From 9cc56459419f1225f5e9851825ad305424b3d6fb Mon Sep 17 00:00:00 2001 From: Shankho Boron Ghosh Date: Wed, 18 Nov 2020 19:55:02 +0530 Subject: Revision of Architecture Guides v1: Introduction : Skeleton file of Build Process [WIP]. Security Blueprint : Multiple markdowns appended into single markdown. v2: Security Blueprint : 4_Kernel.md - Fixed Internal Link. Annexes.md - Uniform markdown Title. Bug-AGL: [SPEC-3633] Signed-off-by: Shankho Boron Ghosh Change-Id: I1ab478348a05464612d67f0e8a4570bda309022d Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/documentation/+/25586 Reviewed-by: Jan-Simon Moeller Tested-by: Jan-Simon Moeller --- .../4_Kernel/1.2.4.4_Debug.md | 251 --------------------- 1 file changed, 251 deletions(-) delete mode 100644 docs/2_Architecture_Guides/2.2_Security_Blueprint/4_Kernel/1.2.4.4_Debug.md (limited to 'docs/2_Architecture_Guides/2.2_Security_Blueprint/4_Kernel/1.2.4.4_Debug.md') diff --git a/docs/2_Architecture_Guides/2.2_Security_Blueprint/4_Kernel/1.2.4.4_Debug.md b/docs/2_Architecture_Guides/2.2_Security_Blueprint/4_Kernel/1.2.4.4_Debug.md deleted file mode 100644 index e34839f..0000000 --- a/docs/2_Architecture_Guides/2.2_Security_Blueprint/4_Kernel/1.2.4.4_Debug.md +++ /dev/null @@ -1,251 +0,0 @@ ---- -title: Debug ---- - -# Debug - -No debuggers shall be present on the file system. This includes, but is not -limited to, the GNU Debugger client/server (commonly known in their short form -names such as the `gdb` and `gdbserver` executable binaries respectively), the -`LLDB` next generation debugger or the `TCF` (Target Communications Framework) -agnostic framework. Including these binaries as part of the file system will -facilitate an attacker's ability to reverse engineer and debug (either locally -or remotely) any process that is currently executing on the device. - -## Kernel debug symbols - -Debug symbols should always be removed from production kernels as they provide a -lot of information to attackers. - - - -Domain | `Config` name | `Value` ----------------------- | ------------------- | ------- -Kernel-Debug-Symbols-1 | `CONFIG_DEBUG_INFO` | `n` - - - -These kernel debug symbols are enabled by other config items in the kernel. Care -should be taken to disable those also. If `CONFIG_DEBUG_INFO` cannot be -disabled, then enabling `CONFIG_DEBUG_INFO_REDUCED` is second best. - - - -At least `CONFIG_DEBUG_INFO_REDUCED` should be always enabled for developers to -convert addresses in oops messages to line numbers. - - - --------------------------------------------------------------------------------- - -## Disable Kprobes - -Kprobes enables you to dynamically break into any kernel routine and collect -debugging and performance information non-disruptively. You can trap at almost -any kernel code address, specifying a handler routine to be invoked when the -breakpoint is hit. - - - -Domain | `Config` name | `Value` ----------------------- | ---------------- | ------- -Kernel-Debug-Kprobes-1 | `CONFIG_KPROBES` | `n` - - - --------------------------------------------------------------------------------- - -## Disable Tracing - -FTrace enables the kernel to trace every kernel function. Providing kernel trace -functionality would assist an attacker in discovering attack vectors. - - - -Domain | `Config` name | `Value` ----------------------- | --------------- | ------- -Kernel-Debug-Tracing-1 | `CONFIG_FTRACE` | `n` - - - --------------------------------------------------------------------------------- - -## Disable Profiling - -Profiling and OProfile enables profiling the whole system, include the kernel, -kernel modules, libraries, and applications. Providing profiling functionality -would assist an attacker in discovering attack vectors. - - - -Domain | `Config` name | `Value` ------------------------- | ------------------ | ------- -Kernel-Debug-Profiling-1 | `CONFIG_OPROFILE` | `n` -Kernel-Debug-Profiling-2 | `CONFIG_PROFILING` | `n` - - - --------------------------------------------------------------------------------- - -## Disable OOPS print on BUG() - -The output from OOPS print can be helpful in Return Oriented Programming (ROP) -when trying to determine the effectiveness of an exploit. - - - -Domain | `Config` name | `Value` ------------------------- | ------------------------- | ------- -Kernel-Debug-OOPSOnBUG-1 | `CONFIG_DEBUG_BUGVERBOSE` | `n` - - - --------------------------------------------------------------------------------- - -## Disable Kernel Debugging - -There are development-only branches of code in the