## Restrict access to kernel memory

The /dev/kmem file in Linux systems is directly mapped to kernel virtual memory.
This can be disastrous if an attacker gains root access, as the attacker would
have direct read and write access to kernel virtual memory and could patch
running kernel code and data without ever loading a module.

To disable the /dev/kmem file, which is very infrequently used by applications,
the following option should be set in the compile-time kernel configuration
(on Linux 5.13 and later the option no longer exists, because /dev/kmem was
removed from the kernel altogether):
<!-- section-config -->

Domain | `Config` name | `Value`
------------------------------ | ---------------- | -------
Kernel-Memory-RestrictAccess-1 | `CONFIG_DEVKMEM` | `n`

<!-- end-section-config -->
If a user-space application genuinely needs /dev/kmem, the device node should
stay readable only by root (the usual default is root:kmem with mode 0640) and
the application should be confined by a mandatory access control policy
(SELinux or AppArmor) so that no other program can open the device.

--------------------------------------------------------------------------------

## Disable access to a kernel core dump

This kernel configuration removes /proc/kcore, an ELF image of the running
kernel's memory that can be read from user space. The file is readable only by
root, but for an attacker who has already obtained root it gives a complete and
convenient view into kernel memory.
<!-- section-config -->

Domain | `Config` name | `Value`
------------------------ | ------------------- | -------
Kernel-Memory-CoreDump-1 | `CONFIG_PROC_KCORE` | `n`

<!-- end-section-config -->

--------------------------------------------------------------------------------
## Disable swap

If swap is not disabled, an attacker able to enable it at runtime can put
pressure on the memory subsystem until pages belonging to other processes are
written to the swap device, and then scour those pages for anything useful
that was only ever meant to live in RAM.
<!-- section-config -->

Domain | `Config` name | `Value`
-------------------- | ------------- | -------
Kernel-Memory-Swap-1 | `CONFIG_SWAP` | `n`

<!-- end-section-config -->
<!-- section-note -->

- Enabling swap at runtime (`swapon`) requires `CAP_SYS_ADMIN`.
- The swap block device is usually owned by root:disk, so only root (or a
  member of the `disk` group) can read it directly.
- Linux never swaps kernel pages; only user-space anonymous memory and
  tmpfs/shmem pages are ever written out.
- If swap cannot be disabled, the swap device should be encrypted, for
  example as a dm-crypt volume keyed with a fresh random key at every boot,
  so that whatever is written to it is unreadable afterwards.

<!-- end-section-note -->

--------------------------------------------------------------------------------
## Disable "Load All Symbols"

The /proc/kallsyms file exposes the kernel virtual address of many kernel
symbols (functions, variables, etc.). This information is useful to attackers
for identifying the kernel version and configuration and for preparing
payloads for kernel-space exploits, since it hands over exactly the symbol
addresses that KASLR is meant to hide. The `kernel.kptr_restrict` sysctl
(1 or 2) only masks the addresses shown to unprivileged readers as zeros; it
does not remove the file, and at level 1 a reader with `CAP_SYSLOG` still sees
the real addresses.

Both `KALLSYMS_ALL` and `KALLSYMS` shall be disabled. Note that several
features (kprobes, ftrace, live patching) select `KALLSYMS`, so a kernel that
needs them cannot drop it and must rely on `kptr_restrict` instead:
<!-- section-config -->

Domain | `Config` name | `Value`
------------------------------ | --------------------- | -------
Kernel-Memory-LoadAllSymbols-1 | `CONFIG_KALLSYMS`     | `n`
Kernel-Memory-LoadAllSymbols-2 | `CONFIG_KALLSYMS_ALL` | `n`

<!-- end-section-config -->

--------------------------------------------------------------------------------
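The four sections above describe kernel-memory exposure points that can be
verified on a running system without looking at the build configuration. The
following POSIX shell script is an added example (not part of the original page)
that audits them live: whether /dev/kmem and /proc/kcore exist, whether any swap
area is active, and whether /proc/kallsyms shows real addresses to the current
user. The optional `ROOT` argument and the `kmem_audit` function name are this
example's own conventions; `ROOT` exists so the checks can be pointed at a
constructed fake tree for testing.

```shell
#!/bin/sh
# Live audit of the kernel-memory exposure points from the sections above:
# /dev/kmem, /proc/kcore, active swap and /proc/kallsyms address masking.
# ROOT (assumed argument) redirects the checks at an alternative tree instead
# of the real /dev and /proc, which allows testing with constructed input.

# kmem_audit [ROOT]: prints one line per check, returns the number of findings.
kmem_audit() {
    root="${1:-}"
    findings=0

    # /dev/kmem exists only when the kernel was built with CONFIG_DEVKMEM=y.
    if [ -e "$root/dev/kmem" ]; then
        echo "FAIL /dev/kmem is present (CONFIG_DEVKMEM=y)"
        findings=$((findings + 1))
    else
        echo "ok   /dev/kmem is absent"
    fi

    # /proc/kcore exists only when the kernel was built with CONFIG_PROC_KCORE=y.
    if [ -e "$root/proc/kcore" ]; then
        echo "FAIL /proc/kcore is present (CONFIG_PROC_KCORE=y)"
        findings=$((findings + 1))
    else
        echo "ok   /proc/kcore is absent"
    fi

    # /proc/swaps has a header line; every further line is an active swap area.
    swaps="$root/proc/swaps"
    if [ -r "$swaps" ] && [ "$(tail -n +2 "$swaps" | grep -c .)" -gt 0 ]; then
        echo "FAIL swap is active: $(tail -n +2 "$swaps" | awk '{ printf "%s ", $1 }')"
        findings=$((findings + 1))
    else
        echo "ok   no active swap"
    fi

    # With kernel.kptr_restrict >= 1 an unprivileged reader of /proc/kallsyms
    # sees every address as zeros; any non-zero address means the symbol
    # addresses (and with them the KASLR offset) are exposed to this user.
    kallsyms="$root/proc/kallsyms"
    if [ -r "$kallsyms" ]; then
        restrict="$(cat "$root/proc/sys/kernel/kptr_restrict" 2>/dev/null || echo '?')"
        if awk '$1 !~ /^0+$/ { leak = 1 } END { exit !leak }' "$kallsyms"; then
            echo "FAIL /proc/kallsyms exposes addresses (kptr_restrict=$restrict)"
            findings=$((findings + 1))
        else
            echo "ok   /proc/kallsyms addresses are masked (kptr_restrict=$restrict)"
        fi
    fi

    return "$findings"
}

# Audit the live host when this file is run directly as kmem_audit.sh;
# the exit status is the number of findings.
case "${0##*/}" in kmem_audit.sh) kmem_audit "$@" ;; esac
```

Run it as an unprivileged user as well as root: the kallsyms check is about what
a given reader sees, so a `FAIL` for root with `kptr_restrict=1` is expected while
a `FAIL` for an ordinary user means the sysctl is off.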
## Enable the kernel stack protector

To prevent stack smashing, similar to the stack protector used for ELF programs
in user space, the kernel can protect its own internal stacks with a canary as
well.

This configuration is supported in **Linux 3.11 and greater** and thus should
only be enabled for such versions. Since Linux 4.18 the option is named
`CONFIG_STACKPROTECTOR` (with `CONFIG_STACKPROTECTOR_STRONG` instrumenting more
functions), so an audit of a recent kernel should accept either name.

This configuration also requires building the kernel with **gcc 4.2 or newer**,
since the feature relies on the compiler's `-fstack-protector` support.
<!-- section-config -->

Domain | `Config` name | `Value`
--------------------- | -------------------------- | -------
Kernel-Memory-Stack-1 | `CONFIG_CC_STACKPROTECTOR` | `y`

<!-- end-section-config -->
Other defenses against return-address corruption include shadow stacks, which
keep a separate, protected copy of each return address and compare it on
return.

--------------------------------------------------------------------------------
## Disable access to /dev/mem

The /dev/mem file in Linux systems is directly mapped to physical memory. This
can be disastrous if an attacker gains root access, as the attacker would have
direct access to physical memory through this convenient device file. It may not
always be possible to disable the file, as some applications might need it. In
that case the device node should stay root-only, the application should be
confined by a mandatory access control policy, and `CONFIG_STRICT_DEVMEM=y`
(together with `CONFIG_IO_STRICT_DEVMEM=y`) should be set so that only device
memory and the legacy BIOS region, never ordinary system RAM, can be reached
through it.

This configuration is supported in **Linux 4.0 and greater** and thus should
only be disabled for such versions.
<!-- section-config -->

Domain | `Config` name | `Value`
---------------------- | --------------- | -------
Kernel-Memory-Access-1 | `CONFIG_DEVMEM` | `n`

<!-- end-section-config -->

--------------------------------------------------------------------------------
## Disable cross-memory attach

Disable the `process_vm_readv` and `process_vm_writev` system calls, which
allow one process to read and write the virtual memory of another. The calls
are subject to the same permission check as a `ptrace` attach (and therefore to
Yama's `kernel.yama.ptrace_scope`), but removing them at build time takes the
code out of the attack surface entirely.

The system calls and this option first appeared in **Linux 3.2**, so the option
can only be disabled for such versions.
<!-- section-config -->

Domain | `Config` name | `Value`
------------------------------ | ---------------------------- | -------
Kernel-Memory-CrossMemAttach-1 | `CONFIG_CROSS_MEMORY_ATTACH` | `n`

<!-- end-section-config -->

--------------------------------------------------------------------------------
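The compile-time options in the sections above are easy to verify against a
real kernel build. The following POSIX shell script is an added example (not
part of the original page): it reads a `.config` file, `/boot/config-<release>`
or the gzip'd `/proc/config.gz` of the running kernel and reports every listed
option whose value differs from the value this page asks for. The `EXPECTED`
list, the `|` syntax for renamed options and the function names are this
example's own conventions.

```shell
#!/bin/sh
# Audit a kernel build configuration against the compile-time options listed
# in the sections above. Accepts a plain .config (e.g. /boot/config-$(uname -r))
# or the gzip'd /proc/config.gz of the running kernel.

# Expected values (this example's own list). "n" means the option must be
# absent or marked "is not set". Alternatives separated by "|" are accepted for
# options that were renamed (CONFIG_CC_STACKPROTECTOR became
# CONFIG_STACKPROTECTOR in Linux 4.18).
EXPECTED='
CONFIG_DEVKMEM=n
CONFIG_PROC_KCORE=n
CONFIG_SWAP=n
CONFIG_KALLSYMS=n
CONFIG_KALLSYMS_ALL=n
CONFIG_CC_STACKPROTECTOR|CONFIG_STACKPROTECTOR=y
CONFIG_DEVMEM=n
CONFIG_CROSS_MEMORY_ATTACH=n
'

# kconfig_value FILE OPTION: prints the option's value (y, m, a number, a
# string) or "n" when it is unset or commented out as "is not set".
kconfig_value() {
    file="$1"; opt="$2"
    case "$file" in
        *.gz) val="$(gzip -dc "$file" | sed -n "s/^$opt=//p" | head -n 1)" ;;
        *)    val="$(sed -n "s/^$opt=//p" "$file" | head -n 1)" ;;
    esac
    echo "${val:-n}"
}

# kconfig_audit FILE: one line per expected option, returns the mismatch count.
kconfig_audit() {
    file="$1"
    mismatches=0
    for entry in $EXPECTED; do
        names="${entry%%=*}"
        want="${entry#*=}"
        have=n
        # Whichever of the alternative names is actually set wins.
        for name in $(printf '%s' "$names" | tr '|' ' '); do
            val="$(kconfig_value "$file" "$name")"
            [ "$val" = n ] || have="$val"
        done
        if [ "$have" = "$want" ]; then
            echo "ok   $names=$have"
        else
            echo "FAIL $names=$have (expected $want)"
            mismatches=$((mismatches + 1))
        fi
    done
    return "$mismatches"
}

# Audit the given (or the running kernel's) config when run as kconfig_audit.sh;
# the exit status is the number of mismatches.
case "${0##*/}" in
    kconfig_audit.sh) kconfig_audit "${1:-/boot/config-$(uname -r)}" ;;
esac
```

Treating an absent option as `n` is deliberate: an option that does not exist in
the running kernel's Kconfig (such as `CONFIG_DEVKMEM` on 5.13 and later) is
satisfied in the same way as one that was explicitly switched off.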
## Stack Smashing Attacks

<!-- section-config -->

Domain | `compiler` and `linker` options | _State_
----------------------------- | ------------------------------- | --------
Kernel-Memory-StackSmashing-1 | `-fstack-protector-all` | _Enable_

<!-- end-section-config -->

Emit extra code to check for buffer overflows, such as stack smashing attacks:
a canary is placed between the local variables and the saved return address of
a function and verified before the function returns, so an overflow that reaches
the return address aborts the program instead of hijacking control flow.
`-fstack-protector-all` instruments every function; `-fstack-protector-strong`
covers only functions with local arrays or address-taken locals and is the usual
compromise where the overhead of `-all` is unacceptable.

--------------------------------------------------------------------------------
## Detect Buffer Overflows

<!-- section-config -->

Domain | `compiler` options and `config` name | `Value`
------------------------------- | ------------------------------------ | -------
Kernel-Memory-BufferOverflows-1 | `-D_FORTIFY_SOURCE` | `2`
Kernel-Memory-BufferOverflows-2 | `CONFIG_FORTIFY_SOURCE` | `y`

<!-- end-section-config -->

Helps detect some buffer overflow errors: with optimisation enabled (`-O1` or
higher), calls such as `memcpy`, `strcpy` and `sprintf` whose destination size
is known at compile time are replaced by checked `__*_chk` variants that abort
on overflow. `CONFIG_FORTIFY_SOURCE` applies the same idea to the kernel's own
string and memory helpers and is available since **Linux 4.13**.
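Both compiler options in the two sections above leave a visible trace in the
binaries they produce, which is how one verifies that a build really used them.
The following POSIX shell script is an added example (not part of the original
page): it checks an ELF binary for the `__stack_chk_fail` import that the stack
protector emits and for the `__*_chk` replacements that `_FORTIFY_SOURCE`
introduces. The function names are this example's own; the list of fortified
function names is deliberately explicit so that `__stack_chk_fail` itself does
not count as a FORTIFY hit.

```shell
#!/bin/sh
# Check whether a built ELF binary carries the stack-protector and
# _FORTIFY_SOURCE instrumentation. The protector calls __stack_chk_fail on a
# canary mismatch and FORTIFY replaces risky libc calls with checked
# __<name>_chk variants, so both show up as imported symbol names.
# grep -a scans the binary directly; no binutils are required.

# has_stack_protector BINARY: success when canary checks are present.
has_stack_protector() {
    grep -aq '__stack_chk_fail' "$1"
}

# has_fortify BINARY: success when at least one FORTIFY replacement is present.
has_fortify() {
    grep -aqE '__(strcpy|strncpy|stpcpy|strcat|strncat|memcpy|memmove|memset|sprintf|snprintf|vsprintf|vsnprintf|fgets|read|recv)_chk' "$1"
}

# check_hardening BINARY: reports both properties, returns 0 only if both hold.
check_hardening() {
    bin="$1"
    status=0
    if has_stack_protector "$bin"; then
        echo "ok   $bin: stack protector (__stack_chk_fail) present"
    else
        echo "FAIL $bin: no stack protector"
        status=1
    fi
    if has_fortify "$bin"; then
        echo "ok   $bin: FORTIFY_SOURCE checks (__*_chk) present"
    else
        echo "FAIL $bin: no FORTIFY_SOURCE checks (needs -D_FORTIFY_SOURCE=2 and -O1 or higher)"
        status=1
    fi
    return "$status"
}

# Check every binary given on the command line when run as check_hardening.sh.
case "${0##*/}" in
    check_hardening.sh) for f in "$@"; do check_hardening "$f"; done ;;
esac
```

Two caveats when reading the result: a binary with no fixed-size buffers to
protect may legitimately import neither symbol, and toolchains whose libc does
not implement `_FORTIFY_SOURCE` (plain musl, for instance) never produce
`__*_chk` calls, so the second check fails there regardless of the flags used.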