALL_MOD_PATH=temppath/fat32  

the temppath/fat32 directory is empty.

Both modules_install and dtbs_install provide command line output similar to this:

  ...   INSTALL sound/soc/codecs/snd-soc-i-sabre-codec.ko   INSTALL sound/soc/codecs/snd-soc-ics43432.ko   INSTALL sound/soc/codecs/snd-soc-pcm1794a.ko   INSTALL sound/soc/codecs/snd-soc-pcm186x-i2c.ko   INSTALL sound/soc/codecs/snd-soc-pcm186x.ko   INSTALL sound/soc/codecs/snd-soc-pcm5102a.ko   INSTALL sound/soc/codecs/snd-soc-pcm512x-i2c.ko   INSTALL sound/soc/codecs/snd-soc-pcm512x.ko   INSTALL sound/soc/codecs/snd-soc-sgtl5000.ko   INSTALL sound/soc/codecs/snd-soc-sigmadsp-i2c.ko   INSTALL sound/soc/codecs/snd-soc-sigmadsp.ko   INSTALL sound/soc/codecs/snd-soc-spdif-rx.ko   INSTALL sound/soc/codecs/snd-soc-spdif-tx.ko   INSTALL sound/soc/codecs/snd-soc-tas5713.ko   INSTALL sound/soc/codecs/snd-soc-tlv320aic32x4-i2c.ko   INSTALL sound/soc/codecs/snd-soc-tlv320aic32x4.ko   ... 

However, no files are created.

Any ideas out there?

Remotely exploit Linux kernel with CVE-2017-18017?

I have set up a server running Linux Kernel 4.4. How can I exploit this, preferably not a DoS attack? I have opened port 80(https), however I would rather do it in an elegant fashion so I can actually learn something instead of just mindlessly running slowloris. A specific vulnerability I have looked into is:

CVE-2017-18017

Thanks, c0mraide

Booting Kernel Failed: Invalid Argument (Non-VM)

Backstory: I have been trying to install Ubuntu the last few days, but I have been facing problems. First, I had to change the File System of my Ubuntu USB and then after that I am facing this problem.

What happened?: I launched the Ubuntu Installer with my USB and then say an accessibility icon and a keyboard when booting. Right after, I saw a black screen saying “Booting Kernel Failed: Invalid Argument”. I can confirm that my install of the iso is not corrupted with qBitTorrent confirming it. Also my USB is not the problem. I used Rufus’ dd mode to install Ubuntu on the drive to keep it in FAT. Also, I tried using my USB on a Chromebook but just stated a “Graphics Initialization Problem” message. I also tried writing help and enter but it did not boot.

Linux kernel change removed USB compatibility

For some reason(I think my WiFi was behaving weirdly, flickering on and off), I decided to update my kernel on 18.04.2 to kernel version 4.4.x thinking that it would fix it. The problem still persisted on updating the kernel but it rose another problem: my computer stopped recognizing USB devices: USB drives, external HDDs, none of them are being recognized now. I have tried using dmesg to see if any debug message pops up but to no avail. I moved back to the mainline kernel , i.e. 4.15.18-041518-generic but the problem didn’t go away. What can be the reason for this? Am I doing something wrong?

Error “nothing to be done for x86_64_def” when trying to configure kernel

I am learning device drivers development from the book by John Madieu. The book tells me to enter in the command “make x86_64_def” to configure the kernel, but when I enter that in to the terminal, an error message shows, saying “nothing to be done for x86_64_def”. The “x86_64_def” file is located in linux/arch/x86/config

USB Huion 1060PLUS and kernel 5.3.0 on Eoan [on hold]

I am having issues with the tablet above. Since the upgrade to Eoan (I know, development..) the tablet is not working any more. Dmesg below:

[ 7199.742905] usb 1-4: USB disconnect, device number 9 [ 7199.742911] usb 1-4.1: USB disconnect, device number 10 [ 7199.743381] usb 1-4.4: USB disconnect, device number 11 [ 7206.101315] usb 1-4: new high-speed USB device number 12 using xhci_hcd [ 7206.227830] usb 1-4: New USB device found, idVendor=058f, idProduct=6254, bcdDevice= 1.00 [ 7206.227836] usb 1-4: New USB device strings: Mfr=0, Product=1, SerialNumber=0 [ 7206.227840] usb 1-4: Product: USB2.0Hub [ 7206.230807] hub 1-4:1.0: USB hub found [ 7206.230868] hub 1-4:1.0: 4 ports detected [ 7206.518332] usb 1-4.1: new full-speed USB device number 13 using xhci_hcd [ 7206.621492] usb 1-4.1: New USB device found, idVendor=256c, idProduct=006e, bcdDevice=30.00 [ 7206.621498] usb 1-4.1: New USB device strings: Mfr=5, Product=6, SerialNumber=0 [ 7206.627684] usb 1-4.1: can't set config #1, error -32 [ 7206.703319] usb 1-4.4: new high-speed USB device number 14 using xhci_hcd [ 7206.794338] usb 1-4.4: New USB device found, idVendor=058f, idProduct=6366, bcdDevice= 1.00 [ 7206.794346] usb 1-4.4: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 7206.794351] usb 1-4.4: Product: Mass Storage Device [ 7206.794353] usb 1-4.4: Manufacturer: Generic [ 7206.794356] usb 1-4.4: SerialNumber: 058F0O1111B1 [ 7206.799699] usb-storage 1-4.4:1.0: USB Mass Storage device detected 

Unfortunately there is not much to be found regarding the can’t set config thing with the code 32.

The digimind driver compiles fine.

The funny part is: After a suspend and resume the tablet is working until unplugged and plugged in.

Any sugestions? Kernel 5.2 is working fine, have to sort out the ZFS module though and it would be nice to stick with the official components.

Cheers,

Henning

Shrink Kernel Size For 64 MB machines

I’m working on reduction of kernel size in Ubuntu. I’ve compiled and installed the kernel 5.2.3 stable now i want to remove kernel modules manually.

I’ve tried with rmmod command and after rebooting the Ubuntu it appears again in lsmod list.

I want to reduce kernel size so that i can run stably on 64 MB machines? Can someone guide me how can i do this?