Release of the LKRG 0.8 module for protection against exploitation of vulnerabilities in the Linux kernel

The Openwall project has published the release of the kernel module LKRG 0.8 (Linux Kernel Runtime Guard), designed to detect and block attacks and integrity violations of kernel structures. For example, the module can protect against unauthorized changes to the running kernel and against attempts to change the permissions of user processes (detecting the use of exploits). The module is suitable both for organizing protection against already known exploits for the Linux kernel (for example, in situations where it is difficult to update the kernel on the system) and for countering exploits for as-yet-unknown vulnerabilities. The project code is distributed under the GPLv2 license.

Among the changes in the new version:

  • The positioning of the LKRG project has changed: it is no longer divided into separate subsystems for integrity checking and for detecting the use of exploits, but is presented as a complete product for identifying attacks and various integrity violations;
  • Compatibility is provided with Linux kernels from 5.3 to 5.7, as well as with kernels compiled with aggressive GCC optimizations, without the CONFIG_USB and CONFIG_STACKTRACE options or with the CONFIG_UNWINDER_ORC option, and with kernels from which functions that LKRG relies on have been removed;
  • At build time, some required CONFIG_* kernel settings are checked so that meaningful error messages are produced instead of obscure crashes;
  • Added support for standby (ACPI S3, suspend to RAM) and hibernation (S4, suspend to disk) modes;
  • Added DKMS support to the Makefile;
  • Experimental support for 32-bit ARM platforms has been implemented (tested on a Raspberry Pi 3 Model B). The previously available support for AArch64 (ARM64) has been extended to provide compatibility with the Raspberry Pi 4 board;
  • New hooks have been added, including a capable() call handler, to better identify exploits that manipulate "capabilities" rather than process IDs (credentials);
  • New logic has been proposed for detecting attempts to escape namespace restrictions (for example, from Docker containers);
  • On x86-64 systems, SMAP (Supervisor Mode Access Prevention) is checked and enforced; it is designed to block access to user-space data from privileged code running at the kernel level. SMEP (Supervisor Mode Execution Prevention) protection was implemented earlier;
  • At run time, LKRG settings are placed in a memory page that is normally read-only;
  • Logging of information that could be very useful in attacks (for example, information about addresses in the kernel) is limited to debug mode (log_level=4 and above), which is disabled by default.
  • The scalability of the process-tracking database has been increased: instead of a single RB tree protected by one spinlock, a hash table of 512 RB trees protected by 512 read-write locks is used;
  • A mode has been implemented and enabled by default in which the integrity of process identifiers is usually checked only for the current task, and optionally for tasks that have been activated (woken up). For other tasks that are in a sleeping state or are running without accessing the kernel API controlled by LKRG, the check is performed less often.
  • New sysctl and module parameters have been added for fine-tuning LKRG, as well as two sysctls for simplified configuration by choosing from sets of fine-tuning settings (profiles) prepared by the developers;
  • The default settings have been changed to achieve a more balanced trade-off between the speed of violation detection and the effectiveness of the response, on the one hand, and the impact on performance and the risk of false positives, on the other;
  • The systemd unit file has been redesigned to load the LKRG module early during boot (a kernel command line option can be used to disable the module);

Taking into account the optimizations proposed in the new release, the performance degradation when using LKRG 0.8 is estimated at 2.5% in the default ("heavy") mode and 2% in the "light" mode.

In a recently conducted study of the effectiveness of rootkit-detection packages, LKRG showed the best results, identifying 8 of the 9 tested rootkits operating at the kernel level without any false positives (the rootkits Diamorphine, Honey Pot Bears, LilyOfTheValley, Nuk3 Gh0st, Puszek, Reptile, Rootfoo Linux Rootkit and Sutekh were identified, but Keysniffer, which is a kernel module with a keylogger rather than a rootkit in the literal sense, was missed). For comparison, the AIDE, OSSEC and Rootkit Hunter packages detected 2 of the 9 rootkits, while Chkrootkit did not detect any. At the same time, LKRG does not support the detection of rootkits located in user space, so the greatest effectiveness is achieved by using a combination of AIDE and LKRG, which made it possible to identify 14 of the 15 rootkits of all types.

In addition, it can be noted that the developer of the Whonix distribution has started building ready-made DKMS packages for Debian, Whonix, Qubes and Kicksecure, and the Arch Linux package has already been updated to version 0.8. Packages with LKRG are also available in the Russian distributions ALT Linux and Astra Linux.

Integrity checking in LKRG is performed by comparing the actual code and data of the kernel and its modules, some important data structures and CPU settings with stored hashes or copies of the corresponding memory areas, data structures or registers. The checks are triggered both periodically by a timer and on the occurrence of various events.

Detecting the possible use of an exploit and blocking the attack is performed at the stage before the kernel grants access to a resource (for example, before opening a file), but after the process has obtained unauthorized permissions (for example, a changed UID). When unauthorized behaviour is detected, the offending processes are forcibly terminated by default, which is enough to block most exploits.
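As an added illustration of the checking order described above (a hypothetical model written for this page, not LKRG's own code): a task's IDs and effective capabilities are snapshotted at each legitimate credential transition and re-validated just before a resource access, so that an ID or capability that changed without such a transition marks the task for termination. The function names, the fixed-size table and the "untracked task is a violation" policy are assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

/* Hypothetical model of LKRG-style credential tracking: uid/euid and the
 * effective capability mask are recorded per task and compared later. */
typedef struct {
    int      pid;
    uint32_t uid, euid;
    uint64_t caps;      /* effective capability bitmask */
    bool     in_use;
} tracked_task;

#define MAX_TASKS 64     /* constructed size; LKRG uses a hash table of RB trees */
static tracked_task task_db[MAX_TASKS];

static tracked_task *find_task(int pid) {
    for (int i = 0; i < MAX_TASKS; i++)
        if (task_db[i].in_use && task_db[i].pid == pid)
            return &task_db[i];
    return NULL;
}

/* Called on a legitimate credential change (fork, exec, setuid, capset):
 * create or overwrite the stored snapshot for this pid. */
static bool lkrg_record(int pid, uint32_t uid, uint32_t euid, uint64_t caps) {
    tracked_task *t = find_task(pid);
    if (!t) {
        for (int i = 0; i < MAX_TASKS && !t; i++)
            if (!task_db[i].in_use) t = &task_db[i];
        if (!t) return false;          /* database full */
        t->in_use = true;
        t->pid = pid;
    }
    t->uid = uid; t->euid = euid; t->caps = caps;
    return true;
}

/* Called just before a resource access (e.g. open): compare the live
 * credentials with the snapshot. Returns true when the task must be killed:
 * an ID changed outside a recorded transition, or the task now holds a
 * capability it never legitimately received (dropping one is fine). */
static bool lkrg_validate(int pid, uint32_t uid, uint32_t euid, uint64_t caps) {
    const tracked_task *t = find_task(pid);
    if (!t) return true;               /* untracked task: treated as a violation */
    if (t->uid != uid || t->euid != euid) return true;
    return (caps & ~t->caps) != 0;     /* any newly gained capability bit */
}
```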

Source: opennet.ru
