Release of the LKRG 0.8 module for protection against exploitation of vulnerabilities in the Linux kernel

The Openwall project has published the release of the kernel module LKRG 0.8 (Linux Kernel Runtime Guard), designed to detect and block attacks and violations of the integrity of kernel structures. For example, the module can protect against unauthorised modification of the running kernel and against attempts to change the privileges of user processes (detecting the use of exploits). The module is suitable both for organising protection against already known exploits for the Linux kernel (for example, in situations where updating the kernel on a system is difficult) and for countering exploits for still unknown vulnerabilities. The project code is distributed under the GPLv2 licence.

Among the changes in the new version:

  • The positioning of the LKRG project has changed: it is no longer split into separate subsystems for integrity checking and exploit detection, but is presented as a single product for detecting attacks and various integrity violations;
  • Compatibility is provided with Linux kernels 5.3 through 5.7, as well as with kernels compiled with aggressive GCC optimisations, without the CONFIG_USB and CONFIG_STACKTRACE options or with the CONFIG_UNWINDER_ORC option, and with kernels that lack functions LKRG hooks, where those functions can be done without;
  • At build time, some mandatory CONFIG_* kernel settings are checked so that meaningful error messages are produced instead of obscure failures;
  • Added support for standby (ACPI S3, suspend to RAM) and hibernation (S4, suspend to disk) modes;
  • Added DKMS support to the Makefile;
  • Experimental support for 32-bit ARM platforms has been implemented (tested on a Raspberry Pi 3 Model B). The existing AArch64 (ARM64) support has been extended to provide compatibility with the Raspberry Pi 4 board;
  • New hooks have been added, including a handler for the capable() call, to better detect exploits that manipulate "capabilities" rather than process identifiers (credentials);
  • New logic has been proposed for detecting attempts to escape namespace restrictions (for example, from Docker containers);
  • On x86-64 systems, the SMAP (Supervisor Mode Access Prevention) bit is checked and enforced; it is designed to block access to user-space data from privileged code running at the kernel level. SMEP (Supervisor Mode Execution Prevention) protection had already been implemented earlier;
  • At run time, LKRG settings are placed on a memory page that is normally read-only;
  • Operational information that could be most useful to an attacker (for example, information about kernel addresses) is restricted to the debug level (log_level=4 and above), which is disabled by default;
  • The scalability of the process-tracking database has been increased: instead of a single RB tree protected by a single spinlock, a hash table of 512 RB trees protected by 512 read-write locks is used;
  • A mode has been implemented and enabled by default in which the integrity of process credentials is most often checked only for the current task, and optionally for tasks being activated (woken up). For other tasks, which are sleeping or running without calling the kernel APIs monitored by LKRG, the check is performed less frequently;
  • New sysctl and module parameters have been added for fine-tuning LKRG, as well as two sysctls for simplified configuration by choosing from sets of fine-grained settings (profiles) prepared by the developers;
  • The default settings have been changed to achieve a better balance between the speed of detecting violations and the effectiveness of the response on one side, and the impact on performance and the risk of false positives on the other;
  • The systemd unit file has been reworked to load the LKRG module at an early stage of boot (a kernel command-line option can be used to disable the module).

Taking into account the optimisations proposed in the new release, the performance penalty when using LKRG 0.8 is estimated at 2.5% in the default ("heavy") mode and 2% in the lightweight ("light") mode.

In a recent study of the effectiveness of rootkit-detection packages, LKRG showed the best results, detecting 8 of the 9 tested kernel-level rootkits without false positives (the rootkits Diamorphine, Honey Pot Bears, LilyOfTheValley, Nuk3 Gh0st, Puszek, Reptile, Rootfoo Linux Rootkit and Sutekh were detected, but Keysniffer, which is a kernel module with a keylogger rather than a rootkit in the strict sense, was missed). By comparison, the AIDE, OSSEC and Rootkit Hunter packages found 2 of the 9 rootkits, while Chkrootkit detected none. At the same time, LKRG does not support detecting rootkits residing in user space, so the greatest effectiveness is achieved by combining AIDE and LKRG, which together detected 14 of 15 rootkits of all types.

Additionally, it can be noted that the developer of the Whonix distribution has begun producing ready-made DKMS packages for Debian, Whonix, Qubes and Kicksecure, and the Arch Linux packages have already been updated to version 0.8. Packages with LKRG are also available in the Russian distributions ALT Linux and AstraLinux.

Integrity checking in LKRG is performed by comparing the actual code and data of the kernel and its modules, some important data structures and CPU settings, with stored hashes or copies of the corresponding memory areas, data structures or registers. Checks are triggered both periodically by a timer and on the occurrence of various events.

Detection of possible exploit use and blocking of attacks takes place at the stage before the kernel grants access to a resource (for example, before a file is opened) but after a process has obtained unauthorised privileges (for example, a UID change). When unauthorised behaviour is detected, the processes involved are forcibly terminated by default, which is sufficient to block many exploits.
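The validation path described above, modelled in Python as an added example (this is not LKRG's code; the Cred and CredGuard names and the handling of untracked tasks are assumptions of the toy):

```python
# Added toy model (not LKRG's code) of the credential validation described
# above: a task's credentials are recorded when they change through a
# monitored kernel API and re-validated before the kernel grants a resource.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cred:
    uid: int
    euid: int
    caps: frozenset = frozenset()   # effective capabilities, e.g. CAP_SYS_ADMIN


class CredGuard:
    def __init__(self):
        self._db = {}       # pid -> last legitimately recorded Cred
        self.killed = []    # pids terminated by the guard

    def track(self, pid, cred):
        """Called at fork/exec: remember the task's starting credentials."""
        self._db[pid] = cred

    def monitored_change(self, pid, cred):
        """Change through a hooked API (setuid, capset, ...): the kernel
        authorised it, so the recorded copy is updated."""
        self._db[pid] = cred

    def validate(self, pid, live):
        """Run before a resource is granted (e.g. a file open).
        Returns True if access may proceed, False if the task was killed."""
        expected = self._db.get(pid)
        # Toy assumption: an untracked task is handled like a mismatch.
        if expected is None or live != expected:
            self.killed.append(pid)
            self._db.pop(pid, None)
            return False
        return True


def demo():
    """Constructed scenario: one legitimate setuid, one exploit-style change."""
    g = CredGuard()
    g.track(1000, Cred(uid=1000, euid=1000))
    g.track(1001, Cred(uid=1000, euid=1000))
    # pid 1000 gains root through the hooked API (e.g. a setuid binary).
    g.monitored_change(1000, Cred(uid=0, euid=0))
    ok_legit = g.validate(1000, Cred(uid=0, euid=0))
    # pid 1001's cred struct was overwritten in memory with no monitored
    # call, so the access is refused and the task is terminated.
    ok_exploit = g.validate(1001, Cred(uid=0, euid=0, caps=frozenset({"CAP_SYS_ADMIN"})))
    return ok_legit, ok_exploit, tuple(g.killed)
```

The real module compares far more state (kernel text, CPU registers, the full cred structure) and does so from inside the kernel; the toy only reproduces the decision logic.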

Source: opennet.ru
