LKRG 0.9.2 has been released: here is what's new

The Openwall project recently announced the release of a new version of the kernel module "LKRG 0.9.2" (Linux Kernel Runtime Guard), which is designed to detect and block attacks and violations of the integrity of kernel structures.

LKRG currently supports x86-64, x86 32-bit, AArch64 (ARM64), and ARM 32-bit CPU architectures.

About LKRG

As mentioned, the LKRG module is responsible for performing integrity checks of the Linux kernel at runtime and for detecting exploits of security vulnerabilities against the kernel. For example, the module can protect against unauthorized changes to the running kernel and against attempts to change the permissions of user processes (by detecting the use of exploits).

The module is suitable both for protecting against exploits of already known vulnerabilities in the Linux kernel (for example, in situations where it is difficult to update the kernel on the system) and for countering exploits of as yet unknown vulnerabilities.

It should be understood that LKRG is a kernel module (not a kernel patch), so it can be compiled for and loaded on a wide range of mainline and distribution kernels, without the need for any of them to be patched.

Currently, the module supports kernel versions ranging from RHEL7 (and its many clones / revisions) and Ubuntu 16.04 to the latest mainline and distribution kernels.

Main new features of LKRG 0.9.2

In this new version, the developers mention that compatibility is ensured with Linux kernels 5.14 to 5.16-rc, as well as with the LTS kernels 5.4.118+, 4.19.191+ and 4.14.233+.

At the time of our previous release, LKRG 0.9.1, Linux 5.12.x was the latest kernel. We were lucky that it also worked as is on Linux 5.13.x and on newer 5.10.x long-term series kernels. However, as of 5.14, as well as for the 3 older long-term kernel series listed in the changelog earlier, we had to make changes to support those newer kernel versions.

Among the changes that stand out in the new version, the release adds support for various CONFIG_SECCOMP settings, as well as support for the kernel parameter "nolkrg" to disable LKRG at boot time.

As for bug fixes, a false positive caused by a race condition during SECCOMP_FILTER_FLAG_TSYNC processing was fixed, and support for the CONFIG_HAVE_STATIC_CALL configuration in Linux kernels 5.10+ was also corrected (fixed race conditions when unloading other modules).

In addition, the names of modules blocked when using the lkrg.block_modules=1 setting are now written to the log.

Other notable changes in this new version:

  • sysctl settings are now placed in the /etc/sysctl.d/01-lkrg.conf file.
  • Added a dkms.conf configuration file for the DKMS (Dynamic Kernel Module Support) system, which is used to build third-party modules after a kernel update.
  • Improved and updated support for debug builds and continuous integration systems.

Finally, if you are interested in knowing more about the project, you should know that the project code is distributed under the GPLv2 license.

For those who are interested in installing this module, it is important to mention that it requires a kernel build directory corresponding to the Linux kernel image on which the module will run. For example, on Debian and Ubuntu, you can get the required build infrastructure just by installing the linux-headers package:

sudo apt-get install linux-headers-$(uname -r)

In the case of distributions such as RHEL, Fedora or those based on them (including CentOS), the package to install is the following:

sudo yum install kernel-devel
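
The prerequisites and settings mentioned above can be checked before building or loading the module. The following script is an added example, not code from the LKRG project or from the original post; the function names are hypothetical, and it assumes the usual /lib/modules/<release>/build location for the kernel build tree and that the lkrg.* sysctls appear under /proc/sys/lkrg once the module is loaded.

```sh
#!/bin/sh
# Added example: preflight checks before building or loading LKRG.
# Function names are hypothetical; paths can be overridden for testing.

# Succeeds if a kernel build tree for release $1 exists under modules root $2.
has_build_dir() {
    [ -f "${2:-/lib/modules}/$1/build/Makefile" ]
}

# Succeeds if the command line in file $1 has "nolkrg" as a whole token.
cmdline_has_nolkrg() {
    f=${1:-/proc/cmdline}
    [ -r "$f" ] || return 1
    tr -s '[:space:]' '\n' < "$f" | grep -qx 'nolkrg'
}

# Prints the value of sysctl lkrg.$1 from file $2 (last assignment wins,
# commented-out lines are ignored); fails if the key is not set there.
lkrg_sysctl_value() {
    f=${2:-/etc/sysctl.d/01-lkrg.conf}
    [ -r "$f" ] || return 1
    sed -n "s/^[[:space:]]*lkrg\.$1[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" \
        "$f" | tail -n 1 | grep .
}

# Prints a short report for the running system; always returns 0.
lkrg_preflight() {
    rel=$(uname -r)
    if has_build_dir "$rel"; then echo "build tree: present for $rel"
    else echo "build tree: MISSING for $rel (install the matching headers)"; fi
    if cmdline_has_nolkrg; then echo "boot: nolkrg is set, LKRG disabled at boot"
    else echo "boot: nolkrg is not set"; fi
    if [ -d /proc/sys/lkrg ]; then echo "sysctls: lkrg.* registered (module loaded)"
    else echo "sysctls: lkrg.* not present (module not loaded)"; fi
    v=$(lkrg_sysctl_value block_modules) || v="unset"
    echo "config: lkrg.block_modules=$v in /etc/sysctl.d/01-lkrg.conf"
    return 0
}

lkrg_preflight
```

A missing build tree for the running release usually means the installed headers package belongs to a different kernel version than the one currently booted.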

To learn more, including the compilation instructions, you can consult the information at the following link.

