Openwall unveils kernel protection project

Guarding the kernel against unauthorised changes

By Richard Chirgwin

Posted in Software, 5th February 2018 08:02 GMT

The folk at Openwall have called for assistance to create a security module that watches running Linux kernels for suspicious activity.

In the company's explanation, the Linux Kernel Runtime Guard (LKRG) is described as a module that “attempts to post-detect and hopefully promptly respond to unauthorised modifications to the running Linux kernel (integrity checking) or to credentials (such as user IDs) of the running processes (exploit detection).”

Developed by Adam Zabrocki (@adam_pi3) and now championed by Openwall, the code's first cut landed last week.

It's imperfect for now and Openwall admits it: “While LKRG defeats many pre-existing exploits of Linux kernel vulnerabilities, and will likely defeat many future exploits (including of yet unknown vulnerabilities) that do not specifically attempt to bypass LKRG, it is bypassable by design (albeit sometimes at the expense of more complicated and/or less reliable exploits).”

The LKRG wiki explains that it works by calculating hashes of important kernel regions, sections, and structures and comparing them against its “internal database hashes”.

Ideally, LKRG should first be loaded on a known-clean system (that is, after a brand-new install has been booted); it creates its trusted database of hashes from that environment, and uses those hashes to watch for changes. The caveat follows directly: if the baseline is taken on a kernel that has already been tampered with, the attacker's modifications become part of the trusted state and will never be flagged.

As this is a first cut of LKRG (as in, it's version 0.0), there's a substantial to-do list. Currently, it covers critical CPU/core data for the x86 and amd64 architectures, the Linux kernel .text section (the notes say “This covers almost [the] entire Linux kernel itself, like syscall tables, all procedures, all functions, all IRQ handlers, etc”), the Linux kernel exception table, the read-only .rodata section, the IOMMU I/O mappings, and loaded modules.
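To make the two mechanisms concrete, here is an added userspace C model written for this page; it is not LKRG's own code, which runs inside the kernel and hashes real kernel memory. It shows a trusted hash database built over "regions" that stand in for .text and the syscall table and re-verified later (integrity checking), and a shadow copy of a task's credentials validated against the live ones (exploit detection). The region contents, the fake syscall table, the pid and the uid values are all constructed for the demonstration, and the FNV-1a hash is this example's choice, not LKRG's.

```c
/* Added example (not LKRG code): userspace model of LKRG's two checks.
 * 1. Integrity: hash "kernel" regions on a clean system into a trusted database,
 *    then re-hash and compare later (post-detection).
 * 2. Exploit detection: keep a shadow copy of a task's credentials and flag a
 *    live/shadow mismatch, which a uid-overwriting exploit leaves behind.
 * Every region and task below is a constructed stand-in, not real kernel data. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* FNV-1a 64-bit; the hash choice is this example's, not LKRG's. */
static uint64_t fnv1a64(const void *buf, size_t len)
{
    const unsigned char *p = buf;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* One guarded region: stands in for .text, .rodata, the exception table or a module.
 * hash is the trusted value taken at baseline time. */
struct region { const char *name; const unsigned char *base; size_t len; uint64_t hash; };

#define MAX_REGIONS 8
struct guard_db { struct region regions[MAX_REGIONS]; size_t n; };

/* Baseline: record a region's hash on the known-clean system. */
static int db_add(struct guard_db *db, const char *name, const void *base, size_t len)
{
    if (db->n >= MAX_REGIONS)
        return -1;
    struct region *r = &db->regions[db->n++];
    r->name = name; r->base = base; r->len = len;
    r->hash = fnv1a64(base, len);
    return 0;
}

/* Post-detection: re-hash every region; returns how many no longer match
 * and names the first one in *first_bad. */
static size_t db_verify(const struct guard_db *db, const char **first_bad)
{
    size_t bad = 0;
    for (size_t i = 0; i < db->n; i++) {
        const struct region *r = &db->regions[i];
        if (fnv1a64(r->base, r->len) != r->hash) {
            if (bad++ == 0 && first_bad)
                *first_bad = r->name;
        }
    }
    return bad;
}

/* A task's live credentials plus the guard's shadow copy. A legitimate change
 * (setuid, execve of a setuid binary) goes through creds_set and updates both;
 * an exploit that writes uid=0 straight into the cred struct updates only the live copy. */
struct task_creds { int pid; unsigned uid, euid; unsigned shadow_uid, shadow_euid; };

static void creds_set(struct task_creds *t, unsigned uid, unsigned euid)
{
    t->uid = t->shadow_uid = uid;
    t->euid = t->shadow_euid = euid;
}

/* Validation at a syscall boundary: live credentials must equal the shadow. */
static int creds_ok(const struct task_creds *t)
{
    return t->uid == t->shadow_uid && t->euid == t->shadow_euid;
}

/* Constructed stand-ins for kernel data. */
static unsigned char fake_text[64] = "constructed .text bytes";
static uintptr_t fake_sys_call_table[4] = { 0x1000, 0x1010, 0x1020, 0x1030 };

/* Scenario 1: a rootkit-style syscall table hook. Returns 1 if detected. */
int scenario_hook_detected(void)
{
    struct guard_db db = { .n = 0 };
    const char *bad = NULL;
    db_add(&db, ".text", fake_text, sizeof fake_text);
    db_add(&db, "sys_call_table", fake_sys_call_table, sizeof fake_sys_call_table);
    if (db_verify(&db, &bad) != 0)
        return -1;                          /* a clean baseline must verify */
    uintptr_t saved = fake_sys_call_table[1];
    fake_sys_call_table[1] = 0xdeadbeef;    /* attacker redirects one entry */
    size_t n = db_verify(&db, &bad);
    fake_sys_call_table[1] = saved;         /* undo so the check is repeatable */
    return (n == 1 && bad && strcmp(bad, "sys_call_table") == 0) ? 1 : 0;
}

/* Scenario 2: an exploit overwrites uid/euid with 0 outside the setuid path. Returns 1 if detected. */
int scenario_creds_detected(void)
{
    struct task_creds t = { .pid = 1234 };   /* constructed pid */
    creds_set(&t, 1000, 1000);
    if (!creds_ok(&t))
        return -1;
    t.uid = t.euid = 0;
    return creds_ok(&t) ? 0 : 1;
}
```

The model also makes the "bypassable by design" point visible: the database only catches changes to regions it was told about, so a hook placed in unhashed memory goes unnoticed, and because the check is a post-detection an attacker who knows when it runs can restore the table before it fires, or use the stolen credentials before the next validation.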

Openwall said LKRG has been tested in various scenarios, and at the same time noted the kinds of limitations that apply:

“In our testing on vulnerable distro kernels LKRG successfully detected certain pre-existing exploits of CVE-2014-9322 (BadIRET), CVE-2017-5123 (waitid(2) missing access_ok), CVE-2017-6074 (use-after-free in DCCP protocol). However, it wouldn't be expected to detect exploits of CVE-2016-5195 (Dirty COW) since those directly target the userspace even if via the kernel.”

Zabrocki also has a Patreon for the project. ®
