LWN: Comments on "Kernel runtime security instrumentation" https://lwn.net/Articles/798157/ This is a special feed containing comments posted to the individual LWN article titled "Kernel runtime security instrumentation". en-us Mon, 29 Sep 2025 15:57:33 +0000 Mon, 29 Sep 2025 15:57:33 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net Kernel runtime security instrumentation https://lwn.net/Articles/798914/ https://lwn.net/Articles/798914/ Cyberax <div class="FormattedComment"> <font class="QuotedText">&gt; a kernel level vm running a limited language</font><br> In case of Kaspersky Antivirus this VM actually is (or used to be as of ~5 years ago) position-independent x86 code that is checked to not include loops or external calls. Kinda like JIT-compiled eBPF :)<br> </div> Wed, 11 Sep 2019 07:51:59 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798908/ https://lwn.net/Articles/798908/ cpitrat <div class="FormattedComment"> I'd expect some kind of justification when you call jerks a significant number of security researchers who use honeypots.<br> <p> Otherwise, I can do it too:<br> If you don't isolate the host, you're not being a jerk. <br> <p> Ok you said: "because you're knowingly providing connected resources to a bad actor." But anybody can have connected resources and it's very cheap. Look, I'm using one to answer you.<br> <p> If you think about a botnet of honeypots, I think your either overestimating the number of honeypots, their lifespan or underestimating the number of hosts required for a useful botnet.<br> </div> Wed, 11 Sep 2019 05:48:52 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798907/ https://lwn.net/Articles/798907/ ssmith32 <div class="FormattedComment"> If you don't isolate the host, even ignoring security concerns, you're just kinda being a jerk, because you're knowingly providing connected resources to a bad actor. Yes, caveats may apply, but, in general, you should isolate it. Note that trying to justify not isolating it by wanting to gather more info for a more for an exciting security blog/research paper does not qualify as a caveat.. <br> </div> Wed, 11 Sep 2019 05:17:08 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798906/ https://lwn.net/Articles/798906/ ssmith32 <div class="FormattedComment"> Ok, I'm not sure how relevant it is, but that paper was from over 10 years, when Symantec was all bent out of shape that Microsoft's drivers were going to be able to do things it's drivers - written largely without code review and QA - couldn't.<br> <p> Some rumblings about anti trust later, an API was provided, Symantec realized windows was a dying revenue stream, and you haven't seen much work in the area since. So it's a bit of an unknown. <br> </div> Wed, 11 Sep 2019 05:05:00 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798905/ https://lwn.net/Articles/798905/ ssmith32 <div class="FormattedComment"> Sooo... a "Safe Mode". Just hold insert while it boots!<br> <p> Yeah, cheap shot, but toooo easy. I'll be quiet now. <br> </div> Wed, 11 Sep 2019 04:54:25 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798903/ https://lwn.net/Articles/798903/ ssmith32 <div class="FormattedComment"> Well, in the defense of Cyberax, the only other software that I've ever seen that attempts the same goal (detecting and reacting to actions that violate a security policy), in the same manner (a kernel level vm running a limited language that allows hooks to be dynamically added over time), was commercially marketed as antivirus software.<br> <p> {rant}<br> On the other hand, KRSI is not attempting to call out to central servers, nor is it maintaining a large and ever-growing blacklist in something referred to as a "memory-mapped" file, which actually refers to home brewed code designed to swap memory contents to disk. A list from which nothing can be removed, even if designed to detect old DOS floppy malware, out of fear of failing some dog &amp; pony show that putatively somehow relates to how effective it is. Nor does it incorporate code from a wide variety of engineers that is completely unreviewed and never QA'd. Nor does it attempt to do whatever it can to insert itself wherever it can in kernel memory. And, oh yeah, is produced and managed solely for profit.<br> {\rant}<br> <p> In other words, there are a few differences too... ;)<br> <p> </div> Wed, 11 Sep 2019 04:51:56 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798712/ https://lwn.net/Articles/798712/ Cyberax <div class="FormattedComment"> It's pretty clear that the idea here is to create something like Windows antiviruses, an automatic tool to detect malicious patterns and try to counteract them.