Mirror of https://github.com/openwall/lkrg.git (synced 2023-12-13 21:30:29 +01:00)
The following changes have been made between LKRG 0.7 and 0.8:

*) Add support for kernels 5.3+ (JUMP_LABEL batch mode), 5.5+ and 5.6+ (other
   changes in JUMP_LABEL), 5.7+ (unexported kallsyms_lookup_name symbol)
*) Add experimental support for 32-bit ARM, tested on Raspberry Pi 3 Model B
*) Add experimental support for Raspberry Pi 4, tested on board revision c03112
   (we had already included general support for AArch64 (ARM64) in LKRG 0.7)
*) Redesign LKRG's presentation of its feature set to the user (sysadmin), no
   longer presenting it as having separate Code Integrity and Exploit Detection
   components, but instead LKRG as a whole working to detect various integrity
   violations (not only of code, and possibly caused by exploits) and attacks
*) Introduce many separate knobs (each available as a sysctl and a module
   parameter) for fine-grained tuning of LKRG's detection of violations and
   attacks (validation), as well as its response to those (enforcement)
*) Introduce the notion of LKRG validation and enforcement profiles, which are
   pre-defined sets of recommended values of the fine-grained tuning knobs.
   These profiles may be quickly activated via the lkrg.profile_validate and
   lkrg.profile_enforce sysctl settings.
*) Change the defaults to achieve a better balance between the likelihood of
   timely detection of violations and attacks and effective response to those
   vs. performance impact and risk of false positives. Most notable for the
   user (sysadmin) is that we consider LKRG mature enough to respond to kernel
   integrity violations by triggering a kernel panic (as there's no other
   effective response), which is now the default, but we recommend initially
   testing new installs of LKRG with that action temporarily disabled in order
   to safely detect potential system-specific false positives and only proceed
   with installation if there are none.
*) Rework the optional systemd unit file so that LKRG is loaded at an earlier
   stage of system bootup, but can be disabled via the kernel command-line.
*) Rework the documentation, including to reflect the above changes. The
   INSTALL file has been replaced by README, which is now much more extensive.
   The CONCEPTS file has been added (using content from the LKRG homepage).


The following changes have been made between LKRG 0.6 and 0.7:

*) Refactor LKRG code to support multiple CPU architectures
*) Add experimental support for ARM64
*) Add experimental support for grsecurity kernels (with some limitations)
*) Add support for kernels 5.1 and 5.2 (and hopefully beyond)
*) Add support for kernels without enabled CONFIG_DYNAMIC_DEBUG
*) Add support for kernels without enabled CONFIG_ACPI
*) Add support for kernels without enabled CONFIG_STACKTRACE
*) Add support for kernels with enabled CONFIG_STATIC_USERMODEHELPER
*) [CI] Fix race condition with *_JUMP_LABEL engine resulting in potential
   deadlock when LKRG is initialized in parallel with other heavy kernel module
   (un)loading events
*) [CI] Re-enable self-hashing
*) [ED] Change the logic of how LKRG tracks a newly created task in the system
*) [ED] Rewrite internal logic of how LKRG synchronizes with the task's resources
*) [ED] Filter out kernel threads and the system init process when validation is
   performed, bypassing thread iteration
*) [ED] Disable IRQs in most cases when LKRG's PIDs database lock is taken.
   Otherwise, we could have a potential race and deadlock with the kprobe engine
   itself, and SoftIRQs could deadlock with LKRG's pCFI.
*) [ED] Fix potential FP during LKRG unloading procedure and add memory barrier
*) [ED] Fix logic for *init_module/delete_module for kernels with
   CONFIG_ARCH_HAS_SYSCALL_WRAPPER
*) [ED] Fix FP (race condition) in pCFI in glitching scenario during process
   update, and add memory barrier
*) [ED] Fix potential glitch in pCFI
*) [ED] Add support for OverlayFS (which is commonly used by Docker)
*) [ED] Whitelist Ubuntu Apport (thanks to Pawel Krawczyk)
*) [ED] Enforce stack pointer validation on lookup_fast function
*) [ED] Add SMEP/WP bit verification (and re-enforcement) in more places
*) [ED] Refactor some of the logic to be compatible with x86 lacking SMEP
*) [ED] Add new sysctl lkrg.smep_panic (only on x86, enabled by default)
*) [ED] Add new sysctl lkrg.umh_lock (disabled by default)
*) Update INSTALL to document the new sysctls and the previously undocumented
   lkrg.hide sysctl
*) Minor change of initialization logic
*) Add potential debug compilation option to Makefile
*) Mute the most noisy STRONG_DEBUG output by default
*) Don't export global CFLAGS since it might be incompatible when LKRG is part
   of a bigger project's build
*) Restore terminal colors when systemd service installation fails


