These are the slides of Solar Designer's talk at Nullcon Berlin 2025.
Linux Kernel Runtime Guard (LKRG) is a Linux kernel module that performs runtime integrity checking of the kernel and detection of security vulnerability exploits against the kernel, prevention of and response to successful attacks, and encrypted remote logging. The project was founded by Adam 'pi3' Zabrocki, who invited Solar Designer to join, and we released version 0.0 publicly in 2018 under the Openwall umbrella (announced as Openwall's most controversial project to date). We have been extending and maintaining it ever since (as an independent project supported at various times by Binarly and CIQ). While we have had a userbase using it in production (and have done so ourselves) all this time, we're now finally ready to call it mature and release 1.0.
This talk covers what LKRG is, its security and threat models, how it does what it does, and how it fits in the landscape (from kernel hardening patches to eBPF, and beyond Linux). It also gives our perspective on long-term maintenance of a hackish out-of-tree module (where we hook and call into many more functions than the kernel exports) and on supporting a wide range of kernel versions (still from CentOS 7 "3.10" to the latest 6.x mainline, as well as stable/longterm branches). Further topics: continuous integration; the many trade-offs involved; effectiveness so far (against rootkits and exploits); bypasses so far and our stance on them; the nastiest bugs/issues so far and how we see the risks; adoption in distros and products; and future work (evolution towards even greater maturity, improved self-protection, detection and prevention of userspace attacks). Beyond the slides: a live demo of exploit detection and prevention, along with remote logging.
Also relevant are our earlier presentations on LKRG: "Linux kernel remote logging: approaches, challenges, implementation" (2024), "Linux Kernel Runtime Guard (LKRG) in a nutshell" (2020), and "Linux Kernel Runtime Guard (LKRG) under the hood" (2018).
Please click on the slides for higher-resolution versions. You can also download a PDF file with all of the slides (13 MB) or view them on Speaker Deck.