Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 14 Jun 2020 19:03:19 +0200
From: Solar Designer <>
Subject: Re: How can I check the effectiveness of p_lkrg?

Hi Jacek,

On Wed, Jun 10, 2020 at 05:36:00PM +0100, Pawel Krawczyk wrote:
> On 10/06/2020 08:59, Jacek wrote:
> >How can I check if p_lkrg is working properly or is it only working?
> >I tested some exploits, there is no trace in the logs of any p_lkrg action.
> Your kernel might be too new to trigger LKRG defences as all the 
> vulnerabilities used by these exploits were patched and are stopped 
> before even causing any anomalies. I had the same problem when trying 
> LKRG for the first time a few years ago (although then at least one 
> exploit triggered some alerts).

Pawel is correct - LKRG will only detect kernel exploits that were about
to succeed, which means you'd need to run them on a kernel vulnerable to
the issues being exploited.  Also, LKRG will not detect purely userspace
exploits and attacks.  However, you can test LKRG with kernel rootkits:

Also relevant is this slightly older thread on testing LKRG:

Unfortunately, we don't currently have a test suite we could release
publicly.  Maybe we should develop and release one.


P.S. Jacek, when you post to a mailing list on a new topic, please send
your message to the list posting address anew, not as a "reply".  In
this case, you used the "reply" feature, resulting in your message and
replies to it threaded along with messages in another unrelated thread.
That isn't pretty.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.