<br> <p> Unfortunately, the patch authors don't seem to have nearly enough experience with that kind of stuff. Modern Windows antiviruses have multiple layers or defenses, they intrude into the very heart of the OS. Windows itself scans and checksums its internal control structures (PatchGuard, CodeIntegrity), and antiviruses tune it up to 11. Which is kinda awe inspiring - it's like watching CoreWar.<br> <p> Yet it's still not enough. All the OS protections have been bypassed ( <a href="https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/assessment-windows-vista-kernel-mode-06-en.pdf">https://www.symantec.com/content/dam/symantec/docs/securi...</a> ) and malware now routinely bypasses antiviruses. This is because attacks don't get worse, they always keep getting better.<br> </div> Sun, 08 Sep 2019 07:08:38 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798711/ https://lwn.net/Articles/798711/ jezuch <div class="FormattedComment"> Well, my thought was that you would investigate while limiting potential damage so that you don't alert the attackers so that you have some more time to identify them. But I'm not a security expert and this sounds dangerous even to me so I don't expect this to be a plausible scenario.<br> </div> Sun, 08 Sep 2019 06:48:17 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798706/ https://lwn.net/Articles/798706/ kpsingh <div class="FormattedComment"> <font class="QuotedText">&gt; We are doing performance comparisons and it's not.</font><br> <font class="QuotedText">&gt; Then improve it. Translate audit rules into BPF and run them.</font><br> <p> Feel free to go that route and suggest / make improvements to audit. Audit does not meet our other key requirement of having the MAC and signaling (auditing) possible with a single API, which is something that you are not constrained by (based on your comments)<br> </div> Sat, 07 Sep 2019 22:17:16 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798705/ https://lwn.net/Articles/798705/ Cyberax <div class="FormattedComment"> <font class="QuotedText">&gt; We are doing performance comparisons and it's not.</font><br> Then improve it. Translate audit rules into BPF and run them.<br> <p> <font class="QuotedText">&gt; It's got to do with your statement: "If you have a "vulnerable binary" then why the hell it's not deleted?"</font><br> How do you recognize that a binary was used for nefarious purposes?<br> <p> <font class="QuotedText">&gt; Environment variables is one use case where one needs to use a signal that audit does not currently provide.</font><br> Then extend it, rather than create a completely new system. Is there anything else that is not covered by audit subsystem and that is not a trivial addition?<br> <p> <font class="QuotedText">&gt; I disagree. It's about building defense in depth. The more hoops an attacker has to jump to attack you, the slower and harder it gets for them. Anyways, I am happy to hear if you have a constructive solution. Otherwise, this discussion is simply leading nowhere.</font><br> The constructive solution is simple - improve audit subsystem instead of adding more eBPF.<br> </div> Sat, 07 Sep 2019 22:04:17 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798701/ https://lwn.net/Articles/798701/ kpsingh <div class="FormattedComment"> <font class="QuotedText">&gt;And so will be eBPF. There's also a low-hanging fruit of using BPF to JIT-compile the audit rules.</font><br> ^^^^^^^^^^^^^^^^^^^<br> We are doing performance comparisons and it's not.<br> <p> <font class="QuotedText">&gt;&gt; Patching / deleting a binary on a really huge number of servers cannot be done in seconds.</font><br> <font class="QuotedText">&gt; What does it have to do with audit slowness?</font><br> <p> It's got to do with your statement: "If you have a "vulnerable binary" then why the hell it's not deleted?"<br> <p> <font class="QuotedText">&gt; Do environment variables actually pose a significant threat to warrant a new full-blown, user-controlled arbitrary code injection facility on the critical paths? Can it itself be abused to create livelocks/deadlocks? Can an adversary use it to frustrate efforts to recover? ....</font><br> <p> Environment variables is one use case where one needs to use a signal that audit does not currently provide. We are **not** talking about unprivileged eBPF here, it needs CAP_SYS_ADMIN and CAP_MAC_ADMIN. If privileged users want to shoot themselves in their feet, they have plenty other opportunities. <br> <p> <font class="QuotedText">&gt; The development cycle for adding a new signal and then some new policy based on the signal, e.g. a permission error if you set the same environment variable twice, touches many components and this is an attempt to fix that.</font><br> <font class="QuotedText">&gt; I contend that none of this is even needed, as it's going to be useless and trivial to bypass.