Security issues found in Linux kernel patches proposed by a Huawei employee

The developers of the Grsecurity project have released information about security issues found in a patch set that a Huawei employee proposed to improve Linux kernel security: the HKSP (Huawei Kernel Self Protection) patch set contains a trivially exploitable vulnerability.

These "HKSP" patches were published by a Huawei employee 5 days ago. They include a mention of Huawei in the GitHub profile and use the word Huawei in the expansion of the project name (HKSP - Huawei Kernel Self Protection), although the employee states that the project has nothing to do with the company and is his own.

This project is my research in my free time, the hksp name was given by myself, it is not related to the Huawei company, and no Huawei product uses this code.

This patch code was written by me, as one person does not have enough energy to cover everything. Therefore, there is a lack of quality assurance such as review and testing.

About HKSP

HKSP includes changes such as randomization of structure offsets, protection against attacks on the user ID namespace (pid namespace), process separation from the mmap area, detection of double calls to the kfree function, blocking of leaks through the pseudo-FS /proc (/proc/{modules, keys, key-users}, /proc/sys/kernel/* and /proc/sys/vm/mmap_min_addr, /proc/kallsyms), improved randomization of addresses in user space, additional Ptrace protection, improved smap and smep protection, the ability to prohibit sending data over raw sockets, blocking of invalid addresses on UDP sockets, and checking the integrity of running processes.

The framework also includes the Ksguard kernel module, which is aimed at detecting attempts to introduce typical rootkits.

The patches drew the interest of Greg Kroah-Hartman, who is responsible for maintaining the stable branch of the Linux kernel and who asked the author to split the monolithic patch into separate parts to simplify review and promotion to the mainline.

Kees Cook, head of the project to promote active protection technology in the Linux kernel, also spoke positively about the patches. Among the issues, he drew attention to the tie to the x86 architecture and to the notification-only nature of many modes, which record information about a problem but do not try to block it.

A study of the patch by the Grsecurity developers revealed many bugs and weaknesses in the code. It also showed the absence of a threat model that would allow an adequate assessment of the project's capabilities.

To show that the code was written without using secure programming methods, an example of a trivial vulnerability is given in the handler for the /proc/ksguard/state file, which is created with 0777 permissions, meaning that everyone has write access.

The ksg_state_write function, which is used to parse commands written to /proc/ksguard/state, creates a buffer tmp[32] into which data is written based on the size of the operand passed, without considering the size of the destination buffer and without checking the parameter against the size of the string. In other words, to overwrite part of the kernel stack, an attacker only needs to write a specially crafted line to /proc/ksguard/state.
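The length check that the handler described above lacks, as an added example that is not HKSP's code: a userspace C model of the parsing step of a /proc write handler. The function names, the 0/1 command format and the 0600 mode mentioned in the comments are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define TMP_LEN 32            /* same size as the tmp[32] the article mentions */

static int current_state;     /* hypothetical stand-in for the module's state */

/* Flawed pattern described in the article: the copy length comes from the
 * caller and is never compared with the size of the destination:
 *     char tmp[32];  memcpy(tmp, buf, count);
 * In a kernel module the proc entry would also be created with a restrictive
 * mode (for example 0600) instead of 0777, so only root can reach the handler.
 */

/* Hardened form: reject oversize input before copying, always NUL-terminate. */
ssize_t state_write_checked(const char *buf, size_t count)
{
    char tmp[TMP_LEN];
    char *end;
    long val;

    if (buf == NULL || count == 0 || count >= sizeof(tmp))
        return -EINVAL;              /* one byte is reserved for the NUL */

    memcpy(tmp, buf, count);         /* kernel equivalent: copy_from_user() */
    tmp[count] = '\0';

    val = strtol(tmp, &end, 10);     /* assumed command format: "0" or "1" */
    if (end == tmp || (*end != '\0' && *end != '\n'))
        return -EINVAL;              /* trailing garbage after the number */
    if (val != 0 && val != 1)
        return -EINVAL;

    current_state = (int)val;
    return (ssize_t)count;           /* bytes consumed, as a write handler returns */
}

int get_state(void) { return current_state; }

int main(void)
{
    char big[64];                    /* constructed oversize input */
    memset(big, 'A', sizeof(big));
    printf("valid write:    %zd\n", state_write_checked("1\n", 2));
    printf("oversize write: %zd\n", state_write_checked(big, sizeof(big)));
    return 0;
}
```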

After receiving the feedback, the developer commented on the GitHub page of the "HKSP" project and, after the vulnerability was discovered, also added a note that the project is being developed in his spare time for research.

Thanks to the security team for finding many bugs in this patch.
The ksg_guard is a small sample for detecting rootkits at the kernel level; user and kernel communication goes through the proc interface; my main purpose is to check the idea quickly, so I did not add enough security checks.

Actually, verifying rootkits at the kernel level still needs to be discussed with the community, if you want to design an ARK (anti rootkit) tool for the Linux system ...