Recent Kernel exploits, attack surface reduction, example IPSEC

Hi,

Several of the recent kernel exploits have affected the "esp" Linux kernel module. ESP is, as far as I understand, part of IPSEC, and I think it's fair to say that IPSEC is not widely used these days. I think this raises some questions about attack surface.

I want to note that I use IPSEC as an example here, but it likely applies in very similar ways to many features that are part of the Linux kernel and are not used in most common setups.

For everyone who builds custom kernels and doesn't use IPSEC, it's probably a good idea to disable all IPSEC-related config options, e.g.:

CONFIG_INET_ESP
CONFIG_INET6_ESP
CONFIG_INET_AH
CONFIG_INET6_AH

I believe IPCOMP is also rarely used separately from IPSEC, so consider also disabling these:

CONFIG_INET_IPCOMP
CONFIG_INET6_IPCOMP
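As an added illustration (not part of the original post), the following POSIX shell snippet checks a kernel .config for the options listed above and emits modprobe.d rules that stop the corresponding modules from being loaded on demand. The config text is a constructed sample, and the module names esp4/esp6/ah4/ah6/ipcomp/ipcomp6 are my assumption of the usual module names for these options; on a real system feed it /boot/config-$(uname -r) or the output of `zcat /proc/config.gz`.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Reports which IPSEC-related kernel options are still enabled (=y or =m)
# and prints modprobe.d "install" rules that block on-demand loading.

# The options named in the post.
IPSEC_OPTS="CONFIG_INET_ESP CONFIG_INET6_ESP CONFIG_INET_AH CONFIG_INET6_AH CONFIG_INET_IPCOMP CONFIG_INET6_IPCOMP"

# CONSTRUCTED sample input: a distro-style config where most options are
# modules and one (INET6_AH) is built in.
SAMPLE_CONFIG='CONFIG_INET_ESP=m
CONFIG_INET6_ESP=m
# CONFIG_INET_AH is not set
CONFIG_INET6_AH=y
CONFIG_INET_IPCOMP=m
# CONFIG_INET6_IPCOMP is not set'

# enabled_ipsec_opts CONFIG_TEXT
# Prints each option from IPSEC_OPTS that is set to y or m, one per line.
# "# CONFIG_X is not set" lines count as disabled. A "=y" hit means the
# feature is built in, so a modprobe rule alone will not remove it.
enabled_ipsec_opts() {
    cfg="$1"
    for opt in $IPSEC_OPTS; do
        # Anchor on "OPT=" so CONFIG_INET_ESP does not match CONFIG_INET_ESP_OFFLOAD.
        if printf '%s\n' "$cfg" | grep -Eq "^${opt}=(y|m)$"; then
            printf '%s\n' "$opt"
        fi
    done
}

# modprobe_deny_lines
# Prints "install <mod> /bin/false" lines; placed in /etc/modprobe.d/ these make
# an automatic modprobe of the module fail instead of loading it.
# Module names are an assumption of the usual names for these options.
modprobe_deny_lines() {
    for mod in esp4 esp6 ah4 ah6 ipcomp ipcomp6; do
        printf 'install %s /bin/false\n' "$mod"
    done
}

# Usage on a real system (not executed here):
#   enabled_ipsec_opts "$(cat "/boot/config-$(uname -r)")"
#   modprobe_deny_lines > /etc/modprobe.d/no-ipsec.conf
```

Against the constructed sample the check reports CONFIG_INET_ESP, CONFIG_INET6_ESP, CONFIG_INET6_AH and CONFIG_INET_IPCOMP; the built-in CONFIG_INET6_AH is the case a modprobe rule cannot fix and needs a kernel rebuild.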

However, there's a broader point here: I think it's common these days that Linux distributions install most or all kernel modules by default, and loading them happens automatically, which in many cases means people are potentially affected by security flaws in features they never use.

"Attack surface reduction" is widely considered to be a good security principle, and I wonder if we can do better here. To pick the example of IPSEC, I wonder if it wouldn't be better to have, e.g., a separate "linux-modules-ipsec" package that isn't installed by default. People who use and need IPSEC will likely know that they need it, and can install it separately.

I'm aware this doesn't come for free, and will add increased complexity to kernel packaging. But think about it like this: if we had that separation, three of the recent kernel local root exploits would've been much less impactful, and wouldn't have affected most systems.

— Hanno Böck - Independent security researcher