Openwall unveils kernel protection project

Guarding the kernel against unauthorised changes

By Richard Chirgwin


The folk at Openwall have called for assistance with a security module that watches running Linux kernels for suspicious activity.

In Openwall's announcement, the Linux Kernel Runtime Guard (LKRG) is described as a module that “attempts to post-detect and hopefully promptly respond to unauthorised modifications to the running Linux kernel (integrity checking) or to credentials (such as user IDs) of the running processes (exploit detection).”

The code was developed by Adam Zabrocki (@adam_pi3) and is now championed by Openwall; the first cut landed last week.

It's imperfect for now, and Openwall admits it: “While LKRG defeats many pre-existing exploits of Linux kernel vulnerabilities, and will likely defeat many future exploits (including of yet unknown vulnerabilities) that do not specifically attempt to bypass LKRG, it is bypassable by design (albeit sometimes at the expense of more complicated and/or less reliable exploits).”

The LKRG wiki explains that it works by computing hashes of important kernel regions, sections, and structures and comparing them against its “internal database hashes”.

Ideally, LKRG should be loaded on a known-clean system (for instance, right after a fresh install has booted): it builds its trusted database of hashes from that environment and then watches for any deviation from them. Whatever has already been modified before the module loads becomes part of that baseline, so LKRG can only post-detect changes made after it starts.

As this is a first cut of LKRG (as in, it's version 0.0), there's a substantial to-do list. Currently it covers critical CPU/core data for x86 and amd64 architectures; the Linux kernel .text section (the notes say “This covers almost [the] entire Linux kernel itself, like syscall tables, all procedures, all functions, all IRQ handlers, etc”); the Linux kernel exception table; the read-only .rodata section; the IOMMU I/O mappings; and loaded modules.
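To make the integrity-checking half of that description concrete, here is an added userspace model of the mechanism. It is not LKRG's code and not from Openwall: the region names, the stand-in syscall table and .rodata object, and the FNV-1a hash are assumptions chosen for illustration (LKRG's real layout and hashing differ). The guard records a baseline hash of each watched region when it "loads", re-hashes on every check, and reports drift; the last scenario shows why the baseline has to come from a known-clean system.

```c
/* Added example: a userspace model of LKRG-style kernel integrity checking.
 * This is NOT LKRG's code. Region layout, names and the FNV-1a hash are
 * assumptions for illustration; LKRG's real hashing and coverage differ. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef long (*syscall_fn)(long);

static long sys_getpid_model(long a) { (void)a; return 1234; }
static long sys_write_model(long a)  { return a; }
static long evil_hook(long a)        { return -a; }  /* rootkit replacement */

/* Stand-ins for sys_call_table and a .rodata object the guard watches. */
static syscall_fn syscall_table[2];
static char rodata_blob[] = "security=enforcing";

struct region {
    const char *name;
    const void *base;
    size_t      len;
    uint64_t    baseline;   /* trusted hash recorded when the guard loads */
};
static struct region db[] = {
    { "sys_call_table", syscall_table, sizeof syscall_table, 0 },
    { ".rodata",        rodata_blob,   sizeof rodata_blob,   0 },
};
#define NREG (sizeof db / sizeof db[0])

/* FNV-1a: a fast non-cryptographic hash, enough to notice byte changes. */
static uint64_t fnv1a(const void *p, size_t n) {
    const unsigned char *b = p;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Put the model "kernel" back into its pristine, unhooked state. */
void model_reset(void) {
    syscall_table[0] = sys_getpid_model;
    syscall_table[1] = sys_write_model;
    memcpy(rodata_blob, "security=enforcing", sizeof rodata_blob);
}

/* Guard load: whatever the regions contain right now becomes the baseline. */
void guard_init(void) {
    for (size_t i = 0; i < NREG; i++)
        db[i].baseline = fnv1a(db[i].base, db[i].len);
}

/* Guard check: re-hash every region, report and count the ones that drifted. */
int guard_check(void) {
    int drifted = 0;
    for (size_t i = 0; i < NREG; i++) {
        uint64_t now = fnv1a(db[i].base, db[i].len);
        if (now != db[i].baseline) {
            printf("ALERT: %s modified (baseline %016llx, now %016llx)\n",
                   db[i].name, (unsigned long long)db[i].baseline,
                   (unsigned long long)now);
            drifted++;
        }
    }
    return drifted;
}

/* Attacker actions: hook a syscall table entry, patch read-only data in place. */
void attack_hook_syscall(int idx) { syscall_table[idx] = evil_hook; }
void attack_patch_rodata(void)    { memcpy(rodata_blob, "security=disabled!", sizeof rodata_blob); }

/* Guard loaded on a clean system, then a rootkit hooks a syscall: detected. */
int scenario_hook_after_load(void) {
    model_reset(); guard_init();
    attack_hook_syscall(1);
    return guard_check();                 /* 1 region drifted */
}

/* Both watched regions tampered with: each is reported separately. */
int scenario_two_regions(void) {
    model_reset(); guard_init();
    attack_hook_syscall(0); attack_patch_rodata();
    return guard_check();                 /* 2 */
}

/* The caveat from the article: a rootkit already resident when the guard
 * loads is baked into the baseline and never flagged afterwards. */
int scenario_hook_before_load(void) {
    model_reset();
    attack_hook_syscall(1);
    guard_init();
    return guard_check();                 /* 0: post-detection cannot see it */
}

int main(void) {
    printf("hook after load:  %d\n", scenario_hook_after_load());
    printf("two regions:      %d\n", scenario_two_regions());
    printf("hook before load: %d\n", scenario_hook_before_load());
    return 0;
}
```

The third scenario is the practical takeaway: the check compares against a snapshot, not against ground truth, so the snapshot is only as trustworthy as the system it was taken on.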

Openwall said LKRG has been tested in various scenarios, and at the same time notes the kinds of limitations that apply:

“In our testing on vulnerable distro kernels LKRG successfully detected certain pre-existing exploits of CVE-2014-9322 (BadIRET), CVE-2017-5123 (waitid(2) missing access_ok), CVE-2017-6074 (use-after-free in DCCP protocol). However, it wouldn't be expected to detect exploits of CVE-2016-5195 (Dirty COW) since those directly target the userspace even if via the kernel.”
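The "exploit detection" side of LKRG referred to above rests on process credentials rather than on hashing code. The following added model (not LKRG's code, and not from Openwall; the task layout, hook points and the kill response are simplified assumptions) shows the general idea: the guard keeps its own shadow copy of each tracked task's credentials, updates that copy only through the legitimate credential-changing path it hooks, and compares live credentials with the shadow at syscall entry. A uid stamped to 0 by a kernel write primitive without going through that path is caught at the next syscall, while an attack that never touches credentials, like the Dirty COW case the quote excludes, gives this check nothing to see.

```c
/* Added example: a userspace model of credential tracking for exploit
 * detection. This is NOT LKRG's code; task layout, hook points and the
 * response are assumptions for illustration only. */
#include <stdio.h>
#include <string.h>

typedef unsigned int muid_t;
struct cred_model { muid_t uid, euid; };
struct task_model { int pid; struct cred_model cred; int alive; };

#define MAXTASK 8
static struct task_model tasks[MAXTASK];
static struct cred_model shadow[MAXTASK];   /* guard's private copy */
static int ntask;

void guard_reset(void) {
    ntask = 0;
    memset(tasks, 0, sizeof tasks);
    memset(shadow, 0, sizeof shadow);
}

/* Task-creation hook: start tracking a task and snapshot its creds. */
int guard_track_task(int pid, muid_t uid) {
    if (ntask == MAXTASK) return -1;
    tasks[ntask].pid = pid;
    tasks[ntask].cred.uid = tasks[ntask].cred.euid = uid;
    tasks[ntask].alive = 1;
    shadow[ntask] = tasks[ntask].cred;
    return ntask++;
}

/* Hooked credential change (think commit_creds): the shadow follows. */
void guard_commit_creds(int idx, muid_t uid, muid_t euid) {
    tasks[idx].cred.uid = uid;
    tasks[idx].cred.euid = euid;
    shadow[idx] = tasks[idx].cred;
}

/* What a privilege-escalation exploit typically does with a kernel write
 * primitive: stamp root creds into the task without any hook firing. */
void attack_overwrite_creds(int idx) {
    tasks[idx].cred.uid = 0;
    tasks[idx].cred.euid = 0;
}

int guard_task_alive(int idx) { return tasks[idx].alive; }

/* Syscall-entry hook: validate live creds against the shadow.
 * Returns 0 if consistent, 1 if tampering was detected (task is killed). */
int guard_syscall_entry(int idx) {
    if (memcmp(&tasks[idx].cred, &shadow[idx], sizeof shadow[idx]) != 0) {
        printf("ALERT: pid %d creds uid=%u euid=%u differ from tracked "
               "uid=%u euid=%u, killing\n",
               tasks[idx].pid, tasks[idx].cred.uid, tasks[idx].cred.euid,
               shadow[idx].uid, shadow[idx].euid);
        tasks[idx].alive = 0;
        return 1;
    }
    return 0;
}

/* Unprivileged task gains root through the legitimate path
 * (e.g. exec of a setuid-root binary): no alert. */
int scenario_legitimate_escalation(void) {
    guard_reset();
    int t = guard_track_task(4242, 1000);
    guard_commit_creds(t, 0, 0);
    return guard_syscall_entry(t);     /* 0: change went through the hook */
}

/* Unprivileged task has its creds overwritten behind the guard's back:
 * flagged the moment it makes another syscall. */
int scenario_exploit(void) {
    guard_reset();
    int t = guard_track_task(4243, 1000);
    attack_overwrite_creds(t);
    return guard_syscall_entry(t);     /* 1: detected, task killed */
}

int main(void) {
    printf("legitimate setuid: %d\n", scenario_legitimate_escalation());
    printf("cred overwrite:    %d\n", scenario_exploit());
    return 0;
}
```

Because detection happens at the next syscall entry, an exploit that elevates and then immediately does its damage before any further syscall would be a race the guard can lose, which is one flavour of the "bypassable by design" admission above.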

Zabrocki also has a Patreon for the project. ®
