OpenWall 近期开源了一个新的内核防护项目 LKRG(全称为 Linux Kernel Runtime Guard),这是一个可加载的核心模块,可用来检查 Linux 内核的运行完整性,并侦测针对该内核的攻击。
LKRG 是一个内核模块而非补丁,可用于主流的 Linux 发行版本中,主要有两大功能。一是在 Linux 系统中开发扩展功能时实施各种规定,以避免那些不被 Linux 内核支持的更改;另外一个则是侦测针对内核的攻击,例如当内核要根据未授权的凭证赋予读取权限时加以拦截。
不过,OpenWall 同时强调,LKRG 目前仍处于早期实验阶段,版本为 v0.0,不排除偶尔出现误报的情况。
Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645615] [p_lkrg] <Exploit Detection> Detected pointer swapping attack!process[1486 | exploit_no_smap] has different 'cred' pointer [0xffff9560a5d886c0 vs 0xffff9560a5d88300] Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645653] [p_lkrg] <Exploit Detection> Detected pointer swapping attack!process[1486 | exploit_no_smap] has different 'real_cred' pointer [0xffff9560a5d886c0 vs 0xffff9560a5d88300] Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645685] [p_lkrg] <Exploit Detection> process[1486 | exploit_no_smap] has different UID! 1000 vs 0 Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645704] [p_lkrg] <Exploit Detection> process[1486 | exploit_no_smap] has different EUID! 1000 vs 0 Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645723] [p_lkrg] <Exploit Detection> process[1486 | exploit_no_smap] has different SUID! 1000 vs 0 Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645742] [p_lkrg] <Exploit Detection> process[1486 | exploit_no_smap] has different FSUID! 1000 vs 0 Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645761] [p_lkrg] <Exploit Detection> process[1486 | exploit_no_smap] has different GID! 1000 vs 0 Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645780] [p_lkrg] <Exploit Detection> process[1486 | exploit_no_smap] has different EGID! 1000 vs 0 Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645799] [p_lkrg] <Exploit Detection> process[1486 | exploit_no_smap] has different SGID! 1000 vs 0 Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645817] [p_lkrg] <Exploit Detection> process[1486 | exploit_no_smap] has different FSGID! 1000 vs 0 Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645836] [p_lkrg] <Exploit Detection> Detected SECCOMP corruption!process[1486 | exploit_no_smap] has corrupted TIF_SECCOMP flag! [1 vs 0] Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645862] [p_lkrg] <Exploit Detection> Detected SECCOMP corruption!process[1486 | exploit_no_smap] has different SECCOMP mode! [SECCOMP_MODE_FILTER vs SECCOMP_MODE_DISABLED] Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645894] [p_lkrg] <Exploit Detection> Detected SECCOMP corruption!process[1486 | exploit_no_smap] has different SECCOMP filter pointer! [0xffff9560a4345600 vs 0x (null)] Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645925] [p_lkrg] <Exploit Detection> Trying to kill process[exploit_no_smap | 1486]! Dec 19 19:35:25 pi3-ubuntu kernel: [ 157.976342] hv_balloon: Balloon request will be partially fulfilled. Balloon floor reached.