</font><br> <p> I disagree. It's about building defense in depth. The more hoops an attacker has to jump to attack you, the slower and harder it gets for them. Anyways, I am happy to hear if you have a constructive solution. Otherwise, this discussion is simply leading nowhere.<br> <p> </div> Sat, 07 Sep 2019 20:52:49 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798700/ https://lwn.net/Articles/798700/ Cyberax <div class="FormattedComment"> <font class="QuotedText">&gt; You yourself mentioned auditing is a giant slowdown. So, you are now contradicting yourself! </font><br> And so will be eBPF. There's also a low-hanging fruit of using BPF to JIT-compile the audit rules.<br> <p> <font class="QuotedText">&gt; Patching / deleting a binary on a really huge number of servers cannot be done in seconds.</font><br> What does it have to do with audit slowness?<br> <p> <font class="QuotedText">&gt; Can you audit environment variables with audit? No you cannot!</font><br> <font class="QuotedText">&gt; What do you need to do to add support? Change a lot of stuff, the policy language, auditd, parsers etc.</font><br> Do environment variables actually pose a significant threat to warrant a new full-blown, user-controlled arbitrary code injection facility on the critical paths? Can it itself be abused to create livelocks/deadlocks? Can an adversary use it to frustrate efforts to recover? ....<br> <p> <font class="QuotedText">&gt; The development cycle for adding a new signal and then some new policy based on the signal, e.g. a permission error if you set the same environment variable twice, touches many components and this is an attempt to fix that.</font><br> I contend that none of this is even needed, as it's going to be useless and trivial to bypass.<br> </div> Sat, 07 Sep 2019 20:26:04 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798698/ https://lwn.net/Articles/798698/ kpsingh <div class="FormattedComment"> You yourself mentioned auditing is a giant slowdown. So, you are now contradicting yourself! <br> <p> Patching / deleting a binary on a really huge number of servers cannot be done in seconds.<br> <p> Can you audit environment variables with audit? No you cannot! <br> <p> What do you need to do to add support? Change a lot of stuff, the policy language, auditd, parsers etc.<br> <p> The development cycle for adding a new signal and then some new policy based on the signal, e.g. a permission error if you set the same environment variable twice, touches many components and this is an attempt to fix that.<br> <p> </div> Sat, 07 Sep 2019 19:21:20 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798693/ https://lwn.net/Articles/798693/ Cyberax <div class="FormattedComment"> What signals? Seriously, where is an example of use with an example of mitigated damage and that can't be done with existing audit infrastructure?<br> <p> All I see is handwaving like:<br> <p> <font class="QuotedText">&gt; There could be dynamic whitelists or blacklists of various sorts, for kernel modules that can be loaded, for instance, to prevent known vulnerable binaries from executing, or stopping binaries from loading a core library that is vulnerable to ensure that updates are done.</font><br> If you have a "vulnerable binary" then why the hell it's not deleted?<br> <p> For me personally the last thing I want is more of SELinux-style security theater that _will_ inevitably break in various exciting ways.<br> </div> Sat, 07 Sep 2019 19:07:52 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798692/ https://lwn.net/Articles/798692/ kpsingh <div class="FormattedComment"> Because you can create signals dynamically with the krsi eBPF<br> <p> PS: I don't intend to reply further if your communication stays unprofessional.<br> </div> Sat, 07 Sep 2019 18:58:50 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798689/ https://lwn.net/Articles/798689/ Cyberax <div class="FormattedComment"> <font class="QuotedText">&gt; You say that once you find out you are attacked, the host should be completely isolated. (While I do not agree with this). Even if one was to agree with you, the detection cannot simply happen without effective monitoring of security signals. </font><br> And so why does this need yet even more eBPF crap?<br> </div> Sat, 07 Sep 2019 18:44:57 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798684/ https://lwn.net/Articles/798684/ kpsingh <div class="FormattedComment"> You say that once you find out you are attacked, the host should be completely isolated. (While I do not agree with this). Even if one was to agree with you, the detection cannot simply happen without effective monitoring of security signals. <br> <p> Whether you chose to block the specific malicious activity or the host itself is a decision you can make.