# LKRG [Link](https://openwall.info/wiki/p_lkrg/Main#What-is-LKRG)

#### LKRG

- Open source project
- A commercial version, LKRG Pro, can be tailored to a specific operating system

#### What is LKRG?

- Protects kernel regions/sections/structures by comparing hashes computed over those regions with the hashes stored in its internal database
- To get the full benefit of LKRG, load the LKRG module right after the operating system is installed, so that the database of hashes is built from a state that can be trusted
- Purpose (two main ideas)
  * Prevent unintended modification of the Linux kernel: anyone adding new functionality to the Linux operating system must follow the ==rules==
  * The ==rules== are the official Linux API, which guarantees that the functionality works, as opposed to unsupported patching of the kernel
  * LKRG is not a perfect project: it can be bypassed, and this weakness is known. Used properly, it still raises the bar for an attacker.
  * ![](https://i.imgur.com/yTk5AUK.png)
  * Implements an Exploit Detection feature that can detect the process of kernel exploitation

## Guarded regions

* Critical CPU/core data
  * From a stability and security perspective this data is very sensitive. Each core of each CPU is guarded separately: the checking routine runs on, and verifies the hashes of, each core independently, so a change on any single core is caught
  * LKRG keeps information about:
    * How many (V)CPUs/cores are available in the system
    * How many online (V)CPUs/cores are available in the system
    * How many offline (V)CPUs/cores are available in the system
    * How many possible (V)CPUs/cores might in total be available in the system
* Entire Linux kernel .text section
  * This covers almost the entire Linux kernel itself: all procedures and functions, all IRQ handlers, etc. The syscall table, which on current kernels lives in read-only data, is covered by the read-only section below
* Exception table
* Read-only section (.rodata)
* IOMMU table
* Modules
  * Based on the module linked list

    ```
    1. struct module pointer (a.k.a. THIS_MODULE)
    2. Name
    3. Pointer to the module_core
    4. Size of the .text section
    5. Hash of the entire .text section for that module
    ```

  * Based on the KOBJs

    ```
    1. struct module pointer (a.k.a. THIS_MODULE)
    2. Pointer to the module_kobject structure
    3. Entire KOBJ structure (except the list_head and kref information)
    4. Name
    5. Pointer to the module_core
    6. Size of the .text section
    7. Hash of the entire .text section for that module
    ```

  * Cross-checks between the two views

    ```
    1. Number of entries in the module list
    2. Number of KOBJs in the specific KSET
    3. Specific order of the linked list in the module list
    4. Specific order of the KOBJs in the KSET
    ```

### TODO

```
- Hash of the internal database
- Hash of LKRG itself
- APIC / Local APIC
- MADT / FADT / RSDT / ACPI
- Call gates
- Integrity of processes
- Check that callbacks / notification routines point into modules which we know and are tracking
- Data integrity for critical structures like:
  - proc_root
  - Critical files (like /etc/shadow, /etc/passwd, etc.)
  - TTY hooks
```

---

### Threat model

* Attacking the kernel from the boot chain (e.g. attacks from MBR/BIOS/UEFI, initramfs, etc.)
  * Defending against this class of attack is currently not the first priority
* Attacking the kernel via kernel vulnerabilities
  * Partially protected
* Persistence of the attack, e.g. kernel backdoors
  * This is what LKRG mainly protects against

### LKRG experimental branch

* Attacking the user-mode client
* Protected logs
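The two checks from the Guarded regions section above, modelled in user space as an added example. This is not LKRG's own code: the FNV-1a hash, the `guarded_region` / `mod_view` structures, the byte blobs standing in for `.text` and `.rodata`, and the module names are all constructed stand-ins. It shows why the hash database must be built from a clean state (the verdict is only ever "differs from the snapshot"), and how comparing the module linked list against the KOBJ view exposes a module that has unlinked itself to hide from `lsmod`.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a 64-bit over a byte range: a stand-in for the hash LKRG takes
 * over each guarded region (hypothetical choice, not LKRG's algorithm). */
static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* A guarded region and the hash recorded when the database was built. */
struct guarded_region {
    const char *name;
    const uint8_t *base;
    size_t len;
    uint64_t baseline;
};

/* Build the database. Every later verdict rests on this snapshot being
 * taken from a clean system (hence "load LKRG right after install"). */
static void db_init(struct guarded_region *db, size_t n)
{
    for (size_t i = 0; i < n; i++)
        db[i].baseline = fnv1a64(db[i].base, db[i].len);
}

/* Re-hash every region and return how many no longer match the baseline. */
static size_t db_verify(const struct guarded_region *db, size_t n)
{
    size_t violations = 0;
    for (size_t i = 0; i < n; i++) {
        if (fnv1a64(db[i].base, db[i].len) != db[i].baseline) {
            printf("integrity violation: %s\n", db[i].name);
            violations++;
        }
    }
    return violations;
}

/* One module as seen from one of the kernel's two views (list vs. KOBJ). */
struct mod_view {
    const char *name;
    size_t text_size;
    uint64_t text_hash;
};

/* The module linked list and the KOBJ set must agree in count, order and
 * per-module data. A module that unlinks itself from the list still has
 * its kobject, so the two views diverge and the check fails. */
static int modules_consistent(const struct mod_view *list, size_t nlist,
                              const struct mod_view *kobj, size_t nkobj)
{
    if (nlist != nkobj)
        return 0;
    for (size_t i = 0; i < nlist; i++) {
        if (strcmp(list[i].name, kobj[i].name) != 0 ||
            list[i].text_size != kobj[i].text_size ||
            list[i].text_hash != kobj[i].text_hash)
            return 0;
    }
    return 1;
}

/* Scenario 1: constructed ".text" and ".rodata" blobs. After the database
 * is built, one instruction byte in .text is patched (an inline hook).
 * Returns the number of regions flagged: 1 (.text only). */
static size_t demo_text_tamper(void)
{
    uint8_t text[8]   = {0x55, 0x48, 0x89, 0xe5, 0x31, 0xc0, 0x5d, 0xc3};
    uint8_t rodata[8] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
    struct guarded_region db[] = {
        { ".text",   text,   sizeof text,   0 },
        { ".rodata", rodata, sizeof rodata, 0 },
    };
    db_init(db, 2);
    if (db_verify(db, 2) != 0)
        return (size_t)-1;      /* a clean system must verify clean */
    text[4] = 0xb8;             /* xor eax,eax -> start of mov eax,imm32 */
    return db_verify(db, 2);
}

/* Scenario 2: constructed module names. The KOBJ view still lists "evil",
 * the module list no longer does. Returns 0 (inconsistent). */
static int demo_hidden_module(void)
{
    const struct mod_view kobj[] = {
        { "ext4", 0x40000, 0x1111 }, { "evil", 0x2000, 0x2222 }, { "e1000", 0x30000, 0x3333 } };
    const struct mod_view list[] = {
        { "ext4", 0x40000, 0x1111 }, { "e1000", 0x30000, 0x3333 } };
    return modules_consistent(list, 2, kobj, 3);
}

int main(void)
{
    printf(".text tamper: %zu region(s) flagged\n", demo_text_tamper());
    printf("module views consistent: %d\n", demo_hidden_module());
    return 0;
}
```

The model only shows the decision logic; the real checker reads kernel memory from inside the kernel and is itself a target, which is why "Hash of LKRG itself" and "Hash of the internal database" appear on the TODO list above: a baseline that an attacker can rewrite, or a checker whose own code can be patched, verifies nothing.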