
Linux Kernel Runtime Guard - adrelanos
https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG
======
jws
In a nutshell: This watches critical kernel data and reports or acts on
atypical changes to normally static data.

_Linux Kernel Runtime Guard (LKRG) is a loadable kernel module that performs
runtime integrity checking of the Linux kernel and detection of security
vulnerability exploits against the kernel. As controversial as this concept
is, LKRG attempts to post-detect and hopefully promptly respond to
unauthorized modifications to the running Linux kernel (integrity checking) or
to credentials (such as user IDs) of the running processes (exploit
detection). For process credentials, LKRG attempts to detect the exploit and
take action before the kernel would grant the process access (such as open a
file) based on the unauthorized credentials._

~~~
brendangregg
Neat, but for everyone writing kernel modules: can this be a BPF program?

Looking at what LKRG does, it sounds like it can.

At my employer, asking us to add a kernel module to our BaseAMI (since this
needs to run on every instance) is a very hard sell. Asking us to add a BPF
program, which comes with security by design, is much much easier. Or put it
this way: we add zero kernel modules to our BaseAMI, but last I counted we
were at 15 BPF programs (and Facebook has over 40.)

~~~
pmccarren
Wasn't familiar with BPF programs until I saw your comment, and subsequently
went on a search trail. Really like what I've read. BPF and XDP provide so
much utility!

I thought Jessie had a good overview[0] of BPF

[0] [https://blog.jessfraz.com/post/linux-observability-with-bpf/](https://blog.jessfraz.com/post/linux-observability-with-bpf/)

~~~
pstuart
Brendan Gregg literally wrote the book on BPF:
[http://www.brendangregg.com/bpf-performance-tools-book.html](http://www.brendangregg.com/bpf-performance-tools-book.html)

He is an engineering god.

------
swatkat
Looks similar to PatchGuard[0] in Windows. PatchGuard simply ended the whole
rootkit mess, and rootkit vs anti-rootkit wars on Windows.

[0] [https://en.wikipedia.org/wiki/Kernel_Patch_Protection](https://en.wikipedia.org/wiki/Kernel_Patch_Protection)

------
TrueDuality
The problem I have with this as a solution is that the environments where
custom kernel modules or kernel modifications in general are being used as a
layer of security are already largely customizing these threats out.

Disabling kernel module loading, or restricting it to signed modules shuts
down many of the vectors without using out of tree code. There are many
security switches that are generally left off in widely distributed kernels
that provide deep protection when you don't need to support everyone's project
and app.

For specific distributions like those listed this is fine, but those also
generally aren't used in higher assurance environments either.

~~~
cbsks
> There are many security switches that are generally left off in widely
> distributed kernels that provide deep protection when you don't need to
> support everyone's project and app.

Is there a place where these options are listed? Preferably with the pros/cons
of enabling each option.

~~~
inetknght
> _Is there a place where these options are listed? Preferably with the
> pros/cons of enabling each option._

Good place to start: building your own kernel from source. I tried that once
and was quite overwhelmed with the sheer number of knobs and features that are
available.

While I do still want a centralized list of things to do/check for hardening a
kernel, I don't think it will _ever_ be exhaustive. And some pros/cons would
involve very _deeply_ complex behavior which would be difficult to determine
whether or not the tradeoff is even relevant.
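Added example, not from any commenter in this thread: a small audit that parses a kernel `.config` and flags the kind of build-time hardening switches TrueDuality mentions (module signature enforcement, strict RWX, lockdown, and so on). The option list, the tradeoff notes and the sample config excerpt are the editor's own choices and assumptions, not a list from the thread or from any distribution.

```python
import re

# Kernel build-time hardening switches of the kind TrueDuality's comment alludes to.
# The selection and notes are the editor's, not a list taken from the thread.
CHECKS = [  # (option, expected value, what it buys / costs)
    ("CONFIG_MODULE_SIG_FORCE", "y", "refuse unsigned modules; out-of-tree code must be signed"),
    ("CONFIG_STRICT_KERNEL_RWX", "y", "kernel text read-only, kernel data non-executable"),
    ("CONFIG_STRICT_MODULE_RWX", "y", "same W^X split for loaded module memory"),
    ("CONFIG_SECURITY_LOCKDOWN_LSM", "y", "lockdown LSM; may break tools that poke /dev/mem"),
    ("CONFIG_HARDENED_USERCOPY", "y", "bounds-check copies to/from user space"),
    ("CONFIG_INIT_ON_ALLOC_DEFAULT_ON", "y", "zero memory on allocation; measurable CPU cost"),
    ("CONFIG_DEVKMEM", "n", "/dev/kmem is a classic kernel-memory write path"),
]

# Constructed .config excerpt for the demo; not copied from any real distribution kernel.
SAMPLE_CONFIG = """\
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
# CONFIG_SECURITY_LOCKDOWN_LSM is not set
CONFIG_HARDENED_USERCOPY=y
# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
CONFIG_DEVKMEM=y
"""

SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_kconfig(text):
    """Map option -> value from .config text; '# ... is not set' lines become 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if m := SET_RE.match(line):
            opts[m.group(1)] = m.group(2).strip('"')
        elif m := UNSET_RE.match(line):
            opts[m.group(1)] = "n"
    return opts

def audit(opts):
    """Return (option, expected, actual, note) for each check the config fails.
    An option absent from the file is treated as 'n' (unset or unknown to that kernel)."""
    return [(name, want, opts.get(name, "n"), note)
            for name, want, note in CHECKS if opts.get(name, "n") != want]

if __name__ == "__main__":
    # On a live box, feed it the text of /boot/config-$(uname -r) or zcat /proc/config.gz.
    for name, want, have, note in audit(parse_kconfig(SAMPLE_CONFIG)):
        print(f"{name}: expected {want}, found {have} -- {note}")
```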

------
rvz
With some very business-critical limitations [0]. If one were to implement
security features like LKRG and it disrupted other components in the system,
then, promising as the security research looks, I'm afraid we'll have to wait
for it to improve before we can use it.

[0] [https://www.openwall.com/lists/lkrg-users/2019/11/18/1](https://www.openwall.com/lists/lkrg-users/2019/11/18/1)

~~~
CameronNemo
I don't mean to detract from your point, but if VirtualBox is business
critical, I would suggest changing your business. Apart from KVM being a far
superior hypervisor, Oracle licensing provisions are a noticeable liability.

[https://www.reddit.com/r/sysadmin/comments/d1ttzp/oracle_is_...](https://www.reddit.com/r/sysadmin/comments/d1ttzp/oracle_is_going_after_companies_using_virtualbox/?utm_source=amp&utm_medium=&utm_content=post_title)

~~~
Hello71
also, the vbox drivers are considered to be "crap":
[https://www.phoronix.com/scan.php?page=news_item&px=OTk5Mw](https://www.phoronix.com/scan.php?page=news_item&px=OTk5Mw)

~~~
Thaxll
The dev at Oracle must feel great to have their work labeled as "crap".

~~~
CameronNemo
As if they didn't already know. Remember -- we are not defined by the shitty
hacks we write to pay our rent.

------
Stierlitz
LKRG sounds brilliant, why not integrate such features directly into the
kernel?

~~~
perlgeek
It's currently experimental. When it matures, and if there's enough developer
power behind it, it might find its way into the mainline kernel.

