Home

Awesome

0

Kiddy - Linux Kernel identify spoofer

Purpose

Kiddy module performs runtime Linux kernel modification so its futher identification will give irrelevant result.

Such modification serves the purpose of defeating kernel exploitation attempts as most of kernel exploits require the version of the kernel to be known to use the proper offsets1.

In other words, Kiddy changes current kernel identification and so implements security through obscurity.

Challenges

Kernel log (dmesg)

It's obvious that kernel log has a lot of identification information. Exposing the information usually happen via dmesg or its underlying interfaces. Although, some modern systems already restrict non-privileged kernel log access, Kiddy enforces same restriction as well.

STATUS: IMPLEMENTED (source)

UTS namespace (uname)

UTS namespace provide isolation of hostname and domainname via set/gethostname() and set/getdomainname() system call services. Besides that, UTS contains the following information: machine architecture, OS type and release information, kernel version:

enum uts_proc {
	UTS_PROC_ARCH,
	UTS_PROC_OSTYPE,
	UTS_PROC_OSRELEASE,
	UTS_PROC_VERSION,
	UTS_PROC_HOSTNAME,
	UTS_PROC_DOMAINNAME,
};

While is's possible to alter hostname and domainname values, other parameters are not changable but provide sensitive identification information via the following interfaces:

NOTE: Current implementation takes care of kernel version and OS release information.

STATUS: IMPLEMENTED (source)

vDSO (virtual dynamic shared object)

The vDSO (virtual dynamic shared object) is a small shared library that the kernel automatically maps into the address space of all user-space applications.

vDSO exposes LINUX_VERSION_CODE via .note section so must be handled.

STATUS: IMPLEMENTED (source)

Filesystem artifacts

Kernel version information:

/proc/cmdline
/proc/version

Some other files/directories to protect:

/boot
/lib/modules
/proc/modules
/proc/kallsyms
/proc/config.gz
/usr/src/kernels
... see default preset for more details

STATUS: IMPLEMENTED (source)

Implementation details

Kiddy is based on KHOOK which is kernel hooking library.

Hooking (or intercepting) kernel function allows to alter its behaviour thus it becomes possible to filter out data which goes from the kernel to processes via system calls.

The filtering decision is made as follows: filter data for all non-root processes OR root processes without tty. The later condition allows to handle hostnamectl cases by filtering out root services (which do not have a terminal).

Usage

[PRESET=<preset>] make
sudo insmod kiddy.ko

See presets for details.

Limitations

Doesn't help with dirtycow-like exploits.

Doesn't help with SUID-like user-mode exploits (sudo, pkexec & friends).

License

This software is licensed under the GPL.

Author

Ilya V. Matveychikov

2023, 2024

Footnotes

  1. CVE-20217-1000112