
Linux to get kernel ‘lockdown’ feature

September 30, 2019

After years of countless reviews, discussions, and code rewrites, Linus Torvalds approved on Saturday a new security feature for the Linux kernel, named “lockdown.”

The new feature will ship as an LSM (Linux Security Module) in the soon-to-be-released Linux kernel 5.4 branch, where it will be turned off by default; its use is optional because of the risk of breaking existing systems.

Putting a leash on the root account

The new feature’s primary function will be to strengthen the divide between userland processes and kernel code by preventing even the root account from interacting with kernel code — something that it’s been able to do, by design, until now.

When enabled, the new “lockdown” feature will restrict some kernel functionality, even for the root user, making it harder for compromised root accounts to compromise the rest of the OS.

“The lockdown module is intended to allow for kernels to be locked down early in [the] boot [process],” said Matthew Garrett, the Google engineer who proposed the feature a few years back.

“When enabled, various pieces of kernel functionality are restricted,” said Linus Torvalds, Linux kernel creator, and the one who put the final stamp of approval on the module yesterday.

This includes restricting access to kernel features that may allow arbitrary code execution via code supplied by userland processes; blocking processes from writing or reading /dev/mem and /dev/kmem memory; blocking processes from opening /dev/port to prevent raw port access; enforcing kernel module signatures; and many others.

Two lockdown modes

The new module will support two lockdown modes, namely “integrity” and “confidentiality.” Each is unique, and restricts access to different kernel functionality.

“If set to integrity, kernel features that allow userland to modify the running kernel are disabled,” said Torvalds.

“If set to confidentiality, kernel features that allow userland to extract confidential information from the kernel are also disabled.”

If necessary, additional lockdown modes can also be added on top, but this will require an external patch, on top of the lockdown LSM.
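
A host-side check for the two modes described above, added here as an example and not taken from the article or the kernel patch set. It assumes the lockdown LSM reports its state through securityfs at /sys/kernel/security/lockdown with the active mode in square brackets; the function names and the script name are hypothetical.

```sh
#!/bin/sh
# Added example: audit the kernel lockdown mode of a Linux host.
# Assumption: state is read from securityfs, e.g.
#   none [integrity] confidentiality   (active mode in brackets)
LOCKDOWN_FILE="${LOCKDOWN_FILE:-/sys/kernel/security/lockdown}"

# Print the active (bracketed) mode of a state line, or "unknown".
active_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p')
    case "$mode" in
        none|integrity|confidentiality) printf '%s\n' "$mode" ;;
        *) printf 'unknown\n' ;;
    esac
}

# Rank the modes: confidentiality also applies integrity's restrictions.
mode_rank() {
    case "$1" in
        none) echo 0 ;;
        integrity) echo 1 ;;
        confidentiality) echo 2 ;;
        *) echo -1 ;;
    esac
}

# Succeed only if the state line satisfies the required minimum mode.
meets_minimum() {
    have=$(mode_rank "$(active_mode "$1")")
    want=$(mode_rank "$2")
    [ "$want" -ge 0 ] && [ "$have" -ge "$want" ]
}

# Check the live host; a missing file means lockdown is not available.
audit_host() {
    if [ ! -r "$LOCKDOWN_FILE" ]; then
        echo "lockdown: unavailable (LSM not built in or securityfs not mounted)"
        return 2
    fi
    state=$(cat "$LOCKDOWN_FILE")
    if meets_minimum "$state" "$1"; then
        echo "lockdown: OK (active: $(active_mode "$state"), required: $1)"
    else
        echo "lockdown: FAIL (active: $(active_mode "$state"), required: $1)"
        return 1
    fi
}

# Usage: sh lockdown_audit.sh audit [integrity|confidentiality]
if [ "${1:-}" = "audit" ]; then audit_host "${2:-integrity}"; fi
```

An unparseable state line is treated as failing every requirement, so a changed file format cannot pass the audit silently.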

A long time coming

Work on the kernel lockdown feature started in the early 2010s, and was spearheaded by now-Google engineer, Matthew Garrett.

The idea behind the kernel lockdown feature was to create a security mechanism to prevent users with elevated permissions — even the vaunted “root” account — from tampering with the kernel’s code.

Back then, even if Linux systems were employing secure boot mechanisms, there were still ways that malware could abuse drivers, root accounts, and user accounts with special elevated privileges to tamper with the kernel’s code, and by doing so, gain boot persistence and a permanent foothold on infected systems.

Many security experts have asked across the years that the Linux kernel support a more potent way to restrict the root account and improve kernel security.

The main opposition came from Torvalds, who was one of the feature’s most ardent critics, especially in its early days.

As a result, many Linux distros, such as Red Hat, developed their own Linux kernel patches that added a lockdown feature on top of the mainline kernel. However, the two parties reached a middle ground in 2018, and work progressed on the lockdown feature this year.

“The majority of mainstream distributions have been carrying variants of this patchset for many years now, so there’s value in providing a doesn’t meet every distribution requirement, but gets us much closer to not requiring external patches,” Torvalds said yesterday.

“Applications that rely on low-level access to either hardware or the kernel may cease working as a result – therefore this should not be enabled without appropriate evaluation beforehand.”

The news that a kernel lockdown module has been finally approved has been greeted positively in the Linux and cyber-security communities.

Windows Vista: Let’s lock down the kernel
Linux 3.x: lul root is kernel brah
…
Windows 10: Kernel arbitrary writes from Admin are not bugs, there’s a party in ring0 and the bouncer is off duty
Linux 5.x: hey, let’s lock down the kernel https://t.co/ex8p8tCLmR

— Alex Ionescu (@aionescu) September 29, 2019

Downstream distros like Ubuntu have shipped a previous version of this for a while now (to try and ensure UEFI Secure Boot cannot be subverted) so it is great to see this finally upstream

— Alex Murray (@alex_murray) September 30, 2019


Credit: Zdnet
