Security problems discovered in Linux kernel patches proposed by a Huawei employee

The developers of the Grsecurity project have published details of security issues found in a patch set proposed by a Huawei employee to improve Linux kernel security: the HKSP (Huawei Kernel Self Protection) patches contain a trivially exploitable vulnerability.

The “HKSP” patches were published by a Huawei employee five days ago; the author's GitHub profile mentions Huawei and the project name expands to Huawei Kernel Self Protection, although the employee states that the project has nothing to do with the company and is his own work.

This project was done as my research in my spare time; the hksp name was given by myself, it is not related to Huawei company, and there is no Huawei product that uses this code.

This patch code was created by me alone, and one person doesn't have enough energy to cover everything. Therefore, there is a lack of quality assurance such as review and testing.

About HKSP

HKSP includes changes such as structure randomization, protection against attacks on user ID namespaces (pid namespace), separation of the process stack from the mmap area, detection of double calls to kfree, blocking of information leaks through the /proc pseudo-filesystem (/proc/{modules,keys,key-users}, /proc/sys/kernel/*, /proc/sys/vm/mmap_min_addr and /proc/kallsyms), improved randomization of user-space addresses, additional protection against ptrace, improved SMAP and SMEP protection, the ability to prohibit sending data through raw sockets, blocking of invalid addresses on UDP sockets, and integrity checks of running processes.

The framework also includes the ksguard kernel module, intended to detect attempts to load typical rootkits.

The patches drew the interest of Greg Kroah-Hartman, maintainer of the stable branch of the Linux kernel, who asked the author to split the monolithic patch into parts to simplify review and inclusion in the mainline kernel.

Kees Cook, head of the project to promote active protection technologies in the Linux kernel, also spoke positively about the patches, but drew attention to problems on the x86 architecture and to the notification-only nature of many of the modes, which merely log information about a problem without trying to block it.

A study of the patches by the Grsecurity developers revealed many bugs and weaknesses in the code. It also showed the absence of a threat model that would allow an adequate evaluation of the project's capabilities.

To illustrate that the code was written without secure programming practices, an example of a trivial vulnerability is given in the handler for the /proc/ksguard/state file, which is created with permissions 0777, meaning everyone has write access to it.

The ksg_state_write function, used to parse the commands written to /proc/ksguard/state, creates a buffer tmp[32] into which the data is copied using the size of the passed operand, without considering the size of the destination buffer and without checking the count parameter against the actual size of the string. In other words, to overwrite part of the kernel stack, an attacker only needs to write a specially crafted line to /proc/ksguard/state.
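The defect described above, modelled in user space as an added example (this is not HKSP's code; the function and command names, the 32-byte limit and the constructed oversized input are assumptions). It shows the bounded handler a write callback should use: refuse any write that would not fit the fixed buffer, copy only that many bytes, and NUL-terminate before parsing.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unsafe pattern from the article: tmp[32] is sized for the expected command,
 * but the copy length is the caller-controlled count, so count > 32 writes
 * past the end of the stack buffer:
 *     char tmp[32];
 *     memcpy(tmp, ubuf, count);      <- no bound on count
 */

enum { KSG_CMD_MAX = 32 };          /* assumed buffer size, as in the article */
static int ksg_enabled;             /* state toggled by the "0"/"1" commands */

int ksg_state_get(void) { return ksg_enabled; }

/* Hardened handler: returns bytes consumed, or a negative errno like a kernel
 * write callback. In the kernel the memcpy would be copy_from_user(). */
long ksg_state_write_safe(const char *ubuf, size_t count)
{
    char tmp[KSG_CMD_MAX];

    /* Leave room for the NUL; reject instead of silently truncating. */
    if (count == 0 || count >= sizeof(tmp))
        return -EINVAL;

    memcpy(tmp, ubuf, count);
    tmp[count] = '\0';

    /* "echo 1 > /proc/ksguard/state" appends a newline; strip it. */
    if (tmp[count - 1] == '\n')
        tmp[count - 1] = '\0';

    if (strcmp(tmp, "1") == 0)
        ksg_enabled = 1;
    else if (strcmp(tmp, "0") == 0)
        ksg_enabled = 0;
    else
        return -EINVAL;             /* unknown command */

    return (long)count;
}

/* Constructed input: 40 bytes, longer than the 32-byte buffer. */
#define OVERSIZED_CMD "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

int main(void)
{
    printf("valid:     %ld\n", ksg_state_write_safe("1\n", 2));
    printf("oversized: %ld\n", ksg_state_write_safe(OVERSIZED_CMD, sizeof(OVERSIZED_CMD) - 1));
    return 0;
}
```

The matching fix for the permission problem is to create the entry with a restrictive mode (for example 0600 in the proc_create() call) so that only root can write commands to it.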

In response, the developer left a comment on the GitHub page of the “HKSP” project after the vulnerability was disclosed, and also added a note that the project is a spare-time research effort.

Thanks to the security team for finding many bugs in this patch.
The ksg_guard is a sample for detecting rootkits at kernel level; user and kernel communication goes through the proc interface. My original purpose was to check the idea quickly, so I didn't add enough security checks.

Actually, verifying rootkits at kernel level still needs to be discussed with the community, if there is a need to design an ARK (anti-rootkit) tool for Linux systems ...
