
The folk at OpenWall have called for assistance to create a security module to watch Linux kernels for suspicious activity. In the company's explanation, the Linux Kernel Runtime Guard (LKRG) is described as a module that “attempts to post-detect and hopefully promptly respond to unauthorised modifications to the running Linux …

  1. Anonymous South African Coward

    I have to assume they will also cater for updates, especially to the kernel etc? And how to handle it, especially if it is a headless server running in some inaccessible place.

    Still remember the irritation of having to approve applications with some Windows firewall/antivirus especially after Windows Update did its thing (think it was ZoneAlarm).

    1. Brian Miller

      I remember when McAfee did this with one of their products.

      They also have a "pro" version. If you don't want to bother with compiling it yourself, they'll do it for you.

      From reading their wiki, I wonder if this can be effectively integrated as they claim. How many kernel modules does this break?

  2. Christian Berger

    I am skeptical

    I mean unless this is extremely simple and very well written it's likely to actually increase the attack surface of the kernel. At least they admit the obvious that it's bypassable.

    1. Charles 9

      Re: I am skeptical

      At least they admit they're still at the "throw it against the wall" phase and are looking for input. I have to wonder as well how well a kernel guard can work against attacks either against itself or against elements below it like the hardware.

        1. Paul Crawford

        Re: I am skeptical

        I think the key point is the kernel (in fact, most OS stuff) is simply too big and complicated to be correct. And so they are proposing a much simpler system to look for changes that should not happen as an indication of bugs or exploits being used. It is unlikely to stop the likes of GCHQ/NSA/FSB's best, but it is not a bad idea if it is small and reliable. A bit like Apparmor for additional protection against badly behaved (or compromised) daemons, web browsers, etc.

        Of course those in favour of provable microkernels will be gloating at this point, but they still have the problems of (a) lower level faults (CPU bugs, non-proven libraries, etc) and (b) no one really uses them for the sort of big jobs we generally want. That is dominated by Linux (monolithic monstrosity) and Windows (microkernel virginity long since lost).

        1. Glad Im Done with IT

          Re: I am skeptical

          So who is going to write the kernel module to monitor the activity of this thing then?

          LKRGG, LKRGG2 this is a silly idea.

  3. Anonymous Coward

    True protection requires a CPU redesign

    Preferably, not made by Intel, AMD or ARM...

  4. Alister

    create a security module to watch Linux kernels for suspicious activity.

    Ah, a systemd sniffer?

    1. Alistair

      @ Alister:

      If you've been sniffing systemd, I'd suggest a 28 day vacation.

      1. Alister

        @Alistair

        I've heard that sniffing systemd is terminal...

    2. Anonymous Coward

      People are watching

      Sounds a lot like a SELinux kernel overlay. It is worth doing but I have to wonder what the performance hit is going to be.

  5. Anonymous Coward

    If you have an attack that can modify the kernel

    The first thing you'll modify is this "kernel modification detection" code, so it won't detect the changes you're making...
