Kiddy - Linux Kernel identify spoofer
Kiddy module performs runtime Linux kernel modification so its futher identification will give irrelevant result.
Such modification serves the purpose of defeating kernel exploitation attempts as most of kernel exploits require the version of the kernel to be known to use the proper offsets1.
In other words, Kiddy changes current kernel identification and so implements security through obscurity.
It's obvious that kernel log has a lot of identification information. Exposing the information usually happen via dmesg or its underlying interfaces. Although, some modern systems already restrict non-privileged kernel log access, Kiddy enforces same restriction as well.
STATUS: IMPLEMENTED (source)
UTS namespace provide isolation of hostname and domainname via set/gethostname() and set/getdomainname() system call services. Besides that, UTS contains the following information: machine architecture, OS type and release information, kernel version:
enum uts_proc {
UTS_PROC_ARCH,
UTS_PROC_OSTYPE,
UTS_PROC_OSRELEASE,
UTS_PROC_VERSION,
UTS_PROC_HOSTNAME,
UTS_PROC_DOMAINNAME,
};
While is's possible to alter hostname and domainname values, other parameters are not changable but provide sensitive identification information via the following interfaces:
- procfs
- /proc/sys/kernel/{version,osrelease}
- syscalls
- sys_newuname(2)
- sys_uname(2)
- sys_olduname(2)
- hostnamectl
- calls systemd-hostnamed service via D-Bus remote API
NOTE: Current implementation takes care of kernel version and OS release information.
STATUS: IMPLEMENTED (source)
The vDSO (virtual dynamic shared object) is a small shared library that the kernel automatically maps into the address space of all user-space applications.
vDSO exposes LINUX_VERSION_CODE via .note section so must be handled.
STATUS: IMPLEMENTED (source)
Kernel version information:
/proc/cmdline
/proc/version
Some other files/directories to protect:
/boot
/lib/modules
/proc/modules
/proc/kallsyms
/proc/config.gz
/usr/src/kernels
... see default preset for more details
STATUS: IMPLEMENTED (source)
Kiddy is based on KHOOK which is kernel hooking library.
Hooking (or intercepting) kernel function allows to alter its behaviour thus it becomes possible to filter out data which goes from the kernel to processes via system calls.
The filtering decision is made as follows: filter data for all non-root processes OR root processes without tty. The later condition allows to handle hostnamectl cases by filtering out root services (which do not have a terminal).
[PRESET=<preset>] make
sudo insmod kiddy.ko
See presets for details.
Doesn't help with dirtycow-like exploits.
Doesn't help with SUID-like user-mode exploits (sudo, pkexec & friends).
This software is licensed under the GPL.
2023, 2024