Skip to content

Latest commit

 

History

History
110 lines (76 loc) · 3.47 KB

README.md

File metadata and controls

110 lines (76 loc) · 3.47 KB

TCP ISN CPU Information Leak Protection

TCP Initial Sequence Numbers Randomization to prevent TCP ISN based CPU Information Leaks.

The Linux kernel has a side-channel information leak bug. It is leaked in any outgoing traffic. This can allow side-channel attacks because sensitive information about a system's CPU activity is leaked.

It may prove very dangerous for long-running cryptographic operations. [A]

Research has demonstrated that it can be used for de-anonymization of location-hidden services. [1]

Clock skew,

  • is leaked through TCP ISNs (Initial Sequence Number) by the Linux kernel.
  • can be remotely detected through observing ISNs.
  • can be induced by an attacker through producing load on the victim machine.

Quote Security researcher Steven J. Murdoch (University of Cambridge, Cambridge, UK) [B]

"What the Linux ISN leaks is the difference between two timestamps, not the timestamp itself. A difference lets you work out drift and skew, which can help someone fingerprint the computer hardware, its environment and load. Of course that only works if you can probe a computer, and maintain the same source/destination port and IP address."

Quote Mike Perry, developer at The Tor Project [A]:

"... it is worth complaining to the kernel developers for the simple reason that adding the 64ns timer post-hash probably does leak side channels about CPU activity, and that may prove very dangerous for long-running cryptographic operations (along the lines of the hot-or-not issue). Unfortunately, someone probably needs to produce more research papers before they will listen."

tirdad is a kernel module to hot-patch the Linux kernel to generate random TCP Initial Sequence Numbers for IPv4 TCP connections.

You can refer to this bog post to get familiar with the original issue:

This metapackage depends on tirdad-dkms.

References:

How to install tirdad using apt-get

1. Download Whonix's Signing Key.

wget https://www.whonix.org/patrick.asc

Users can check Whonix Signing Key for better security.

2. Add Whonix's signing key.

sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc

3. Add Whonix's APT repository.

echo "deb https://deb.whonix.org bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list

4. Update your package lists.

sudo apt-get update

5. Install tirdad.

sudo apt-get install tirdad

How to Build deb Package

Any standard Debian build tools can be used. For example. Quick and easy.

dpkg-buildpackage -b

Contact

Donate

tirdad requires donations to stay alive!