Release of LKRG 1.0.0 for protection against exploitation of Linux kernel vulnerabilities

The Openwall project has released the LKRG 1.0.0 kernel module (Linux Kernel Runtime Guard), designed to check the integrity of kernel structures and to detect attempts to exploit vulnerabilities in the kernel. The release of version 1.0.0 marks the maturity of the project. The project's code is distributed under the GPLv2 license.

The module is suitable both for protection against attacks that exploit known vulnerabilities in the Linux kernel and for countering exploits for previously unknown vulnerabilities, unless they use special techniques to bypass LKRG. Protection is based on detecting unauthorized changes to the running kernel (integrity checking) and on monitoring changes to the privileges of user processes (exploit detection).

Integrity checking is performed by comparing hashes computed for the most important memory regions and kernel data structures, such as the IDT (Interrupt Descriptor Table), MSRs, system call tables, all procedures and functions, interrupt handlers, the list of loaded modules, the contents of the ".text" sections of modules, and process attributes. The check is run periodically by a timer or when certain events occur in the kernel, for example on calls to setuid, setreuid, fork, exit, execve and do_init_module.

Exploit detection and attack blocking take place at the stage before the kernel grants access to a resource (for example, before a file is opened), but after the process has obtained unauthorized privileges (for example, a changed UID). When unauthorized behavior is detected in processes, they are forcibly terminated, which is enough to block many exploits. The module's overhead is estimated at 2-2.5%.
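The check described above can be modeled in user space: a guard keeps a private shadow copy of each task's credentials, updates it only on a legitimate change, and compares the two copies before access is granted. This is an added example, not LKRG code and not part of the original article; all structure and function names are hypothetical, and the real module attaches to kernel functions rather than being called directly.

```c
/* User-space model (added example, hypothetical names; not LKRG code). */
#include <stdio.h>

#define MAX_TASKS 8
struct cred   { unsigned uid, gid; };                   /* used by the "kernel" */
struct task   { int pid; struct cred cred; int alive; };
struct shadow { int pid; struct cred cred; int used; }; /* guard's private copy */
static struct shadow shadow_db[MAX_TASKS];

static struct shadow *shadow_find(int pid) {
    for (int i = 0; i < MAX_TASKS; i++)
        if (shadow_db[i].used && shadow_db[i].pid == pid) return &shadow_db[i];
    return NULL;
}

/* Hook on fork/execve: start tracking the task with its current creds. */
int guard_track(const struct task *t) {
    for (int i = 0; i < MAX_TASKS; i++) {
        struct shadow *s = &shadow_db[i];
        if (s->used) continue;
        s->pid = t->pid; s->cred = t->cred; s->used = 1;
        return 0;
    }
    return -1;                                          /* table full */
}

/* Hook on a legitimate setuid(): kernel copy and shadow copy change together. */
int guard_setuid(struct task *t, unsigned uid) {
    struct shadow *s = shadow_find(t->pid);
    if (!s) return -1;
    t->cred.uid = s->cred.uid = uid;
    return 0;
}

/* Hook before resource access (e.g. open): 0 = allow, -1 = task terminated. */
int guard_check_before_access(struct task *t) {
    struct shadow *s = shadow_find(t->pid);
    if (s && s->cred.uid == t->cred.uid && s->cred.gid == t->cred.gid)
        return 0;
    t->alive = 0;              /* mismatch or untracked task: force termination */
    if (s) s->used = 0;
    return -1;
}

int main(void) {               /* constructed scenario */
    struct task t = { 42, { 1000, 1000 }, 1 };
    guard_track(&t);
    t.cred.uid = 0;            /* simulated out-of-band overwrite of the creds */
    int verdict = guard_check_before_access(&t);
    printf("verdict=%d alive=%d\n", verdict, t.alive);
    return 0;
}
```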

Supported architectures include x86-64, AArch64 (ARM64), ARM32, and x86. LKRG 1.0.0 has been tested with kernels from various distributions, starting with the 3.10 kernel from RHEL/CentOS 7 and ending with 6.17-rc4 from the repository in which Fedora 44 is being prepared for release. Packages are available for the ALT Linux, Arch Linux, Astra Linux, Gentoo, Guix, NixOS, Rocky Linux, Whonix, Yocto and OpenBMC distributions. The packages built for Rocky Linux can be used on RHEL 8/9 and derived distributions such as AlmaLinux 8/9, and the packages for Whonix on Debian and Ubuntu.

Changes in the new version include:

  • Compatibility with Linux kernels up to release 6.17-rc4 is ensured.
  • When used with kernels since 6.13, interception of the separate calls to override_creds() and revert_creds() has been discontinued, which limited the detection of attacks that overwrite the cred pointer. An attempt has been made to compensate for this limitation by adding checks for overwriting of the cred pointer elsewhere in the kernel.
  • Redundant tracking of credentials that are not integrity-checked has been discontinued. The change reduced the code base by 1500 lines.
  • Support has been added for the mechanism, introduced in Linux kernel 6.10, for creating temporary files in the OverlayFS file system using the O_TMPFILE option (ovl_tmpfile). This support is needed to prevent false positives when isolated containers are used on systems with kernels 6.10-6.12.
  • For x86_64 systems, support has been added for Intel CET (Control-flow Enforcement Technology), which protects executable code using IBT (Indirect Branch Tracking) instructions, and for the kCFI (kernel Control Flow Integrity) software protection, which blocks violations of the normal order of execution (control flow) caused by exploits that modify function pointers stored in memory.
  • To attach many of the handlers, the kprobes mechanism is now used instead of kretprobes, which simplifies the hook code and allows higher performance.
  • The locking around the data that mirrors tasks defined in the kernel (per-task shadow data) has been reworked. Eliminating unnecessary locks made it possible to increase the performance of access to this data.
  • Bugs that led to race conditions, integrity check problems, and false positives have been fixed.
  • Support for building with Clang has been improved.

Source: opennet.ru