Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Open Source Security Linux

LKRG: A Loadable Linux Kernel Module for Runtime Integrity Checking (bleepingcomputer.com) 36

An anonymous reader quotes BleepingComputer: Members of the open source community are working on a new security-focused project for the Linux kernel. Named Linux Kernel Runtime Guard (LKRG), this is a loadable kernel module that will perform runtime integrity checking of the Linux kernel. Its purpose is to detect exploitation attempts for known security vulnerabilities against the Linux kernel and attempt to block attacks. LKRG will also detect privilege escalation for running processes, and kill the running process before the exploit code runs.

Since the project is in such early development, current versions of LKRG will only report kernel integrity violations via kernel messages, but a full exploit mitigation system will be deployed as the system matures... While LKRG will remain an open source project, LKRG maintainers also have plans for an LKRG Pro version that will include distro-specific LKRG builds and support for the detection of specific exploits, such as container escapes. The team plans to use the funds from LKRG Pro to fund the rest of the project.

The first public version of LKRG -- LKRG v0.0 -- is now live and available for download on this page. A wiki is also available here, and a Patreon page for supporting the project has also been set up. LKRG kernel modules are currently available for main Linux distros such as RHEL7, OpenVZ 7, Virtuozzo 7, and Ubuntu 16.04 to latest mainlines.

This discussion has been archived. No new comments can be posted.

LKRG: A Loadable Linux Kernel Module for Runtime Integrity Checking

Comments Filter:
  • by fahrbot-bot ( 874524 ) on Sunday February 04, 2018 @08:01PM (#56068145)
    A loadable Linux kernel module to check the run-time integrity of LKRG. It will be modules all the way down [wikipedia.org] from there ...
  • by Mister Liberty ( 769145 ) on Sunday February 04, 2018 @08:46PM (#56068281)
    that doesn't like their 'business' model, the 'whatever Pro' thingy?
    • They could make the Pro version free for personal use. Or reduced cost. A lot of developers/companies only charge businesses and government for their products.

      If they decide to charge for personal use, then we'll have to look at the software to see if the free version is worthwhile on its own merits.

      I don't begrudge them a revenue stream. If they're doing this more as a job than a hobby, good for them.

  • I thought it was settled that you cannot defend against an attacker that loaded before your code, possibly with higher privileges.

    Hence you have a hard time dealing with new threat, that you do not detect once, and that is there before you load an updated module.

    • by Z00L00K ( 682162 )

      Like if you run the OS in a virtual environment - how can you trust the virtualization engine to not be compromised? Classic Blue Pill [wikipedia.org] attack.

  • by Anonymous Coward

    Ok this is probably a stupid question but I don't understand why this is useful.

    If they're going to protect against known exploits then not just fix the exploit?

    Were there problems getting the fix accepted in the mainstream kernel, or is this for honeypots to watch exploit attempts? Who wants this and why?

    • by Anonymous Coward

      From TFS:

      Peslyak says LKRG is most suited for Linux machines that can't be rebooted right in the aftermath of a security flaw to patch the kernel. LKRG allows owners to continue to run the machine with a security measure in place until patches for critical vulnerabilities can be tested and deployed during planned maintenance windows.

  • Has anyone seen something like 'Tripwire' making it to a standard distro? That could actually be useful and it would be relatively easy to implement. Therefore, I'm wondering why nobody seems to bother?
  • Interesting project, however now i wonder how many people will opt for using this module (which could be easily activated & used) instead of properly patching their systems.

    The module only detects known vulnerabilities, if you are running a tight ship, you should be all patched and what use does this have then?

    • Interesting project, however now i wonder how many people will opt for using this module (which could be easily activated & used) instead of properly patching their systems.

      Yes, we share this concern. What matters even more: will fewer or more systems get compromised as a result? Or even: will the cumulative damage of those compromises decrease or increase? We have no answers to these, yet we feel that an imperfect security measure like this may have its reasonable uses on some systems.

      The module only detects known vulnerabilities, if you are running a tight ship, you should be all patched and what use does this have then?

      "Only detects known vulnerabilities" is an error in the BleepingComputer article, but regardless - yes, ideally you should be all patched, but realistically you might not be and there might be y

  • FFS, what on earth is this good for? Just fix the damn vulnerability in the kernel and be done with it.

Houston, Tranquillity Base here. The Eagle has landed. -- Neil Armstrong

Working...