Linux Kernel Runtime Guard (LKRG) is a Linux kernel module that performs runtime integrity checking of the kernel and detection of security vulnerability exploits against the kernel, prevention of and response to successful attacks, and encrypted remote logging. The project was founded by Adam 'pi3' Zabrocki, who invited Solar Designer to join; we released version 0.0 publicly in 2018 under the Openwall umbrella (announced as Openwall's most controversial project to date). We have been extending and maintaining it since, as an independent project supported at various times by Binarly and CIQ. While we had a userbase using it in production (and did so ourselves) throughout this time, we are now finally ready to call it mature and release 1.0.
This talk covers what LKRG is, its security and threat models, how it does what it does, and how it fits in the landscape (from kernel hardening patches to eBPF, and beyond Linux). We share our perspective on long-term maintenance of a hackish out-of-tree module (which hooks and calls into many more functions than the kernel exports) and on supporting a wide range of kernel versions (still from CentOS 7 "3.10" to the latest 6.x mainline, as well as stable/longterm branches), along with continuous integration and the many trade-offs involved. We also cover effectiveness so far (against rootkits and exploits), bypasses so far and our stance on them, the nastiest bugs/issues so far and how we see the risks, adoption in distros and products, and future work (evolution towards even greater maturity, improved self-protection, and detection and prevention of userspace attacks). Beyond the slides: a live demo of exploit detection and prevention, along with remote logging.