|
@solardiz | |||||
|
Unfortunately, Ilya does not provide such commentary himself (so far, and probably wouldn't). That's fine - we can't expect any volunteer effort, especially if his point of view and goals are perhaps different than ours. ;-) So we should probably provide the commentary ourselves.
|
||||||
|
||||||
|
Andrey Konovalov
@andreyknvl
|
8. sij |
|
Linux Kernel Runtime Guard (LKRG) bypass collection by Ilya Matveychikov, CC @Adam_pi3
github.com/milabs/lkrg-by…
|
||
|
|
||
|
Solar Designer
@solardiz
|
8. sij |
|
We appreciate Ilya's effort since it tests what protection LKRG provides or does not provide in practice, which is more nuanced than our general stance of "bypassable by design". To illustrate such nuance each bypass needs commentary on LKRG versions/settings and bypass efficacy.
|
||
|
|
||
|
Solar Designer
@solardiz
|
8. sij |
|
As far as I see, we did comment on all of the bypasses seen in that repo so far, on the lkrg-users mailing list. We also addressed many of these in newer LKRG. Now that Ilya collected the bypasses so nicely in that repo, we should perhaps also collect our commentary in one place.
|
||
|
|
||
|
Solar Designer
@solardiz
|
10. sij |
|
Update: Ilya himself has added a README, which explains some of those things. Great! We're not convinced by his reasoning against SMEP, though. Yes, ROP can bypass SMEP, but can one build fake stack frames to bypass LKRG's pCFI with ROP (remember it's the same stack)? We'll see.
|
||
|
|
||