1. 9

Linux Kernel Runtime Guard (LKRG) is a loadable kernel module that performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel. As controversial as this concept is, LKRG attempts to post-detect and hopefully promptly respond to unauthorized modifications to the running Linux kernel (integrity checking) or to credentials (such as user IDs) of the running processes (exploit detection). For process credentials, LKRG attempts to detect the exploit and take action before the kernel would grant the process access (such as open a file) based on the unauthorized credentials.

Mailing list announcement


  2. 5

    … we might introduce paid LKRG Pro…

    – Openwall: bringing security into open environments


    1. 3

      Wait, so they’re putting some code in kernel mode to protect the kernel from things that hit it aiming for full read and write access to kernel code? Wouldn’t that…

      “it is bypassable by design (albeit sometimes at the expense of more complicated and/or less reliable exploits). Thus, it can be said that LKRG provides security through diversity”

      …only work if they didn’t know this feature existed? Yep. On top of it, the description implies they’re way behind CompSci and high-sec again since almost all of the latter are doing this stuff at the hypervisor layer to reduce bypass opportunities. The first I saw that wasn’t complicated was SecVisor in 2007 which turned into TrustVisor in 2010. Later, CompSci had solutions using the OS or maybe hypervisor to process stuff while they remain untrusted. I never quite bought into that since too many interactions with malicious stuff on same hardware. Separation kernels just isolating the apps is still strongest model since they rely on simple mechanisms. INTEGRITY-178B, Muen, and GenodeOS use that model.