Date: Tue, 27 Mar 2018 20:33:07 +0200
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com, lkrg-users@...ts.openwall.com
Subject: LKRG 0.2

Hi,

We'd like to announce Linux Kernel Runtime Guard (LKRG) version 0.2:

http://www.openwall.com/lkrg/

The following changes have been made between LKRG 0.1 and 0.2:

*) Add support for being loaded at early boot stage (e.g. from initramfs)
*) [CI] Add a new sysctl to control whether LKRG performs code integrity checks
   on random events (or only at regular intervals)
*) Reduce performance impact, e.g. in our specific test case:
   -> Average cost of running a fully enabled LKRG => 2.5%
   -> Average cost of running LKRG without the code integrity checks on
      random events (disabled with the new sysctl) => 0.7%
*) [CI] Fix a potential deadlock bug caused by get_online_cpus() function,
   which might sleep if CONFIG_PREEMPT_VOLUNTARY=y
*) [CI] Fix dynamic NOPs injected by *_JUMP_LABEL for MWESTMERE
*) [CI] Remove false positives caused by *_JUMP_LABEL in corner case scenarios
*) [ED] Remove false positives when kernel executes usermode helper binaries

Legend:
[CI] - Code Integrity
[ED] - Exploit Detection

The "specific test case" mentioned above is building John the Ripper
1.8.0-jumbo-1 with "./configure CFLAGS='-O0'" (that is, with compiler
optimizations disabled in order to artificially reduce the amount of
processing in userspace and increase the frequency of syscalls, thereby
exposing LKRG's possible performance impact more) and "make -j8" on an
Atom C2750 machine (8 Silvermont cores) running VzLinux (Virtuozzo 7).
The performance impact is measured only for the "make -j8" step (that
is, at full system load, which is most relevant for server capacity).

Like before, this release is almost entirely due to work by Adam 'pi3'
Zabrocki.  Thanks, Adam!

Alexander
