lkrg/CHANGES

The following changes have been made between LKRG 0.7 and 0.8:

*) Add support for kernels 5.3+ (JUMP_LABEL batch mode), 5.5+ and 5.6+ (other
   changes in JUMP_LABEL), 5.7+ (unexported kallsyms_lookup_name symbol)
*) Add experimental support for 32-bit ARM, tested on Raspberry Pi 3 Model B
*) Add experimental support for Raspberry Pi 4, tested on board revision c03112
   (we had already included general support for AArch64 (ARM64) in LKRG 0.7)
*) Redesign LKRG's presentation of its feature set to the user (sysadmin), no
   longer presenting it as having separate Code Integrity and Exploit Detection
   components, but instead LKRG as a whole working to detect various integrity
   violations (not only of code, and possibly caused by exploits) and attacks
*) Introduce many separate knobs (each available as a sysctl and a module
   parameter) for fine-grained tuning of LKRG's detection of violations and
   attacks (validation), as well as its response to those (enforcement)
*) Introduce the notion of LKRG validation and enforcement profiles, which are
   pre-defined sets of recommended values of the fine-grained tuning knobs.
   These profiles may be quickly activated via the lkrg.profile_validate and
   lkrg.profile_enforce sysctl settings.
*) Change the defaults to achieve a better balance between the likelihood of
   timely detection of violations and attacks and effective response to those
   vs. performance impact and risk of false positives.  Most notable for the
   user (sysadmin) is that we consider LKRG mature enough to respond to kernel
   integrity violations by triggering a kernel panic (as there's no other
   effective response), which is now the default, but we recommend initially
   testing new installs of LKRG with that action temporarily disabled in order
   to safely detect potential system-specific false positives and only proceed
   with installation if there are none.
*) Rework the optional systemd unit file so that LKRG is loaded at an earlier
   stage of system bootup, but can be disabled via the kernel command-line.
*) Rework the documentation, including to reflect the above changes.  The
   INSTALL file has been replaced by README, which is now much more extensive.
   The CONCEPTS file has been added (using content from the LKRG homepage).


The following changes have been made between LKRG 0.6 and 0.7:

*) Refactor LKRG code to support multiple CPU architectures
*) Add experimental support for ARM64
*) Add experimental support for grsecurity kernels (with some limitations)
*) Add support for kernels 5.1 and 5.2 (and hopefully beyond)
*) Add support for kernels without enabled CONFIG_DYNAMIC_DEBUG
*) Add support for kernels without enabled CONFIG_ACPI
*) Add support for kernels without enabled CONFIG_STACKTRACE
*) Add support for kernels with enabled CONFIG_STATIC_USERMODEHELPER
*) [CI] Fix race condition with *_JUMP_LABEL engine resulting in potential
   deadlock when LKRG is initialized in parallel with other heavy kernel module
   (un)loading events
*) [CI] Re-enable self-hashing
*) [ED] Change the logic how LKRG tracks a newly created task in the system
*) [ED] Rewrite internal logic how LKRG synchronizes with the task's resources
*) [ED] Filter our kernel threads and system-init process when validation is
   performed bypassing threads iteration
*) [ED] Disable IRQ in most cases when LKRG's PIDs database lock is taken.
   Otherwise, we could have potential race and deadlock with kprobe engine
   itself, and SoftIRQs could deadlock with LKRG's pCFI.
*) [ED] Fix potential FP during LKRG unloading procedure and add memory barrier
*) [ED] Fix logic for *init_module/delete_module for kernels with
   CONFIG_ARCH_HAS_SYSCALL_WRAPPER
*) [ED] Fix FP (race condition) in pCFI in glitching scenario during process
   update, and add memory barrier
*) [ED] Fix potential glitch in pCFI
*) [ED] Add support for OverlayFS (which is commonly used by Docker)
*) [ED] Whitelist Ubuntu Apport (thanks to Pawel Krawczyk)
*) [ED] Enforce stack pointer validation on lookup_fast function
*) [ED] Add SMEP/WP bit verification (and re-enforcement) in more places
*) [ED] Refactor some of the logic to be compatible with x86 lacking SMEP
*) [ED] Add new sysctl lkrg.smep_panic (only on x86, enabled by default)
*) [ED] Add new sysctl lkrg.umh_lock (disabled by default)
*) Update INSTALL to document the new sysctl's and the previously undocumented
   lkrg.hide sysctl
*) Minor change of initialization logic
*) Add potential debug compilation option to Makefile
*) Mute the most noisy STRONG_DEBUG output by default
*) Don't export global CFLAGS since it might be incompatible when LKRG is part
   of a bigger project's build
*) Restore terminal colors when systemd service installation fails


