LKRG Esm W900

Openwall recently announced the release of LKRG (Linux Kernel Runtime Guard) 0.9.0, featuring a host of major changes and improvements, as well as fixes for multiple security bugs. LKRG is a kernel module that performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel.

In an email sent to the LKRG Users List announcing the release of LKRG 0.9.0, Openwall Founder Alexander Peslyak (known by many as “Solar Designer”) outlines the major changes that have been made between LKRG 0.8.1 and 0.9.0, and explains the significance of these updates:

 

 *) Support new mainline kernel versions 5.8 to 5.12 (inclusive) and new stable

    kernels 5.4.87+ (which include some back-ports from 5.8+)

 *) Support new RHEL kernels up to RHEL 8.4's (inclusive)

 *) Support building LKRG in the kernel tree (not only as a standalone module),

    as a module or linking into the kernel image (see scripts/copy-builtin.sh)

 *) Support CONFIG_FUNCTION_TRACER with or without CONFIG_DYNAMIC_FTRACE

 *) Support various CONFIG_OPTPROBES configurations

 *) Support loading overlayfs[2] after LKRG (e.g., by Docker; previously, the

    overlayfs[2] module had to be loaded before LKRG for Docker to work)

 *) "Support" CONFIG_GCC_PLUGIN_RANDSTRUCT (don't monitor SELinux if enabled)

 *) Explicitly do not support RT kernels

 *) Fix support for 32-bit x86 (was unintentionally broken in LKRG for ages,

    but could mostly work on many pre-5.7 kernel and LKRG builds by "luck")

 *) Fix detection of process user/group ID corruption to cover any unexpected

    changes (previously, only numerically lower new IDs, as exploits normally

    use, would be detected - a limitation left over from early LKRG testing)

 *) Fix logging of WP/SMEP/SMAP violations on systems with SMAP in the "log and

    accept" mode (previously, one such violation could mute logging of others)

 *) Add detection of ADDR_LIMIT corruption attacks

 *) Remove validation of waking-up tasks (drop pint_validate=2)

 *) Replace execve(2) hooks (instead hook security_bprm_committing_creds and

    security_bprm_committed_creds, which shortens the race window for exploits)

 *) Replace ptrace(2) hooks (instead hook security_ptrace_access)

 *) Simplify UMH blocking and make it compatible with CPA-protected pages

 *) Simplify and speed up do_exit hook (no need to validate a dying process)

 *) Many other changes under the hood to make LKRG easier to maintain and debug

 *) Integrate LKRG with out-of-tree (a tool to assist kernel module testing)

 *) Integrate LKRG with mkosi (systemd's tool for generating a test boot image)

 *) Continuous Integration setup: boot tests on GitHub Actions using mkosi

    (with Ubuntu's release kernels and their daily builds of mainline kernels)

 

As you can see, we had to make changes to support Linux kernels newer

than those available at the time of previous release.  Almost every

major kernel release, and some back-ports too, broke compatibility with

LKRG.  Since we did not make new LKRG releases, people with those newer

kernels were advised (on the LKRG homepage and otherwise) to use our

latest code off GitHub, which we tried to keep in a stable state (lately

in part through use of Continuous Integration).  We also preserved

support for all of the old kernels we supported previously (RHEL7, etc.)

 

LKRG 0.8.1 was already smaller than 0.8, and with 0.9 the LKRG source

code became a bit smaller again (at least in terms of line count) due to

the simplifications we made, despite of significant additions:

 

$ git diff --shortstat v0.8.1..v0.9.0

 126 files changed, 3919 insertions(+), 4375 deletions(-)

 

Also, perhaps in part due to our move to GitHub, we started to receive

more direct contributions to LKRG development (GitHub pull requests).

The full list of direct contributors to this release is:

 

$ git shortlog -sn v0.8.1..v0.9.0

    67  Adam 'pi3' Zabrocki

    15  Solar Designer

    12  Mariusz Zaborski

     7  Vladimir D. Seleznev

     5  0xC0ncord

     5  RageLtMan

     5  Vitaly Chikunov

     2  F0x1fy

     1  William

     1  disrupttheflow

 

I'd like to specifically highlight the contribution of support for

building LKRG in-tree (scripts/copy-builtin.sh and related testing) by

RageLtMan and the contribution of mkosi integration and Continuous

Integration setup by Vitaly Chikunov.  I'd also like to highlight

Mikhail Klementev's offer to use his out-of-tree framework, which Adam

eventually added the integration for.

 

The announcement also mentions various Linux kernel issues that LKRG principal developer Adam 'pi3' Zabrocki discovered in the development and testing of LKRG:

 

During LKRG development and testing I've found 7 Linux kernel bugs, 4 of them

have CVE numbers (however, 1 CVE number covers 2 bugs):

 

CVE-2021-3411  - Linux kernel: broken KRETPROBES and OPTIMIZER

CVE-2020-27825 - Linux kernel: Use-After-Free in the ftrace ring buffer

                 resizing logic due to a race condition

CVE-2020-25220 - Linux kernel Use-After-Free in backported patch for

                 CVE-2020-14356 (affected kernels: 4.9.x before 4.9.233,

                 4.14.x before 4.14.194, and 4.19.x before 4.19.140)

CVE-2020-14356 - Linux kernel Use-After-Free in cgroup BPF component (affected

                 kernels: since 4.5+ up to 5.7.10)

 

I've also found 2 other issues related to the ftrace UAF bug (CVE-2020-27825):

 

- Deadlock issue which was not really addressed and devs said they will take a

  look and there are not many updates on that.

- Problem with the code related to hwlatd kernel thread - it is incorrectly

  synchronizing with launcher / killer of it. You can have WARN in kernels all

  the time.

 

CVE-2021-3411 refers to 2 different type of bugs:

- Broken KRETPROBE (recently reported)

- Incompatibility of KPROBE optimizer with the latest changes in the linker.

 

Additionally, I've also found a bug with the kernel signal handling in dying

process:

 

CVE-2020-12826 - Linux kernel prior to 5.6.5 does not sufficiently restrict

                 exit signals

 

However, I don't remember if I found it during my work related to LKRG so I'm

not counting it here (otherwise it would be total 8 bugs while 5 of them would

have CVE).

 

That's pretty bad stats... However, it might be an interesting story to say

during LKRG announcement of the new version. It could be also interesting talk

for a conference.

 

The kretprobes and ftrace issues here are of questionable security

relevance (this functionality is not exposed for attack under most

reasonable threat models), but all of these are interesting bugs.

 

Peslyak welcomes any feedback on this release. In a recent email exchange with LinuxSecurity.com security researchers, Peslyak summarizes the main benefits that LKRG offers users, “LKRG offers best-effort protection against kernel vulnerability exploits with little effort on behalf of the user - no need to configure a policy, etc. - making it especially beneficial for systems that are not expected to be consistently kept up-to-date.”

 

You can download LKRG 0.9.0 lkrg.

 

Are you using LKRG to help secure your Linux system? Have you downloaded LKRG 0.9.0? What are your thoughts? We want to hear!

Connect with us on social media:

Twitter | Facebook