path: root/docs/2_Architecture_Guides/2.2_Security_Blueprint/4_Kernel/1.2.4.4_Debug.md
blob: e34839f8d192136f3bd2669167bc8cdaef8fdda1 (plain)
---
title: Debug
---

# Debug

No debuggers shall be present on the file system. This includes, but is not
limited to, the GNU Debugger client and server (the `gdb` and `gdbserver`
executables respectively), the `LLDB` next-generation debugger and the
vendor-agnostic `TCF` (Target Communications Framework) agent. Shipping these
binaries as part of the file system makes it easier for an attacker to reverse
engineer and debug (either locally or remotely) any process that is currently
executing on the device.

## Kernel debug symbols

Debug symbols should always be removed from production kernels, as they give an
attacker a lot of information about the kernel's internals.

<!-- section-config -->

Domain                 | `Config` name       | `Value`
---------------------- | ------------------- | -------
Kernel-Debug-Symbols-1 | `CONFIG_DEBUG_INFO` | `n`

<!-- end-section-config -->

Kernel debug symbols are also selected by other config items in the kernel, so
care should be taken to disable those as well. If `CONFIG_DEBUG_INFO` cannot be
disabled, enabling `CONFIG_DEBUG_INFO_REDUCED` instead is the second-best option.

<!-- section-note -->

At least `CONFIG_DEBUG_INFO_REDUCED` should always be enabled so that developers
can convert addresses in oops messages to line numbers.

<!-- end-section-note -->

--------------------------------------------------------------------------------

## Disable Kprobes

Kprobes enables you to dynamically break into any kernel routine and collect
debugging and performance information non-disruptively. You can trap at almost
any kernel code address, specifying a handler routine to be invoked when the
breakpoint is hit.

<!-- section-config -->

Domain                 | `Config` name    | `Value`
---------------------- | ---------------- | -------
Kernel-Debug-Kprobes-1 | `CONFIG_KPROBES` | `n`

<!-- end-section-config -->

--------------------------------------------------------------------------------

## Disable Tracing

FTrace enables the kernel to trace every kernel function. Providing kernel trace
functionality would assist an attacker in discovering attack vectors.

<!-- section-config -->

Domain                 | `Config` name   | `Value`
---------------------- | --------------- | -------
Kernel-Debug-Tracing-1 | `CONFIG_FTRACE` | `n`

<!-- end-section-config -->

--------------------------------------------------------------------------------

## Disable Profiling

Profiling and OProfile enable profiling of the whole system, including the
kernel, kernel modules, libraries, and applications. Providing profiling
functionality would assist an attacker in discovering attack vectors.

<!-- section-config -->

Domain                   | `Config` name      | `Value`
------------------------ | ------------------ | -------
Kernel-Debug-Profiling-1 | `CONFIG_OPROFILE`  | `n`
Kernel-Debug-Profiling-2 | `CONFIG_PROFILING` | `n`

<!-- end-section-config -->

--------------------------------------------------------------------------------

## Disable OOPS print on BUG()

The output of an OOPS print can be helpful for Return Oriented Programming (ROP)
when an attacker is trying to determine the effectiveness of an exploit.

<!-- section-config -->

Domain                   | `Config` name             | `Value`
------------------------ | ------------------------- | -------
Kernel-Debug-OOPSOnBUG-1 | `CONFIG_DEBUG_BUGVERBOSE` | `n`

<!-- end-section-config -->

--------------------------------------------------------------------------------

## Disable Kernel Debugging

There are development-only branches of code in the kernel that are enabled by
the `DEBUG_KERNEL` config option. It should be disabled to compile out those
branches.

<!-- section-config -->

Domain             | `Config` name         | `Value`
------------------ | --------------------- | -------
Kernel-Debug-Dev-1 | `CONFIG_DEBUG_KERNEL` | `n`
Kernel-Debug-Dev-2 | `CONFIG_EMBEDDED`     | `n`

<!-- end-section-config -->

In some kernel versions, disabling this option also requires disabling
`CONFIG_EMBEDDED` and `CONFIG_EXPERT`. Disabling `CONFIG_EXPERT`, however, makes
it impossible to disable `COREDUMP`, `DEBUG_BUGVERBOSE`, `NAMESPACES`,
`KALLSYMS` and `BUG`. In that case it is better to leave this option enabled
than to be forced to enable the others.

--------------------------------------------------------------------------------

<!-- pagebreak -->

## Disable the kernel debug filesystem

The kernel debug filesystem exposes a lot of useful information, and a means of
manipulating the kernel, to an attacker.

<!-- section-config -->

Domain                    | `Config` name     | `Value`
------------------------- | ----------------- | -------
Kernel-Debug-FileSystem-1 | `CONFIG_DEBUG_FS` | `n`

<!-- end-section-config -->

--------------------------------------------------------------------------------

## Disable BUG() support

The kernel displays backtrace and register information for BUGs and WARNs in
kernel space, which makes it easier for attackers to develop exploits.

<!-- section-config -->

Domain             | `Config` name | `Value`
------------------ | ------------- | -------
Kernel-Debug-BUG-1 | `CONFIG_BUG`  | `n`

<!-- end-section-config -->

--------------------------------------------------------------------------------

## Disable core dumps

Core dumps provide a lot of debug information to an attacker, so disabling core
dumps is recommended in production builds.

This configuration option exists only in **Linux 3.7 and greater**, so it can
only be disabled on such versions.

<!-- section-config -->

Domain                   | `Config` name     | `Value`
------------------------ | ----------------- | -------
Kernel-Debug-CoreDumps-1 | `CONFIG_COREDUMP` | `n`

<!-- end-section-config -->

--------------------------------------------------------------------------------

<!-- pagebreak -->

## Kernel Address Display Restriction

When attackers try to develop "run anywhere" exploits for kernel
vulnerabilities, they frequently need to know the location of internal kernel
structures. By treating kernel addresses as sensitive information, those
locations are not visible to regular local users.

**/proc/sys/kernel/kptr_restrict is set to "1"** to block the reporting of known
kernel address leaks.

<!-- section-config -->

Domain                       | `File` name                      | `Value`
---------------------------- | -------------------------------- | -------
Kernel-Debug-AdressDisplay-1 | `/proc/sys/kernel/kptr_restrict` | `1`

<!-- end-section-config -->

Additionally, the following files and directories should be readable only by
the root user: `/boot/vmlinuz*`, `/boot/System.map*`, `/sys/kernel/debug/` and
`/proc/slabinfo`.

<!-- section-config -->

Domain                       | `File` or `Directory` name | _State_
---------------------------- | -------------------------- | ------------------------------
Kernel-Debug-AdressDisplay-1 | `/boot/vmlinuz*`           | _Readable only by the root user_
Kernel-Debug-AdressDisplay-2 | `/boot/System.map*`        | _Readable only by the root user_
Kernel-Debug-AdressDisplay-3 | `/sys/kernel/debug/`       | _Readable only by the root user_
Kernel-Debug-AdressDisplay-4 | `/proc/slabinfo`           | _Readable only by the root user_

<!-- end-section-config -->

--------------------------------------------------------------------------------

## DMESG Restrictions

When attackers try to develop "run anywhere" exploits for vulnerabilities, they
frequently will use `dmesg` output. By treating `dmesg` output as sensitive
information, this output is not available to the attacker.

**/proc/sys/kernel/dmesg_restrict can be set to "1"** to treat dmesg output as
sensitive.

<!-- section-config -->

Domain               | `File` name                       | `Value`
-------------------- | --------------------------------- | -------
Kernel-Debug-DMESG-1 | `/proc/sys/kernel/dmesg_restrict` | `1`

<!-- end-section-config -->

Enable the compiler and linker options below when building user-space
applications to avoid stack smashing and buffer overflow attacks.

--------------------------------------------------------------------------------

<!-- pagebreak -->

## Disable /proc/config.gz

It is extremely important to not expose the kernel configuration used on a
production device to a potential attacker. With access to the kernel config, it
could be possible for an attacker to build a custom kernel for the device that
may disable critical security features.

<!-- section-config -->

Domain                | `Config` name     | `Value`
--------------------- | ----------------- | -------
Kernel-Debug-Config-1 | `CONFIG_IKCONFIG` | `n`

<!-- end-section-config -->
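As an added example (not part of this blueprint or of any AGL tooling), the POSIX shell script below audits a kernel `.config` against every `Config` name and `Value` listed in the section-config tables on this page. `SAMPLE_CONFIG` is a constructed excerpt standing in for a real build's `.config`; both a `# CONFIG_X is not set` line and an absent option are treated as `n`, which is how Kconfig treats them.

```shell
#!/bin/sh
# Audits a kernel .config against the Kernel-Debug-* section-config tables on
# this page. SAMPLE_CONFIG is a constructed excerpt, not from a real build.
SAMPLE_CONFIG='CONFIG_DEBUG_INFO=y
# CONFIG_KPROBES is not set
# CONFIG_FTRACE is not set
CONFIG_PROFILING=y
# CONFIG_DEBUG_BUGVERBOSE is not set
CONFIG_DEBUG_KERNEL=y
# CONFIG_DEBUG_FS is not set
CONFIG_BUG=y
# CONFIG_COREDUMP is not set
CONFIG_IKCONFIG=y'
# Domain, option and required value, copied from the tables on this page.
DEBUG_POLICY='Kernel-Debug-Symbols-1 CONFIG_DEBUG_INFO n
Kernel-Debug-Kprobes-1 CONFIG_KPROBES n
Kernel-Debug-Tracing-1 CONFIG_FTRACE n
Kernel-Debug-Profiling-1 CONFIG_OPROFILE n
Kernel-Debug-Profiling-2 CONFIG_PROFILING n
Kernel-Debug-OOPSOnBUG-1 CONFIG_DEBUG_BUGVERBOSE n
Kernel-Debug-Dev-1 CONFIG_DEBUG_KERNEL n
Kernel-Debug-Dev-2 CONFIG_EMBEDDED n
Kernel-Debug-FileSystem-1 CONFIG_DEBUG_FS n
Kernel-Debug-BUG-1 CONFIG_BUG n
Kernel-Debug-CoreDumps-1 CONFIG_COREDUMP n
Kernel-Debug-Config-1 CONFIG_IKCONFIG n'

# config_value CONFIG_TEXT OPTION: prints the option's value, or "n" when the
# option is "# OPTION is not set" or absent (Kconfig treats both as disabled).
config_value() {
    val=$(printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'n\n'; fi
}

# audit_config CONFIG_TEXT: one FAIL line per violated domain, then "FAILURES N".
# The here-document keeps the loop in the current shell so the counter survives
# (piping into "while read" would run the loop in a subshell).
audit_config() {
    fails=0
    while read -r domain opt want; do
        have=$(config_value "$1" "$opt")
        if [ "$have" != "$want" ]; then
            printf 'FAIL %s %s=%s (want %s)\n' "$domain" "$opt" "$have" "$want"
            fails=$((fails + 1))
        fi
    done <<EOF
$DEBUG_POLICY
EOF
    printf 'FAILURES %d\n' "$fails"
}
audit_config "$SAMPLE_CONFIG"
```

For a real build, pass the contents of the kernel's `.config` (for example `audit_config "$(cat /path/to/.config)"`) instead of the constructed sample; note that a readable `/proc/config.gz` on the target is itself a finding under Kernel-Debug-Config-1.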