About the Speaker
Talk Abstract
Linux Kernel Runtime Guard (LKRG) is a Linux kernel module that performs runtime integrity checking of the kernel and detection of security vulnerability exploits against the kernel, prevention of and response to successful attacks, and encrypted remote logging. The project was founded by Adam 'pi3' Zabrocki, who invited Solar Designer to join; we released version 0.0 publicly in 2018 under the Openwall umbrella (announced as Openwall's most controversial project to date), and we have been extending and maintaining it since (as an independent project supported at various times by Binarly and CIQ). While we have had a user base running it in production (as we did ourselves) during all this time, we are now finally ready to call it mature and release 1.0.
This talk covers what LKRG is, its security and threat models, how it does what it does, and how it fits in the landscape (from kernel hardening patches to eBPF, and beyond Linux). We also share our perspective on long-term maintenance of a hackish out-of-tree module (where we hook and call into many more functions than the kernel exports) and on supporting a wide range of kernel versions (still from CentOS 7 "3.10" to the latest 6.x mainline, as well as stable/longterm branches); continuous integration; the many trade-offs involved; effectiveness so far (against rootkits and exploits); bypasses so far and our stance on them; the nastiest bugs/issues so far and how we see the risks; adoption in distros and products; and future work (evolution towards even greater maturity, improved self-protection, detection and prevention of userspace attacks). Live demo and/or Q&A if time permits.
Speaker Bio
Alexander Peslyak, better known as Solar Designer, is the founder of Openwall, a community project and professional services company focused on the security of Open Source software. He achieved a number of "firsts" in (anti-)exploitation of memory corruption vulnerabilities, co-authored much of Openwall's software including John the Ripper and other password security tools, and runs the oss-security and (linux-)distros mailing lists - among many other past and current activities. Alexander has spoken at numerous international conferences.
Alexander is currently at CIQ, which supports the Rocky Linux project and its SIG/Security, and builds commercial Linux distro products, including Rocky Linux from CIQ - Hardened (RLC-H) with LKRG enabled out-of-the-box.