Skip to content
TCP ISN CPU Information Leak Protection. TCP Initial Sequence Numbers Randomization to prevent TCP ISN based CPU Information Leaks.
C Makefile
Branch: master
Clone or download
Pull request Compare This branch is 92 commits ahead of 0xsirus:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
debian bumped changelog version Jan 22, 2020
module Cleaned the code a little bit Jan 11, 2020
COPYING Create COPYING Nov 16, 2019
LICENSE
Makefile
README.md description Nov 28, 2019
changelog.upstream bumped changelog version Jan 22, 2020

README.md

TCP ISN CPU Information Leak Protection

TCP Initial Sequence Numbers Randomization to prevent TCP ISN based CPU Information Leaks.

The Linux kernel has a side-channel information leak bug. It is leaked in any outgoing traffic. This can allow side-channel attacks because sensitive information about a system's CPU activity is leaked.

It may prove very dangerous for long-running cryptographic operations. [A]

Research has demonstrated that it can be used for de-anonymization of location-hidden services. [1]

Clock skew,

  • is leaked through TCP ISNs (Initial Sequence Number) by the Linux kernel.
  • can be remotely detected through observing ISNs.
  • can be induced by an attacker through producing load on the victim machine.

Quote Security researcher Steven J. Murdoch (University of Cambridge, Cambridge, UK) [B]

"What the Linux ISN leaks is the difference between two timestamps, not the timestamp itself. A difference lets you work out drift and skew, which can help someone fingerprint the computer hardware, its environment and load. Of course that only works if you can probe a computer, and maintain the same source/destination port and IP address."

Quote Mike Perry, developer at The Tor Project [A]:

"... it is worth complaining to the kernel developers for the simple reason that adding the 64ns timer post-hash probably does leak side channels about CPU activity, and that may prove very dangerous for long-running cryptographic operations (along the lines of the hot-or-not issue). Unfortunately, someone probably needs to produce more research papers before they will listen."

tirdad (pronounce /tērdäd/) is a kernel module to hot-patch the Linux kernel to generate random TCP Initial Sequence Numbers for IPv4 TCP connections.

You can refer to this bog post to get familiar with the original issue:

This metapackage depends on tirdad-dkms.

References:

How to install tirdad using apt-get

1. Download Whonix's Signing Key.

wget https://www.whonix.org/patrick.asc

Users can check Whonix Signing Key for better security.

2. Add Whonix's signing key.

sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc

3. Add Whonix's APT repository.

echo "deb https://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list

4. Update your package lists.

sudo apt-get update

5. Install tirdad.

sudo apt-get install tirdad

How to Build deb Package

Any standard Debian build tools can be used. For example. Quick and easy.

dpkg-buildpackage -b

Contact

Donate

tirdad requires donations to stay alive!

You can’t perform that action at this time.