The following changes have been made between LKRG 0.5 and 0.6:

*) [CI] Protect SMEP bit in CR4 and WP bit in CR0 on x86 architecture
*) [CI] Reimplement *_JUMP_LABEL support: simpler and needs a lot less memory
*) [CI] Propagate errors when kzalloc() fails
*) [ED] Introduce pCFI mitigation (poor man's Control Flow Integrity) against
   unintended invocation of a few kernel functions especially useful in
   exploits
*) [ED] Lock down the usermodehelper interface with a whitelist of programs
*) [ED] Fix false positive on seccomp(SECCOMP_SET_MODE_FILTER,
   SECCOMP_FILTER_FLAG_TSYNC, ...) failing, where we must revert all threads'
   settings but did not (we do now)
*) [ED] Freeze all user mode processes during Exploit Detection initialization
   to avoid false positives
*) [ED] Minor change in how SIGKILL is delivered to the corrupted task
*) Fix build error on Linux 4.17+ without CONFIG_ARCH_HAS_SYSCALL_WRAPPER
*) Add LKRG early boot systemd unit file.  (Similar optional functionality for
   other init systems may be added later.  Contributions are welcome.)
*) Add install/uninstall make targets, which deploy/remove the systemd service


The following changes have been made between LKRG 0.4 and 0.5:

*) [CI] Add *_JUMP_LABEL support for kernel modules (a major change)
*) [CI] Add support for "cold" function versions generated by new GCC -
   necessary to correctly handle *_JUMP_LABEL
*) [CI] Change output message format when *_JUMP_LABEL was detected for kernel
   module's .text section
*) [CI] Add new sysctl interface - optional panic() on CI verification failure
*) [ED] Hook generic_permission() instead of may_open()
*) [ED] Hook and correctly handle override_creds() / revert_creds()
*) Add Mikhail Klementev's patches for Makefile, .gitignore and missing include


The following changes have been made between LKRG 0.3 and 0.4:

*) [ED] Fix a potential kretprobe glitch that could happen in a very rare
corner case on heavily loaded SMP machines (resulting in a false positive)
*) [ED] Change some of the printed messages for log_level=4
*) [ED] Add support for 4.17+ kernels. This is a pretty big change addressing:
      a) New logic of how syscall stubs are created; CONFIG_X32_X86 and
         CONFIG_COMPAT now have separate stubs
      b) SELinux variables are now accumulated in one structure


The following changes have been made between LKRG 0.2 and 0.3:

*) [ED] Fix false positive caused via potential race condition when child
   process might be faster than mother returning from the fork()
*) [ED] Change the logic and loglevel for message printed when racy situation
   at fork() appears
*) [CI] Change assigned probabilities when integrity routine will be fired


The following changes have been made between LKRG 0.1 and 0.2:

*) Add support for being loaded at early boot stage (e.g. from initramfs)
*) [CI] Add a new sysctl to control whether LKRG performs code integrity checks
   on random events (or only at regular intervals)
*) Reduce performance impact, e.g. in our specific test case:
   -> Average cost of running a fully enabled LKRG => 2.5%
   -> Average cost of running LKRG without the code integrity checks on
      random events (disabled with the new sysctl) => 0.7%
*) [CI] Fix a potential deadlock bug caused by get_online_cpus() function,
   which might sleep if CONFIG_PREEMPT_VOLUNTARY=y
*) [CI] Fix dynamic NOPs injected by *_JUMP_LABEL for MWESTMERE
*) [CI] Remove false positives caused by *_JUMP_LABEL in corner case scenarios
*) [ED] Remove false positives when kernel executes usermode helper binaries


The following changes have been made between LKRG 0.0 and 0.1:

*) Support RHEL 7.4 kernels
*) Make new compiler happy (gcc 7.3+)
*) Improve Makefile
*) Improve Exploit Detection performance and hardened 'off' flag
*) Add support for kernel 4.15
*) Use GPLv2 LICENSE
*) Add INSTALL, CHANGELOG and PATREONS file
*) Move SELinux integrity check to the workqueue
*) Fix how *_JUMP_LABEL is handled when 0xCC byte is injected


