| 导读 | OpenWall 近期开源了一个新的内核防护项目 LKRG(全称为 Linux Kernel Runtime Guard),这是一个可加载的核心模块,可用来检查 Linux 内核的运行完整性,并侦测针对该内核的攻击。 |
LKRG 是一个内核模块而非补丁,可用于主流的 Linux 发行版本中,主要有两大功能。一是在 Linux 系统中开发扩展功能时实施各种规定,以避免那些不被 Linux 内核支持的更改;另外一个则是侦测针对内核的攻击,例如当内核要根据未授权的凭证赋予读取权限时加以拦截。
不过,OpenWall 同时强调,LKRG 目前仍处于早期实验阶段,版本为 v0.0,不排除偶尔出现误报的情况。
ping attack!process[1486 | exploit_no_smap] has different ‘cred’ pointer [0xffff9560a5d886c0 vs 0xffff9560a5d88300]
Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645653] [p_lkrg] Detected pointer swapping attack!process[1486 | exploit_no_smap] has different ‘real_cred’ pointer [0xffff9560a5d886c0 vs 0xffff9560a5d88300]
Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645685] [p_lkrg] process[1486 | exploit_no_smap] has different UID! 1000 vs 0
Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645704] [p_lkrg] process[1486 | exploit_no_smap] has different EUID! 1000 vs 0
Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645723] [p_lkrg] process[1486 | exploit_no_smap] has different SUID! 1000 vs 0
Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645742] [p_lkrg] process[1486 | exploit_no_smap] has different FSUID! 1000 vs 0
Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645761] [p_lkrg] process[1486 | exploit_no_smap] has different GID! 1000 vs 0
Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645780] [p_lkrg] process[1486 | exploit_no_smap] has different EGID! 1000 vs 0
Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645799] [p_lkrg] process[1486 | exploit_no_smap] has different SGID! 1000 vs 0
Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645817] [p_lkrg] process[1486 | exploit_no_smap] has different FSGID! 1000 vs 0
Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645836] [p_lkrg] Detected SECCOMP corruption!process[1486 | exploit_no_smap] has corrupted TIF_SECCOMP flag! [1 vs 0]
Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645862] [p_lkrg] Detected SECCOMP corruption!process[1486 | exploit_no_smap] has different SECCOMP mode! [SECCOMP_MODE_FILTER vs SECCOMP_MODE_DISABLED]
Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645894] [p_lkrg] Detected SECCOMP corruption!process[1486 | exploit_no_smap] has different SECCOMP filter pointer! [0xffff9560a4345600 vs 0x (null)]
Dec 19 19:33:58 pi3-ubuntu kernel: [ 70.645925] [p_lkrg] Trying to kill process[exploit_no_smap | 1486]!
Dec 19 19:35:25 pi3-ubuntu kernel: [ 157.976342] hv_balloon: Balloon request will be partially fulfilled. Balloon floor reached.
相关链接
LKRG 的详细介绍:点击查看
LKRG 的下载地址:点击下载
文章转载自 开源中国社区 [http://www.oschina.net]
原创文章,作者:kepupublish,如若转载,请注明出处:https://blog.ytso.com/116897.html