LKRG 0.1 : pi3 blog



by pi3

LKRG 0.1 was just released:

The change log is as follows:

  • Support RHEL 7.4 kernels
  • Make new compiler happy (gcc 7.3+)
  • Improve Makefile
  • Improve Exploit Detection performance and hardened ‘off’ flag
  • Add support for kernel 4.15
  • Move SELinux integrity check to the workqueue
  • Fix how *_JUMP_LABEL is handled when 0xCC byte is injected

My main priorities for the release are:

  • There is a very nasty corner case in the memory when *_JUMP_LABEL is in the middle of the instruction modification. Instruction can be only half-baked modified and during this phase integrity verification might fail (False-Positive). I will work to address this weird state of the *_JUMP_LABEL and fix it.
  • Add new sysctl option to the communication channel which allows administrator to disable “randomness” of when kernel integrity functionality is fired. Currently, kernel integrity is enforced to be fired by the timer and at a random event in the system. The details can be found here:

    If an administrator wants to reduce performance impact which LKRG may introduce, he would be able to completely disable “random event” kernel-integrity enforcement. Obviously, this will have an impact on the security promises.

  • Linux kernel may inject a usermode helper thread into the workqueue which will execute user-mode binary (kernel injects a routine into the kernel thread which executes user-mode binary). In a very specific corner case it might introduce False Positives in the Exploit-Detection module. I will try to research this problem and fix it in the next release.

Best regards,


Leave a Reply

CAPTCHA * Time limit is exhausted. Please reload the CAPTCHA.