Legend:
[CI] - Code Integrity
[ED] - Exploit Detection
Update CHANGES file 2020-06-25 16:43:05 +02:00			`The following changes have been made between LKRG 0.7 and 0.8:`

			`*) Add support for kernels 5.3+ (JUMP_LABEL batch mode), 5.5+ and 5.6+ (other`
			`changes in JUMP_LABEL), 5.7+ (unexported kallsyms_lookup_name symbol)`
			`*) Add experimental support for 32-bit ARM, tested on Raspberry Pi 3 Model B`
			`*) Add experimental support for Raspberry Pi 4, tested on board revision c03112`
			`(we had already included general support for AArch64 (ARM64) in LKRG 0.7)`
			`*) Redesign LKRG's presentation of its feature set to the user (sysadmin), no`
			`longer presenting it as having separate Code Integrity and Exploit Detection`
			`components, but instead LKRG as a whole working to detect various integrity`
			`violations (not only of code, and possibly caused by exploits) and attacks`
			`*) Introduce many separate knobs (each available as a sysctl and a module`
			`parameter) for fine-grained tuning of LKRG's detection of violations and`
			`attacks (validation), as well as its response to those (enforcement)`
			`*) Introduce the notion of LKRG validation and enforcement profiles, which are`
			`pre-defined sets of recommended values of the fine-grained tuning knobs.`
			`These profiles may be quickly activated via the lkrg.profile_validate and`
			`lkrg.profile_enforce sysctl settings.`
			`*) Change the defaults to achieve a better balance between the likelihood of`
			`timely detection of violations and attacks and effective response to those`
			`vs. performance impact and risk of false positives. Most notable for the`
			`user (sysadmin) is that we consider LKRG mature enough to respond to kernel`
			`integrity violations by triggering a kernel panic (as there's no other`
			`effective response), which is now the default, but we recommend initially`
			`testing new installs of LKRG with that action temporarily disabled in order`
			`to safely detect potential system-specific false positives and only proceed`
			`with installation if there are none.`
			`*) Rework the optional systemd unit file so that LKRG is loaded at an earlier`
			`stage of system bootup, but can be disabled via the kernel command-line.`
			`*) Rework the documentation, including to reflect the above changes. The`
			`INSTALL file has been replaced by README, which is now much more extensive.`
			`The CONCEPTS file has been added (using content from the LKRG homepage).`


Update CHANGES and INSTALL file 2019-07-20 23:33:07 +02:00			`The following changes have been made between LKRG 0.6 and 0.7:`

			`*) Refactor LKRG code to support multiple CPU architectures`
			`*) Add experimental support for ARM64`
			`*) Add experimental support for grsecurity kernels (with some limitations)`
			`*) Add support for kernels 5.1 and 5.2 (and hopefully beyond)`
			`*) Add support for kernels without enabled CONFIG_DYNAMIC_DEBUG`
			`*) Add support for kernels without enabled CONFIG_ACPI`
			`*) Add support for kernels without enabled CONFIG_STACKTRACE`
			`*) Add support for kernels with enabled CONFIG_STATIC_USERMODEHELPER`
			`) [CI] Fix race condition with _JUMP_LABEL engine resulting in potential`
Update CHANGES file 2020-06-25 16:43:05 +02:00			`deadlock when LKRG is initialized in parallel with other heavy kernel module`
			`(un)loading events`
Update CHANGES and INSTALL file 2019-07-20 23:33:07 +02:00			`*) [CI] Re-enable self-hashing`
			`*) [ED] Change the logic how LKRG tracks a newly created task in the system`
			`*) [ED] Rewrite internal logic how LKRG synchronizes with the task's resources`
			`*) [ED] Filter our kernel threads and system-init process when validation is`
Update CHANGES file 2020-06-25 16:43:05 +02:00			`performed bypassing threads iteration`
Update CHANGES and INSTALL file 2019-07-20 23:33:07 +02:00			`*) [ED] Disable IRQ in most cases when LKRG's PIDs database lock is taken.`
Update CHANGES file 2020-06-25 16:43:05 +02:00			`Otherwise, we could have potential race and deadlock with kprobe engine`
			`itself, and SoftIRQs could deadlock with LKRG's pCFI.`
Update CHANGES and INSTALL file 2019-07-20 23:33:07 +02:00			`*) [ED] Fix potential FP during LKRG unloading procedure and add memory barrier`
			`) [ED] Fix logic for init_module/delete_module for kernels with`
Update CHANGES file 2020-06-25 16:43:05 +02:00			`CONFIG_ARCH_HAS_SYSCALL_WRAPPER`
Update CHANGES and INSTALL file 2019-07-20 23:33:07 +02:00			`*) [ED] Fix FP (race condition) in pCFI in glitching scenario during process`
Update CHANGES file 2020-06-25 16:43:05 +02:00			`update, and add memory barrier`
Update CHANGES and INSTALL file 2019-07-20 23:33:07 +02:00			`*) [ED] Fix potential glitch in pCFI`
			`*) [ED] Add support for OverlayFS (which is commonly used by Docker)`
			`*) [ED] Whitelist Ubuntu Apport (thanks to Pawel Krawczyk)`
			`*) [ED] Enforce stack pointer validation on lookup_fast function`
			`*) [ED] Add SMEP/WP bit verification (and re-enforcement) in more places`
			`*) [ED] Refactor some of the logic to be compatible with x86 lacking SMEP`
			`*) [ED] Add new sysctl lkrg.smep_panic (only on x86, enabled by default)`
			`*) [ED] Add new sysctl lkrg.umh_lock (disabled by default)`
			`*) Update INSTALL to document the new sysctl's and the previously undocumented`
Update CHANGES file 2020-06-25 16:43:05 +02:00			`lkrg.hide sysctl`
Update CHANGES and INSTALL file 2019-07-20 23:33:07 +02:00			`*) Minor change of initialization logic`
			`*) Add potential debug compilation option to Makefile`
			`*) Mute the most noisy STRONG_DEBUG output by default`
			`*) Don't export global CFLAGS since it might be incompatible when LKRG is part`
Update CHANGES file 2020-06-25 16:43:05 +02:00			`of a bigger project's build`
Update CHANGES and INSTALL file 2019-07-20 23:33:07 +02:00			`*) Restore terminal colors when systemd service installation fails`