kernel enabled by the -`DEBUG_KERNEL` conf. This should be disabled to compile-out these branches. - - - -Domain | `Config` name | `Value` ------------------- | --------------------- | ------- -Kernel-Debug-Dev-1 | `CONFIG_DEBUG_KERNEL` | `n` -Kernel-Debug-Dev-2 | `CONFIG_EMBEDDED` | `n` - - - -In some kernel versions, disabling this requires also disabling -`CONFIG_EMBEDDED`, and `CONFIG_EXPERT`. Disabling `CONFIG_EXPERT` makes it -impossible to disable `COREDUMP`, `DEBUG_BUGVERBOSE`, `NAMESPACES`, `KALLSYMS` -and `BUG`. In which case it is better to leave this enabled than enable the -others. - --------------------------------------------------------------------------------- - - - -## Disable the kernel debug filesystem - -The kernel debug filesystem presents a lot of useful information and means of -manipulation of the kernel to an attacker. - - - -Domain | `Config` name | `Value` -------------------------- | ----------------- | ------- -Kernel-Debug-FileSystem-1 | `CONFIG_DEBUG_FS` | `n` - - - --------------------------------------------------------------------------------- - -## Disable BUG() support - -The kernel will display backtrace and register information for BUGs and WARNs in -kernel space, making it easier for attackers to develop exploits. - - - -Domain | `Config` name | `Value` ------------------- | ------------- | ------- -Kernel-Debug-BUG-1 | `CONFIG_BUG` | `n` - - - --------------------------------------------------------------------------------- - -## Disable core dumps - -Core dumps provide a lot of debug information for hackers. So disabling core -dumps are recommended in production builds. - -This configuration is supported in **Linux 3.7 and greater** and thus should -only be disabled for such versions. - - - -Domain | `Config` name | `Value` ------------------------- | ----------------- | ------- -Kernel-Debug-CoreDumps-1 | `CONFIG_COREDUMP` | `n` - - - --------------------------------------------------------------------------------- - - - -## Kernel Address Display Restriction - -When attackers try to develop "run anywhere" exploits for kernel -vulnerabilities, they frequently need to know the location of internal kernel -structures. By treating kernel addresses as sensitive information, those -locations are not visible to regular local users. - -**/proc/sys/kernel/kptr_restrict is set to "1"** to block the reporting of known -kernel address leaks. - - - -Domain | `File` name | `Value` ----------------------------- | -------------------------------- | ------- -Kernel-Debug-AdressDisplay-1 | `/proc/sys/kernel/kptr_restrict` | `1` - - - -Additionally, various files and directories should be readable only by the root -user: `/boot/vmlinuz*`, `/boot/System.map*`, `/sys/kernel/debug/`, -`/proc/slabinfo` - - - -Domain | `File` or `Directorie` name | _State_ ----------------------------- | --------------------------- | ----------------------------- -Kernel-Debug-AdressDisplay-1 | `/boot/vmlinuz*` | _Readable Only for root user_ -Kernel-Debug-AdressDisplay-2 | `/boot/System.map*` | _Readable Only for root user_ -Kernel-Debug-AdressDisplay-3 | `/sys/kernel/debug/` | _Readable Only for root user_ -Kernel-Debug-AdressDisplay-4 | `/proc/slabinfo` | _Readable Only for root user_ - - - --------------------------------------------------------------------------------- - -## DMESG Restrictions - -When attackers try to develop "run anywhere" exploits for vulnerabilities, they -frequently will use `dmesg` output. By treating `dmesg` output as sensitive -information, this output is not available to the attacker. - -**/proc/sys/kernel/dmesg_restrict can be set to "1"** to treat dmesg output as -sensitive. - - - -Domain | `File` name | `Value` --------------------- | --------------------------------- | ------- -Kernel-Debug-DMESG-1 | `/proc/sys/kernel/dmesg_restrict` | `1` - - - -Enable the below compiler and linker options when building user-space -applications to avoid stack smashing, buffer overflow attacks. - --------------------------------------------------------------------------------- - - - -## Disable /proc/config.gz - -It is extremely important to not expose the kernel configuration used on a -production device to a potential attacker. With access to the kernel config, it -could be possible for an attacker to build a custom kernel for the device that -may disable critical security features. - - - -Domain | `Config` name | `Value` ---------------------- | ----------------- | ------- -Kernel-Debug-Config-1 | `CONFIG_IKCONFIG` | `n` - - -- cgit 1.2.3-korg