Release of LKRG 0.8, a module for protection against exploitation of vulnerabilities in the Linux kernel

The Openwall project has published the release of the kernel module LKRG 0.8 (Linux Kernel Runtime Guard), designed to detect and block attacks and violations of the integrity of kernel structures. For example, the module can protect against unauthorized changes to the running kernel and against attempts to change the permissions of user processes (detection of exploit usage). The module is suitable both for organizing protection against already known exploits for the Linux kernel (for example, in situations where updating the kernel on the system is difficult) and for countering exploits for not yet known vulnerabilities. The project code is distributed under the GPLv2 license.

Among the changes in the new version:

  • The positioning of the LKRG project has changed: it is no longer divided into separate subsystems for integrity checking and exploit detection, but is presented as a complete product for identifying attacks and various integrity violations;
  • Compatibility is provided with Linux kernels from 5.3 to 5.7, as well as with kernels built with aggressive GCC optimizations, without the CONFIG_USB and CONFIG_STACKTRACE options or with the CONFIG_UNWINDER_ORC option, and with kernels that lack the functions LKRG hooks, where those can be done without;
  • At build time, some mandatory CONFIG_* kernel settings are checked in order to produce meaningful error messages instead of an obscure crash;
  • Added support for standby (ACPI S3, suspend to RAM) and sleep (S4, suspend to disk) modes;
  • Added DKMS support to the Makefile;
  • Experimental support for 32-bit ARM platforms has been implemented (tested on a Raspberry Pi 3 Model B). The previously available AArch64 (ARM64) support has been extended for compatibility with the Raspberry Pi 4 board;
  • New hooks have been added, including a handler for the capable() call, to better identify exploits that manipulate "capabilities" rather than process IDs (credentials);
  • New logic has been proposed for detecting attempts to escape namespace restrictions (for example, from Docker containers);
  • On x86-64 systems, the SMAP (Supervisor Mode Access Prevention) bit is checked and enforced; it is designed to block access to user-space data from privileged code running at the kernel level. SMEP (Supervisor Mode Execution Prevention) protection was implemented earlier;
  • At runtime, LKRG settings are placed in a memory page that is normally read-only;
  • Logging of information that could be most useful for attacks (for example, address information in the kernel) is limited to the debugging mode (log_level=4 and higher), which is disabled by default.
  • The scalability of the process tracking database has been increased: instead of a single RB tree protected by a single spinlock, a hash table of 512 RB trees protected by 512 read-write locks is used;
  • A mode has been implemented and enabled by default in which the integrity of process identifiers is usually checked only for the current task, and optionally also for activated (woken) tasks. For other tasks that are asleep or running without accessing the kernel API controlled by LKRG, the check is performed less often.
  • Added new sysctl and module parameters for fine-tuning LKRG, as well as two sysctls for simplified configuration by choosing from sets of fine-tuning settings (profiles) prepared by the developers;
  • The default settings have been changed to achieve a more balanced trade-off between the speed of violation detection and the effectiveness of the response, on one side, and the performance impact and the risk of false positives, on the other;
  • The systemd unit file has been reworked to load the LKRG module early in boot (a kernel command line option can be used to disable the module);

Taking into account the optimizations proposed in the new release, the performance overhead when using LKRG 0.8 is estimated at 2.5% in the default ("heavy") mode and 2% in the light ("light") mode.

In a recently conducted study of the effectiveness of rootkit detection packages, LKRG showed the best results, detecting 8 of the 9 tested rootkits operating at the kernel level without false positives (the rootkits Diamorphine, Honey Pot Bears, LilyOfTheValley, Nuk3 Gh0st, Puszek, Reptile, Rootfoo Linux Rootkit and Sutekh were detected, while Keysniffer, which is a kernel module with a keylogger rather than a rootkit in the strict sense, was missed). For comparison, the AIDE, OSSEC and Rootkit Hunter packages detected 2 of the 9 rootkits, while Chkrootkit detected none. At the same time, LKRG does not support detection of rootkits located in user space, so the greatest effectiveness is achieved by using a combination of AIDE and LKRG, which made it possible to identify 14 of 15 rootkits of all types.

Additionally, it can be noted that the developer of the Whonix distribution has started building ready-made packages with DKMS for Debian, Whonix, Qubes and Kicksecure, and the Arch Linux package has already been updated to version 0.8. Packages with LKRG are also available in the Russian ALT Linux and AstraLinux.

Integrity checking in LKRG is performed by comparing the actual code and data of the kernel and its modules, certain important data structures and CPU settings against stored hashes or copies of the corresponding memory areas, data structures or registers. The checks run periodically on a timer and when various events occur.
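The mechanism described above, reduced to its core, as an added example that is not LKRG's own code: a region of memory (here a constructed buffer standing in for kernel code) is hashed when the guard is armed, re-hashed on every check, and a mismatch means the region was modified. The same block also shows the kind of CPU-setting check the article mentions for x86-64: the SMEP and SMAP bits of CR4 (bits 20 and 21, as defined in the architecture) must still be set. The FNV-1a hash, the buffer contents and the function names are assumptions made for this example; they are not taken from LKRG.

```c
/* Added example, not LKRG code: integrity checking by comparing a memory
 * region against a stored hash, plus a CR4 control-register check. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Architectural CR4 bit positions on x86-64. */
#define CR4_SMEP (1ULL << 20)
#define CR4_SMAP (1ULL << 21)

/* 64-bit FNV-1a: a stand-in for whatever hash a real guard would use. */
static uint64_t region_hash(const unsigned char *p, size_t len)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

struct guarded_region {
    const unsigned char *base;  /* start of the region to protect */
    size_t len;
    uint64_t baseline;          /* hash recorded when the guard was armed */
};

/* Record the trusted state. In a real guard this happens at module load. */
static void guard_arm(struct guarded_region *g, const unsigned char *base, size_t len)
{
    g->base = base;
    g->len = len;
    g->baseline = region_hash(base, len);
}

/* Re-hash and compare: 1 if the region still matches its baseline, 0 if it
 * changed. A real guard calls this from a timer and on various events. */
static int guard_verify(const struct guarded_region *g)
{
    return region_hash(g->base, g->len) == g->baseline;
}

/* SMEP and SMAP must both remain set in CR4; a cleared bit is reported. */
static int cr4_protection_intact(uint64_t cr4)
{
    return (cr4 & (CR4_SMEP | CR4_SMAP)) == (CR4_SMEP | CR4_SMAP);
}

/* End-to-end scenario over a constructed buffer standing in for kernel text.
 * Returns 1 when the guard accepts the untouched buffer and flags the patched one. */
int demo_detects_code_patch(void)
{
    unsigned char text[64];
    struct guarded_region g;

    for (size_t i = 0; i < sizeof text; i++)
        text[i] = (unsigned char)(0x90 + i);   /* constructed, arbitrary bytes */

    guard_arm(&g, text, sizeof text);
    int before = guard_verify(&g);             /* untouched: 1 */

    text[17] ^= 0x01;                          /* simulate a one-byte modification */
    int after = guard_verify(&g);              /* modified: 0 */

    return before == 1 && after == 0;
}

int main(void)
{
    printf("modification detected: %s\n", demo_detects_code_patch() ? "yes" : "no");
    printf("CR4 with SMEP|SMAP intact: %d\n", cr4_protection_intact(CR4_SMEP | CR4_SMAP));
    printf("CR4 with SMAP cleared intact: %d\n", cr4_protection_intact(CR4_SMEP));
    return 0;
}
```

Because a single differing byte changes the FNV-1a state and every later step is a bijection on that state, the two hashes in the demo are guaranteed to differ; a production guard would still prefer a hash that is hard to collide on purpose, and would store the baselines somewhere an attacker with kernel write access cannot trivially refresh them.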

Detection of possible exploit usage and blocking of attacks take place at the stage before the kernel grants access to a resource (for example, before opening a file), but after the process has already obtained unauthorized permissions (for example, a changed UID). When unauthorized behaviour is detected, by default the process is forcibly terminated, which is sufficient to block many exploits.
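The detection step described above, and the capable() hook from the change list, both rest on the same idea: a copy of each process's credentials is kept in a tracking database, legitimate credential changes update that copy through an authorized hook, and at the point where the kernel is about to grant a resource the task's current credentials are compared with the tracked ones. The following is an added example that is not LKRG's own code; the table layout (a flat open-addressed table of 512 slots, where LKRG 0.8 uses 512 RB trees with read-write locks), the PIDs, the capability mask and the function names are assumptions made for illustration.

```c
/* Added example, not LKRG code: track process credentials and flag a
 * privilege change that did not go through an authorized path. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SLOTS 512   /* constructed: flat table; LKRG 0.8 uses 512 RB trees */

struct creds { uint32_t uid; uint32_t euid; uint64_t caps; };
struct tracked { int pid; int used; struct creds creds; };

static struct tracked table[SLOTS];

enum verdict { ALLOW = 0, KILL = 1, UNTRACKED = 2 };

static unsigned slot_for(int pid) { return (unsigned)pid % SLOTS; }

/* Locate the entry for pid by linear probing; NULL when the pid is not tracked. */
static struct tracked *find(int pid)
{
    for (unsigned i = 0; i < SLOTS; i++) {
        struct tracked *t = &table[(slot_for(pid) + i) % SLOTS];
        if (!t->used) return NULL;
        if (t->pid == pid) return t;
    }
    return NULL;
}

static int creds_equal(const struct creds *a, const struct creds *b)
{
    return a->uid == b->uid && a->euid == b->euid && a->caps == b->caps;
}

/* Hooked on process creation: remember the credentials the kernel handed out. */
static int track_process(int pid, struct creds c)
{
    for (unsigned i = 0; i < SLOTS; i++) {
        struct tracked *t = &table[(slot_for(pid) + i) % SLOTS];
        if (!t->used || t->pid == pid) {
            t->used = 1; t->pid = pid; t->creds = c;
            return 1;
        }
    }
    return 0;   /* table full */
}

/* Hooked on the legitimate credential-changing path (e.g. a setuid call
 * completing normally): refresh the trusted copy so the change is not
 * mistaken for an exploit. */
static int authorized_update(int pid, struct creds c)
{
    struct tracked *t = find(pid);
    if (!t) return 0;
    t->creds = c;
    return 1;
}

/* Hooked before a resource is granted (file open, capable(), ...): compare
 * what the task now presents with what was tracked. */
static enum verdict validate_at_syscall(int pid, const struct creds *now)
{
    struct tracked *t = find(pid);
    if (!t) return UNTRACKED;
    return creds_equal(&t->creds, now) ? ALLOW : KILL;
}

/* Scenario with constructed PIDs. Returns 1 when the legitimate elevation is
 * allowed and both unauthorized changes are flagged for termination. */
int demo_scenario(void)
{
    memset(table, 0, sizeof table);
    struct creds user = { 1000, 1000, 0 };
    struct creds root = { 0, 0, ~0ULL };
    track_process(1234, user);
    track_process(4321, user);

    /* Legitimate elevation passes through the authorized hook first. */
    authorized_update(1234, root);
    enum verdict v1 = validate_at_syscall(1234, &root);       /* ALLOW */

    /* Credentials changed with no authorized update seen: flagged. */
    enum verdict v2 = validate_at_syscall(4321, &root);       /* KILL */

    /* UIDs intact but the capability mask grew; caught because caps are
     * tracked too, which is what the capable() hook is for. */
    struct creds capsmuggle = { 1000, 1000, 1ULL << 21 };     /* constructed mask */
    enum verdict v3 = validate_at_syscall(4321, &capsmuggle); /* KILL */

    return v1 == ALLOW && v2 == KILL && v3 == KILL;
}

int main(void)
{
    printf("scenario behaves as expected: %s\n", demo_scenario() ? "yes" : "no");
    return 0;
}
```

The check deliberately sits at the point of use rather than at the moment credentials change: an exploit that edits credentials directly never passes through the authorized hook, so the first syscall that consults the tracked copy exposes the discrepancy. This is also why LKRG's default response is to terminate the process, since at that stage the unauthorized permissions exist but have not yet been used to reach a resource.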

Source: opennet.ru