Thanks to Alexander: [1] Update CHANGES and INSTALL file. [2] Fix typos. [3] Fix script exit code [4] Other minor changes 2019-02-19 19:27:25 +01:00			`The following changes have been made between LKRG 0.5 and 0.6:`

			`*) [CI] Protect SMEP bit in CR4 and WP bit in CR0 on x86 architecture`
			`) [CI] Reimplement _JUMP_LABEL support: simpler and needs a lot less memory`
			`*) [CI] Propagate errors when kzalloc() fails`
			`*) [ED] Introduce pCFI mitigation (poor man's Control Flow Integrity) against`
Update CHANGES file 2020-06-25 16:43:05 +02:00			`unintended invocation of a few kernel functions especially useful in`
			`exploits`
Thanks to Alexander: [1] Update CHANGES and INSTALL file. [2] Fix typos. [3] Fix script exit code [4] Other minor changes 2019-02-19 19:27:25 +01:00			`*) [ED] Lock down the usermodehelper interface with a whitelist of programs`
			`*) [ED] Fix false positive on seccomp(SECCOMP_SET_MODE_FILTER,`
Update CHANGES file 2020-06-25 16:43:05 +02:00			`SECCOMP_FILTER_FLAG_TSYNC, ...) failing, where we must revert all threads'`
			`settings but did not (we do now)`
Thanks to Alexander: [1] Update CHANGES and INSTALL file. [2] Fix typos. [3] Fix script exit code [4] Other minor changes 2019-02-19 19:27:25 +01:00			`*) [ED] Freeze all user mode processes during Exploit Detection initialization`
Update CHANGES file 2020-06-25 16:43:05 +02:00			`to avoid false positives`
Thanks to Alexander: [1] Update CHANGES and INSTALL file. [2] Fix typos. [3] Fix script exit code [4] Other minor changes 2019-02-19 19:27:25 +01:00			`*) [ED] Minor change in how SIGKILL is delivered to the corrupted task`
			`*) Fix build error on Linux 4.17+ without CONFIG_ARCH_HAS_SYSCALL_WRAPPER`
			`*) Add LKRG early boot systemd unit file. (Similar optional functionality for`
Update CHANGES file 2020-06-25 16:43:05 +02:00			`other init systems may be added later. Contributions are welcome.)`
Thanks to Alexander: [1] Update CHANGES and INSTALL file. [2] Fix typos. [3] Fix script exit code [4] Other minor changes 2019-02-19 19:27:25 +01:00			`*) Add install/uninstall make targets, which deploy/remove the systemd service`