The following changes have been made between LKRG 0.5 and 0.6:

*) [CI] Protect SMEP bit in CR4 and WP bit in CR0 on x86 architecture
*) [CI] Reimplement *_JUMP_LABEL support: simpler and needs a lot less memory
*) [CI] Propagate errors when kzalloc() fails
*) [ED] Introduce pCFI mitigation (poor man's Control Flow Integrity) against
   unintended invocation of a few kernel functions especially useful in
   exploits
*) [ED] Lock down the usermodehelper interface with a whitelist of programs
*) [ED] Fix false positive on seccomp(SECCOMP_SET_MODE_FILTER,
   SECCOMP_FILTER_FLAG_TSYNC, ...) failing, where we must revert all threads'
   settings but did not (we do now)
*) [ED] Freeze all user mode processes during Exploit Detection initialization
   to avoid false positives
*) [ED] Minor change in how SIGKILL is delivered to the corrupted task
*) Fix build error on Linux 4.17+ without CONFIG_ARCH_HAS_SYSCALL_WRAPPER
*) Add LKRG early boot systemd unit file. (Similar optional functionality for
   other init systems may be added later. Contributions are welcome.)
*) Add install/uninstall make targets, which deploy/remove the systemd service


The following changes have been made between LKRG 0.4 and 0.5:

*) [CI] Add *_JUMP_LABEL support for kernel modules (a major change)
*) [CI] Add support for "cold" function versions generated by new GCC -
   necessary to correctly handle *_JUMP_LABEL
*) [CI] Change output message format when *_JUMP_LABEL was detected for kernel
   module's .text section
*) [CI] Add new sysctl interface - optional panic() on CI verification failure
*) [ED] Hook generic_permission() instead of may_open()
*) [ED] Hook and correctly handle override_creds() / revert_creds()
*) Add Mikhail Klementev's patches for Makefile, .gitignore and missing include


The following changes have been made between LKRG 0.3 and 0.4:

*) [ED] Fix a potential kretprobe glitch that could happen in a very rare
   corner case on heavily loaded SMP machines (resulting in a false positive)
*) [ED] Change some of the printed messages for log_level=4
*) [ED] Add support for 4.17+ kernels. This is a pretty big change addressing:
   a) New logic of how syscall stubs are created; CONFIG_X32_X86 and
      CONFIG_COMPAT now have separate stubs
   b) SELinux variables are now accumulated in one structure


The following changes have been made between LKRG 0.2 and 0.3:

*) [ED] Fix false positive caused by a potential race condition when the child
   process might be faster than the parent returning from the fork()
*) [ED] Change the logic and loglevel for the message printed when the racy
   situation at fork() appears
*) [CI] Change the assigned probabilities of when the integrity routine fires


The following changes have been made between LKRG 0.1 and 0.2:

*) Add support for being loaded at early boot stage (e.g. from initramfs)
*) [CI] Add a new sysctl to control whether LKRG performs code integrity checks
   on random events (or only at regular intervals)
*) Reduce performance impact, e.g. in our specific test case:
   -> Average cost of running a fully enabled LKRG => 2.5%
   -> Average cost of running LKRG without the code integrity checks on
      random events (disabled with the new sysctl) => 0.7%
*) [CI] Fix a potential deadlock bug caused by get_online_cpus() function,
   which might sleep if CONFIG_PREEMPT_VOLUNTARY=y
*) [CI] Fix dynamic NOPs injected by *_JUMP_LABEL for MWESTMERE
*) [CI] Remove false positives caused by *_JUMP_LABEL in corner case scenarios
*) [ED] Remove false positives when kernel executes usermode helper binaries


The following changes have been made between LKRG 0.0 and 0.1:

*) Support RHEL 7.4 kernels
*) Make new compiler happy (gcc 7.3+)
*) Improve Makefile
*) Improve Exploit Detection performance and harden the 'off' flag
*) Add support for kernel 4.15
*) Use GPLv2 LICENSE
*) Add INSTALL, CHANGELOG and PATREONS files
*) Move SELinux integrity check to the workqueue
*) Fix how *_JUMP_LABEL is handled when 0xCC byte is injected


Legend:

[CI] - Code Integrity
[ED] - Exploit Detection