Date: Tue, 27 Mar 2018 20:33:07 +0200
From: Solar Designer <>
Subject: [openwall-announce] LKRG 0.2


We'd like to announce Linux Kernel Runtime Guard (LKRG) version 0.2:

The following changes have been made between LKRG 0.1 and 0.2:

*) Add support for being loaded at early boot stage (e.g. from initramfs)
*) [CI] Add a new sysctl to control whether LKRG performs code integrity checks
   on random events (or only at regular intervals)
*) Reduce performance impact, e.g. in our specific test case:
   -> Average cost of running a fully enabled LKRG => 2.5%
   -> Average cost of running LKRG without the code integrity checks on
      random events (disabled with the new sysctl) => 0.7%
*) [CI] Fix a potential deadlock bug caused by get_online_cpus() function,
   which might sleep if CONFIG_PREEMPT_VOLUNTARY=y
*) [CI] Fix dynamic NOPs injected by *_JUMP_LABEL for MWESTMERE
*) [CI] Remove false positives caused by *_JUMP_LABEL in corner case scenarios
*) [ED] Remove false positives when kernel executes usermode helper binaries

[CI] - Code Integrity
[ED] - Exploit Detection

The "specific test case" mentioned above is building John the Ripper
1.8.0-jumbo-1 with "./configure CFLAGS='-O0'" (that is, with compiler
optimizations disabled in order to artificially reduce the amount of
processing in userspace and increase the frequency of syscalls, thereby
exposing LKRG's possible performance impact more) and "make -j8" on an
Atom C2750 machine (8 Silvermont cores) running VzLinux (Virtuozzo 7).
The performance impact is measured only for the "make -j8" step (that
is, at full system load, which is most relevant for server capacity).

Like before, this release is almost entirely due to work by Adam 'pi3'
Zabrocki.  Thanks, Adam!