Update CHANGES / INSTALL. 2018-11-10 22:11:52 +01:00			`The following changes have been made between LKRG 0.4 and 0.5:`

			`) [CI] Add _JUMP_LABEL support for kernel modules (a major change)`
			`*) [CI] Add support for "cold" function versions generated by new GCC -`
Update CHANGES file 2020-06-25 16:43:05 +02:00			`necessary to correctly handle *_JUMP_LABEL`
Update CHANGES / INSTALL. 2018-11-10 22:11:52 +01:00			`) [CI] Change output message format when _JUMP_LABEL was detected for kernel`
Update CHANGES file 2020-06-25 16:43:05 +02:00			`module's .text section`
Update CHANGES / INSTALL. 2018-11-10 22:11:52 +01:00			`*) [CI] Add new sysctl interface - optional panic() on CI verification failure`
			`*) [ED] Hook generic_permission() instead of may_open()`
			`*) [ED] Hook and correctly handle override_creds() / revert_creds()`
			`*) Add Mikhail Klementev's patches for Makefile, .gitignore and missing include`


[1] Update CHANGES / INSTALL. [2] Fix comment regarding potential glitch. 2018-08-30 17:57:54 +02:00			`The following changes have been made between LKRG 0.3 and 0.4:`

			`*) [ED] Fix a potential kretprobe glitch that could happen in a very rare`
			`corner case on heavily loaded SMP machines (resulting in a false positive)`
			`*) [ED] Change some of the printed messages for log_level=4`
			`*) [ED] Add support for 4.17+ kernels. This is a pretty big change addressing:`
			`a) New logic of how syscall stubs are created; CONFIG_X32_X86 and`
Update CHANGES file 2020-06-25 16:43:05 +02:00			`CONFIG_COMPAT now have separate stubs`
[1] Update CHANGES / INSTALL. [2] Fix comment regarding potential glitch. 2018-08-30 17:57:54 +02:00			`b) SELinux variables are now accumulated in one structure`


CHANGES / INSTALL file Fixes 2018-07-04 20:18:48 +02:00			`The following changes have been made between LKRG 0.2 and 0.3:`
Update CHANGES file 2018-06-25 01:40:19 +02:00
CHANGES / INSTALL file Fixes 2018-07-04 20:18:48 +02:00			`*) [ED] Fix false positive caused via potential race condition when child`
			`process might be faster than mother returning from the fork()`
			`*) [ED] Change the logic and loglevel for message printed when racy situation`
			`at fork() appears`
			`*) [CI] Change assigned probabilities when integrity routine will be fired`
Update CHANGES file 2018-06-25 01:40:19 +02:00

Update CHANGELOG for v0.2 2018-03-22 18:20:32 +01:00			`The following changes have been made between LKRG 0.1 and 0.2:`

			`*) Add support for being loaded at early boot stage (e.g. from initramfs)`
			`*) [CI] Add a new sysctl to control whether LKRG performs code integrity checks`
			`on random events (or only at regular intervals)`
			`*) Reduce performance impact, e.g. in our specific test case:`
			`-> Average cost of running a fully enabled LKRG => 2.5%`
			`-> Average cost of running LKRG without the code integrity checks on`
			`random events (disabled with the new sysctl) => 0.7%`
			`*) [CI] Fix a potential deadlock bug caused by get_online_cpus() function,`
			`which might sleep if CONFIG_PREEMPT_VOLUNTARY=y`
			`) [CI] Fix dynamic NOPs injected by _JUMP_LABEL for MWESTMERE`
			`) [CI] Remove false positives caused by _JUMP_LABEL in corner case scenarios`
			`*) [ED] Remove false positives when kernel executes usermode helper binaries`


Add CHANGELOG file 2018-02-08 20:08:45 +01:00			`The following changes have been made between LKRG 0.0 and 0.1:`

			`*) Support RHEL 7.4 kernels`
			`*) Make new compiler happy (gcc 7.3+)`
			`*) Improve Makefile`
			`*) Improve Exploit Detection performance and hardened 'off' flag`
			`*) Add support for kernel 4.15`
			`*) Use GPLv2 LICENSE`
			`*) Add INSTALL, CHANGELOG and PATREONS file`
			`*) Move SELinux integrity check to the workqueue`
			`) Fix how _JUMP_LABEL is handled when 0xCC byte is injected`
Update CHANGELOG for v0.2 2018-03-22 18:20:32 +01:00

			`Legend:`
			`[CI] - Code Integrity`
			`[ED] - Exploit Detection`