Linux Kernel Runtime Guard 0.9.1 Is Released

"Shared/cloud hosting providers and their users. Security enthusiasts. Security-hardened distros."

"Generally, no. There isn't much local security on typical Linux desktop systems/distros anyway, in the way those systems are configured and used, irrespective of any locally exploitable Linux kernel vulnerabilities. Thus, adding LKRG would result in inconsistent security. Specifically, on a typical single-user Linux desktop system there's that one user account that uses "sudo" to access root, so it is effectively root-equivalent (only different from root in terms of safety from mistakes, not really in terms of security). LKRG does provide some relevant security hardening to such systems anyway - it might detect a web browser vulnerability exploit trying to escape the web browser's sandbox - so it could help e.g. a vulnerable system withstand web browser attacks in the Pwn2Own contest. However, that's not how most end-user systems are actually compromised (when they are).

A security enthusiast can very well reasonably use LKRG on their desktop system, though, primarily for consistency with their other systems, and for advance testing of kernel+LKRG combinations prior to deployment on the servers the person manages."

"Not necessarily "all kinds", but generally yes. LKRG helps on systems where there are multiple users (or at least pseudo-users for multiple services), and especially where kernels might not be updated or rebooted into in a timely manner after new vulnerabilities are discovered."

"No, it is primarily for servers that provide much more than firewall functionality. It isn't nearly as useful on firewalls - not much need for local security when the device does just one thing anyway. However, with web-managed firewalls and such this gets nuanced - the web server is a separate service, hopefully running in its privilege-separated context from the actual firewall functionality (wishful thinking?) and LKRG can help harden that separation."

"The following major changes have been made between LKRG 0.9.0 and 0.9.1:

• Support CONFIG_HAVE_STATIC_CALL on Linux 5.10+
• Fix SELinux integrity violation false positive bug (introduced into LKRG in March 2021 and manifesting itself on Linux 4.17+ when SELinux is already in enforcing mode when LKRG is loaded)
• Improve systemd service and its installation, add /etc/sysctl.d/lkrg.conf
• Add the debian/ directory in order to support the Debian build system based on pbuilder/dpkg-buildpackage"

"RT kernels are not supported primarily because their use cases and priorities are inconsistent with LKRG's - it's safety vs. security. Usually safety and security go hand in hand, but in the case of LKRG it's a tradeoff. Besides, this would be more work for us, and yes there are also performance considerations, but these concerns are secondary."

"The idea of writing something like LKRG had been growing in my mind for quite a long time. The first serious attempts to write something similar date back to 2009 and my work at CERN. However, the decision to write the first line of LKRG code with its current functionality (more advanced compared to 2009) I made in 2015. The first version of LKRG (0.0) was released in February 2018 under Openwall umbrella.

As you can see, I was struggling with myself as to whether there was a need for such project. It took me some time to convince myself that it's something important and needed. The answer to your question "why did I write LKRG" is the same as what arguments convinced me to pull the trigger and create LKRG. There are several of them:

• I've been an Offensive Security Engineer focusing on rootkits and exploits for some time (since 2003/2004). I've realized that in principle many of the techniques of "infecting" the Linux kernel did not change at all for the last 20+ years. The same applies to many kernel exploitation techniques.
• Other OSes have been facing similar problems as well. However, they tried to address them and some of the solutions have been developed. Those are not perfect, there are some ways to bypass them (although it's not cheap), but it's better than being open to the same 20+ years old techniques.
• Over the years, I've learned that even if some of the protections are imperfect, they can significantly hurt reliability of exploitation or make it harder. In most cases this is good enough to stop mass attacks - those not targeting specific users - and thus protect the users.
• I've also learned that most of the time people who write rootkits or exploits are not the same people who use them. If during an attack the latter people face non-trivial protection or an exploit is not reliable enough (e.g., due to LKRG), they won't be able to or won't bother to adjust the tools and will move on to another target.
• However, even if they are able and willing to adjust the tools, it might be already too late since LKRG will take appropriate action (e.g., panic the kernel), which will be visible to the owner of the system.

It is worth adding that as far as I'm aware, all of the anti-exploitation / security technologies (including mitigations) follow the same path and are generally by-passable, e.g.:

• Firewalls are commonly trivial to bypass, but you still use them
• Antiviruses are trivial to bypass, but people pay money for them
• Mitigations:
  • ASLR and especially KASLR are easy to bypass, but people still want to have them enabled in the system
  • Non-executable memory is easy to bypass, but people still want to have it enabled in the system
  • SMEP is easy to bypass, but people still want to have it enabled in the system
  • Stack cookies are bypassable but people still compile binaries with them
  • RelRO are bypassable but people still enable that flag
• Any anti-threat technology (e.g., Capsule8, Crowdstrike, WDATP, and many others) can be bypassed or completely disabled (some of them run in user mode), but people pay a lot of money to use them

LKRG is no different here, except for the "price" part, since many of these technologies are not available for free.

Taking all these into account, I came to the conclusion that LKRG can improve Linux ecosystem and bring useful security functionalities that everyone can benefit from. It will also bring some of the "comparable functionality" from other OSes into the Linux world, like Patch Guard, Advanced Threat Protection (ATP), monitoring, and more:

• https://en.wikipedia.org/wiki/Kernel_Patch_Protection
• https://digitalguardian.com/blog/what-advanced-threat-protection-atp"

"As far as we're aware, currently it's security enthusiasts and security hardened distros. We also see interest from security hardened mobile distros (for smartphones and such), but we're not aware of specific uses in those yet (there might be some)."

"Apples to oranges. These are orthogonal, and can reasonably co-exist.

SELinux is a Linux kernel mechanism to enforce policies in the userspace, assuming that the kernel itself is not compromised. SELinux generally doesn't protect the kernel from getting compromised via kernel vulnerabilities, and is generally completely ineffective afterwards. Further, even in absence of Linux kernel vulnerabilities, SELinux is only effective as far as its policies configured on the system are - thus, it generally won't protect a service it's unaware of (has no policy written for).

LKRG is a mechanism to protect the Linux kernel itself, in case the kernel is vulnerable and is (almost) compromised by an attack on it. LKRG is a last-resort defense for the kernel, trying to catch attacks on the kernel that have almost succeeded."

"We don't intend to ever make LKRG non-free only. We might (or might not) introduce a non-free version, but if we do we intend to also continue with the free software versions."