Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 12 Nov 2018 20:03:31 +0400
From: Ilya Matveychikov <>
Subject: Re: LKRG 0.5

> On Nov 12, 2018, at 7:51 PM, Solar Designer <> wrote:


> Is the khook_demo module you have loaded part of what you call a LKRG
> bypass, or is it some unrelated demo/test you ran?  Is it part of what
> caused the crash?

Quick answer about KHOOK. You can find it at github:

> If it's part of the bypass, then that wouldn't count per our threat
> model unless you loaded the module while under illegitimate root access
> obtained via a kernel vulnerability exploit (in which case "ED" is meant
> to trigger on module loading attempt).  Simple loading of kernel modules
> (including custom ones) as legitimate root is allowed under LKRG -
> including modules that would substantially modify system behavior (e.g.,
> hook functions).

And yes, it’s a part of bypass where the point is that having protection
system (LKRG) and “malicious” module at the same level of abstraction worth
nothing to do with the security.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.