<br> <p> </div> Sat, 07 Sep 2019 16:47:57 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798661/ https://lwn.net/Articles/798661/ Cyberax <div class="FormattedComment"> So isolate all of them. The "active countermeasures" nonsense is just crap. There's not much you can do once an attacker is in and you have to let them continue.<br> </div> Fri, 06 Sep 2019 20:35:53 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798660/ https://lwn.net/Articles/798660/ Cyberax <div class="FormattedComment"> This is actually an example where isolation is the best policy. <br> </div> Fri, 06 Sep 2019 20:33:06 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798649/ https://lwn.net/Articles/798649/ cpitrat <div class="FormattedComment"> 1) A single critical server.<br> I didn't say there was a single one. There can be multiple one and they all get compromised at (more or less) the same time by the same person.<br> 2) Accessible through the Internet.<br> If the service is available through the Internet, that's unavoidable. The server could have been exploited through the service it provides.<br> 3) To a script kiddie.<br> See 2)<br> </div> Fri, 06 Sep 2019 18:19:23 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798635/ https://lwn.net/Articles/798635/ Cyberax <div class="FormattedComment"> There are so many things wrong with this picture:<br> 1) A single critical server.<br> 2) Accessible through the Internet.<br> 3) To a script kiddie.<br> <p> <font class="QuotedText">&gt; This is just one scenario. This seems like a flexible solution that allows for some interesting tools.</font><br> This seems like an overengineered solution for a non-problem.<br> </div> Fri, 06 Sep 2019 16:58:25 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798634/ https://lwn.net/Articles/798634/ cpitrat <div class="FormattedComment"> For a more concrete example, the degraded mode could be a self driving car pulling over or giving back control to the driver.<br> </div> Fri, 06 Sep 2019 16:54:39 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798633/ https://lwn.net/Articles/798633/ cpitrat <div class="FormattedComment"> For example if the host is supporting a critical service, then switching to a highly protected mode (think read-only, potentially degraded mode) allows to continue serving while investigating rather than having a DoS caused by a script kiddy doing a prank.<br> <p> This is just one scenario. This seems like a flexible solution that allows for some interesting tools.<br> </div> Fri, 06 Sep 2019 16:53:11 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798630/ https://lwn.net/Articles/798630/ Cyberax <div class="FormattedComment"> <font class="QuotedText">&gt; You can easily imagine cases where isolating the host could have worse consequences than anything the attacker could do.</font><br> For example?<br> <p> <font class="QuotedText">&gt; Having ways to react automatically and limit attacker's possibilities is still useful.</font><br> Then why not do it from the start?<br> </div> Fri, 06 Sep 2019 16:24:41 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798602/ https://lwn.net/Articles/798602/ cpitrat <div class="FormattedComment"> You can easily imagine cases where isolating the host could have worse consequences than anything the attacker could do. Having ways to react automatically and limit attacker's possibilities is still useful.<br> <p> This could also be useful in honeypots.<br> </div> Fri, 06 Sep 2019 13:40:45 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798402/ https://lwn.net/Articles/798402/ Cyberax <div class="FormattedComment"> I consider SELinux to be an anti-feature and auditing a giant slowdown and a waste of time.<br> <p> <font class="QuotedText">&gt; mitigation based on the audited data</font><br> The only valid mitigation for a detected intrusion is to bring down or isolate the host.<br> </div> Wed, 04 Sep 2019 23:23:08 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798400/ https://lwn.net/Articles/798400/ kpsingh <div class="FormattedComment"> Would you consider audit and SELinux to be antiviruses? What KRSI intends to do is provide a unified API to flexibly configure auditing and (mitigation based on the audited data) very similar to what Linux does today but in multiple different places. <br> <p> Also "antivirus" is an overloaded term, I guess you mean it as something that detects and prevents malicious activity based on known signals?<br> <p> As to what could go wrong? We will find out when we try it :)<br> <p> </div> Wed, 04 Sep 2019 22:41:32 +0000 Kernel runtime security instrumentation https://lwn.net/Articles/798393/ https://lwn.net/Articles/798393/ Cyberax <div class="FormattedComment"> eBPF and LSM to create what is essentially an antivirus. Mmm... What could possibly go wrong?<br> </div> Wed, 04 Sep 2019 20:40:36 +0000